Category Archives: Authentication and Authorization

System Administrator Crashes ISP’s Network


Dariusz J. Prugar, a former system administrator at a network service provider called PA Online, used his old account to access the company’s servers and created backdoors to maintain his unauthorized access to the servers. Prugar had some issues with his employer and got fired just a couple of days before his unauthorized access. To hide his activity, he installed scripts that deleted his login records from the server logs. An error in the scripts led to the deletion of important files required for the company network to work. As a result, the company network crashed and the service was shut down for many customers and businesses.

After failed attempts by the IT team to fix the sudden damage that crashed the network, they contacted Prugar since he was the one who built most of the company network. Suspiciously, Prugar asked his employer to pay him for the scripts he wrote for the company, the same scripts that weren’t working because of the attack. PA Online management sent a request to the FBI to investigate the case and find out if Prugar was involved.

The company service was shut down for a whole week, affecting many customers and costing the company a lot of money and its reputation. The FBI investigation showed that Prugar was involved in the incident. He was sentenced to two years in prison and a fine of $26,000 for computer hacking and wire fraud.

Written by Mohammed Alhamadah

Sources:

https://www.justice.gov/usao-mdpa/pr/new-york-man-sentenced-computer-hacking-shut-down-internet-service-provider

https://www.bleepingcomputer.com/news/security/sysadmin-gets-two-years-in-prison-for-sabotaging-isp/

Spam Call Verification System Expanded to T-Mobile and Sprint

It is no secret that over the past few years the rate of spam calls to the average person has increased dramatically. Many people commonly receive two, three, four blatant spam calls a day. These calls pose a danger to those who fall for the tricks employed by these scammers, but even to those who are more cautious they act as a constant nuisance throughout the day. For anyone on a consumer level it is impossible to deal with the issue on their own. They can block hundreds of numbers, but there will be thousands more to take their place. They could place their number on the Do Not Call list just for that to be ignored by anyone with less than wholesome intentions. That is where the government and the actual phone providers need to step in.

Just over a month ago, President Trump signed a bill into law intended to help quell some of these spam calls. The bill requires cell phone providers to implement systems to detect and notify users of incoming spam calls. The newest companies to add this feature to their networks are T-Mobile and Sprint. The system being put in place is called SHAKEN/STIR. The system is used to verify that the call is coming from the customer of the network and that they are authorized to be calling from that number. If those requirements aren’t met, the call still goes through, but the potential risk of the call is indicated in the caller ID.

This system is by no means a perfect fix. In order for it to be totally effective, network providers would have to share information, as the system can only check the information provided. It does, however, mark a large step in the right direction for companies and the government taking a strong stand against spam and actually implementing systems to help quell the issue.

-Evan Schimberg

Sources

https://www.fcc.gov/call-authentication

https://www.bandwidth.com/glossary/stir-shaken/

https://www.nbcnews.com/politics/politics-news/trump-signs-law-reduce-robocalls-though-they-won-t-end-n1108896

https://www.theverge.com/2020/2/4/21122154/tmobile-sprint-call-verification-shaken-stir-protocol-robocalls-spam

A Contemporary Case Involving the CFAA – United States vs. Van Buren

I stumbled upon an interesting case that involved a violation of the CFAA. The crimes occurred in 2015, but the trial finally happened in 2019 and is called United States vs. Van Buren. Van Buren was a sergeant for the Cumming, Georgia, Police Department. While an officer, he forged a relationship with a shady character named Albo. Van Buren’s financial situation wasn’t the greatest and he saw a chance to improve his financial situation through Albo. Van Buren approached Albo asking him for a loan, but unbeknownst to Van Buren, Albo recorded their conversations and reported Van Buren to the local county Sheriff’s Office. This act tipped off the FBI and they wanted to see how far Van Buren would go to achieve the money. They gave Albo a fake license plate number and Albo contacted Van Buren to ask if the license plate belonged to an undercover cop who was trying to bust Albo for prostitution. In exchange for money, Van Buren would run the license plates and report back to Albo.

Albo paid Van Buren to use a sensitive police database to run the plates. This act immediately violates the CFAA and Van Buren has committed computer fraud. The police database is supposed to be used for law enforcement purposes only. Officers are trained with proper and improper use of the system and this action falls into the improper use category. The jury found Van Buren guilty without a reasonable doubt for committing computer fraud for financial gain. Van Buren was sentenced to prison for a year and six months followed by two years of supervised release.

I believe the CFAA did an effective job of punishing the criminal in this case. In class we discussed United States vs. Swartz, a case where I believe the CFAA failed to enforce a reasonable punishment on a criminal. Swartz faced a million dollars in fines and up to 35 years in prison for illegally downloading academic documents from a database, while Van Buren faces a lesser punishment for committing an arguably worse crime. In this case, the CFAA does a good job and I would like to see this trend continue in future cases regarding the CFAA.

Author: Daniel Perrelli

Sources:

  1. https://www.eff.org/document/amicus-brief-van-buren-v-united-states
  2. https://law.justia.com/cases/federal/appellate-courts/ca11/18-12024/18-12024-2019-10-10.html

United States v. Anastasio N. Laoutaris

The United States v. Anastasio N. Laoutaris case was filed on the 29th of January, 2018. The trial lasted seven days, and the defendant, Anastasio N. Laoutaris, was found guilty by a jury of his peers. Laoutaris was found guilty on two counts of computer intrusion that caused damage to the intruded systems, in violation of 18 U.S.C. § 1030(a)(5)(A) and (c)(4)(B)(i). The United States Fifth Circuit Court of Appeals affirmed the jury's verdict, which found Laoutaris guilty.

Laoutaris was an Information Technology (IT) Engineer for Locke Lord LLP before his termination in August of 2011 from the Texas law firm. Following his termination from the law firm, Laoutaris initiated an attack on the company in December of 2011 which

“accessed the firm’s computer network without authorization…issued instructions and commands that caused significant damage to the network, including deleting or disabling hundreds of user accounts, desktop and laptop accounts, and user e-mail accounts.”

In regard to his conviction, Laoutaris claims that there is an insufficient amount of evidence presented against him; the evidence provided isn’t enough to connect him to the infiltration of the law firm’s network. However, a substantial amount of circumstantial evidence was submitted that proved Laoutaris to be the intruder. Logs automatically created by the servers on the Locke Lord LLP network showed the intruder connecting to the network via LogMeIn, which has an installation on the HOBK01 backup server located in Houston, and accessing the network using a Windows “master services account”. Additional IP addresses were found that linked Laoutaris to the attack. Because the attack occurred after Laoutaris’s termination, it can be seen that the access was without authorization.

The final sentencing stated Laoutaris was to serve 115 months in prison and pay $1.7 million in restitution. Laoutaris challenged all charges, stating that false statements and miscalculations in the increase of base-level offenses were made. However,

“The finding for the lost revenue based on calculations by Locke’s forensic accountant, who also testified at sentencing. The accountant’s extensive calculations present, at the very least, a reasonable estimate of the amount of lost revenue based on available information.”

The same can be said in regard to all other contested charges. The evidence was thoroughly analyzed and charges properly brought forth.

Sources:

By Small and Simple Things Are Great Damages Avoided

https://www.justice.gov/usao-ndtx/pr/former-law-firm-it-engineer-convicted-computer-intrusion-case-sentenced-115-months

Case 16-10516: United States of America v. Anastasio N. Laoutaris

Written by Killiaun Blatche

FBI uses NSA surveillance data to conduct investigations

Earlier this week, a FISA court ruling from October 2018 was declassified. In it, there are details about the FBI using information gathered by the NSA’s mass surveillance tools to conduct investigations on U.S. citizens without warrants.

At this point, it is common knowledge that the NSA practices mass surveillance on American citizens. This is attributed to whistleblower Edward Snowden, who leaked documents to the press about tools and techniques that the NSA uses to conduct “bulk data collection.” However, until now, little has been shown to demonstrate how other agencies, like the FBI and the CIA, may use that information to do the same.

Searching through this data is known as “backdoor searching,” and the declassified document states that the FBI conducted over three million of these searches on “U.S. persons.” The main issue is that these searches were not legally justified. According to the FISA court ruling, the FBI did not base their backdoor searching on a potential criminal investigation or any other genuine justification. This further validates the claim that these agencies are attempting to create a kind of “permanent record” on American citizens.

After 9/11, policy within the FBI has been altered in such a way that obtaining a warrant to investigate a U.S. citizen is unnecessary so long as the person of interest is suspected of being a “potential national security threat.” This stipulation has been used vaguely and can have a broad range of application.

While maintaining security through secrecy is a noble goal for the NSA, the information that they gather must be used justly and fairly if their practices are to be accepted by the American people.

– Jared Albert