Stolen code, 9-month hacking spree lead to criminal charges

[security curmudgeon <jericho () attrition org>]

---------- Forwarded message ----------
From: InfoSec News <alerts () infosecnews org>

http://arstechnica.com/security/2012/11/stolen-code-9-month-hacking-spree-lead-to-criminal-charges/

By Dan Goodin
Ars Technica
Nov 15 2012

Federal officials have accused a Dutch man of hacking into a New 
Hampshire-based game company, tampering with sensitive user data, and 
using the stolen source code to start a competing online game.

Anil Kheda, 24, of the Netherlands, began his hacking spree in November 
2007 after one of his accounts was deleted from Outwar (an online 
role-playing game with 75,000 active players), according to documents 
filed in US District Court in New Hampshire. Prosecutors allege that two 
months later, he started a competing game called Outcraft using source 
code obtained from the hacked servers. The game earned Kheda at least 
$10,000 in profits. Over the next nine months, he allegedly continued the 
hacks and agreed to stop only if the hacked company?Portsmouth, New 
Hampshire-based Rampid Interactive?paid him money and provided other 
benefits.

According to prosecutors, Kheda claimed to have found vulnerabilities in 
Rampid's network and the Outwar source code that allowed him to gain 
administrator access to the underlying functions of the game. His ability 
to repeatedly delete a user database seemed to indicate his claims were at 
least partially true. The tampering caused Outwar to go down for a total 
of about two weeks over the nine-month stretch, causing Rampid to incur 
more than $100,000 in lost revenue, wages, and other costs, according to 
prosecutors.

"You guys have the following three options," Kheda wrote in a December 
2007 e-mail included in the federal indictment. "1. Let me play again on 
my master account (with everything that was on it), and I will report 
everything when I come across a vulnerability. 2. Pay me $1500 and you 
will never hear from me again. 3. Don't reply to this e-mail and you are 
gonna wish you picked one of the other options."

[...]

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security equips organizations with security intelligence, risk
management services and on-demand security solutions to establish
customized risk-based programs to address information security and
compliance challenges. 

Tenable Network Security (http://www.tenable.com/)
Tenable Network Security provides a suite of solutions which unify real-time
vulnerability, event and compliance monitoring into a single, role-based, interface
for administrators, auditors and risk managers to evaluate, communicate and
report needed information for effective decision making and systems management.