
JAP backdoor fallout story on full-disclosure

----- Forwarded message from Goncalo Costa <goncalo.costa@kpnqwest.pt> -----

From: Goncalo Costa <goncalo.costa@kpnqwest.pt>
To: full-disclosure@lists.netsys.com
Subject: [Full-Disclosure] Java Anonymous Proxy (JAP) backdoored - another interesting story
Date: Tue, 26 Aug 2003 11:02:32 +0100

For those of you shocked at learning that JAP had been backdoored at
the request/order of a judge/court to investigate a criminal, here is
another interesting story.

Notice the SURFOLA.com disclaimer.

----------  Forwarded Message  ----------

>Date: Sat, 23 Aug 2003 00:00:11 +0200
>From: Barry Wels <b.wels@nah6.com>
>Subject: blackmail / real world stego use
>Sender: owner-cryptography@metzdowd.com
>To: cryptography@metzdowd.com
>
>So far I have only found one English item in the news about this.
>So let me translate some of the Dutch information about this
>interesting case:
>A 45-year old chip designer from Utrecht was arrested June 3.
>He confessed to having tried to blackmail the 'Campina' food company.
>He had threatened to poison their products, and demanded 200.000 euro.
>The most remarkable thing about this case is however how he
>communicated with Campina, and how he thought to receive the money.
>He forced Campina to open a bank account, and get a 'world card' with
>it. Then they had to deposit 200.000 Euro on it (about 185.000
>US dollar). He ordered them to buy a credit card reader, and read the
>information off the magnetic-stripe of the 'world card'.
>Then they had to send him the output of the card reader, together with
>the pin code. With this information, he then could create a copy of
>the 'world card' using a card-writer and a blank card.
>To send him the information, he made them use steganography!
>Campina received an envelope via snailmail containing a floppy with a
>stego program and instructions.
>They had to encode the 'world card' info into a picture of a red VW
>golf, using the stego program, and a fixed crypto key that was
>included in the envelope.
>Finally, they had to place the picture in a fake ad on a website
>where large amounts of people sell/buy second hand cars.
>He would then read the ad, and make a copy of the picture.
>Decode the stego info out of it, write his own copy of the card,
>and withdraw money. Without ever having personal contact with Campina
>(or the police). To be real clever, he did not approach the website
>with the car ads directly. Police found out the ad was approached
>through a US anonymizer called SURFOLA.com. SURFOLA.com claims on their
>website:
>"We will not give out your name, residence address, or e-mail address
>to any third parties without your permission, for any reason, at any
>time, ever."
>The Utrecht police informed the FBI, and asked for assistance. Within
>24 hours, the FBI cracked the case, supplying the Dutch police with
>a '@wxs.nl' e-mail address and some paypal.com financial data.
>This data led to the 45 year old chip programmer.
>After his identity was known, the police of course started surveillance on
>him. The 'desert terrorist' was arrested red-handed when he withdrew money
>from an ATM using the world-card copy....
>Barry Wels.



----- End forwarded message -----
