November 05, 2004

e-gold to track Cisco extortioner

In line with my last post about using payment systems to stupidly commit crimes, here's what's happening over in the hacker world. In brief, some thief is trying to sell some Cisco source code he has stolen, and decided to use e-gold to get the payout. Oops. Even though e-gold has a reputation for being a den of scammers, any given payment can be traced from woe to go. All you have to do is convince the Issuer to do that, and in this case, e-gold has a widely known policy of accepting any court order for such work.

The sad thing about these sorts of crooks and crimes is that we have to wait until they've evolved by self destruction to find out the really interesting ways to crack a payment system.
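To make the "traced from woe to go" point concrete, here is an added illustration (my example, not anything from the original post or from e-gold itself) of what an investigator can do with a closed-loop ledger once one account is flagged. Value in such a system only moves by account-to-account transfer, so walking the transfer graph forward from the flagged account shows every account the money touched and where it finally left the system. The ledger, the account names and the notion of a known "exchanger" account are all constructed assumptions for the example.

```python
"""Trace where value flows inside a closed-loop ledger.

Added illustration (not part of the original post): in a system where
value only moves by account-to-account transfer, an investigator who
has one flagged account can walk the transfer graph forward and see
every account the money touched, and where it finally left the system.
The ledger below is constructed sample data; account names and the
'exchanger' role are assumptions for the example.
"""
from collections import deque

# Constructed sample ledger: (txid, sender, receiver, amount).
LEDGER = [
    ("t1", "buyer", "scc-1", 24000),   # payment into the flagged account
    ("t2", "scc-1", "scc-2", 12000),   # the flagged account splits the value
    ("t3", "scc-1", "scc-3", 11900),
    ("t4", "scc-2", "exchA", 12000),   # cash-out through a known exchanger
    ("t5", "scc-3", "mule-1", 11900),
    ("t6", "mule-1", "mule-2", 5000),  # fan-out to a further account
    ("t7", "mule-1", "exchB", 6900),
    ("t8", "other", "exchA", 300),     # unrelated activity, must not be swept up
]

# Accounts the investigator already knows to be exchangers (assumed).
EXCHANGERS = {"exchA", "exchB"}


def build_graph(ledger):
    """Map each sender to the list of (receiver, txid, amount) it paid."""
    graph = {}
    for txid, sender, receiver, amount in ledger:
        graph.setdefault(sender, []).append((receiver, txid, amount))
    return graph


def trace_forward(ledger, seed, exchangers=EXCHANGERS):
    """Breadth-first walk downstream from seed.

    Returns the accounts reached, the chain of txids that reached each one,
    the exit points (known exchangers) and the dead ends: accounts that
    received value but show no onward transfer and are not exchangers.
    A dead end is exactly where Jackson's caveat applies and the
    investigator needs information from outside the ledger.
    """
    graph = build_graph(ledger)
    paths = {seed: []}            # account -> txids on the path from seed
    queue = deque([seed])
    while queue:
        acct = queue.popleft()
        for receiver, txid, _ in graph.get(acct, []):
            if receiver not in paths:
                paths[receiver] = paths[acct] + [txid]
                queue.append(receiver)
    exits = {a for a in paths if a in exchangers}
    dead_ends = {a for a in paths if a not in graph and a not in exchangers}
    return {"reached": set(paths), "paths": paths,
            "exits": exits, "dead_ends": dead_ends}


def value_out_of_system(ledger, seed, exchangers=EXCHANGERS):
    """Sum of value that left via exchangers from accounts downstream of seed."""
    reached = trace_forward(ledger, seed, exchangers)["reached"]
    return sum(amt for _, s, r, amt in ledger
               if s in reached and r in exchangers)


if __name__ == "__main__":
    result = trace_forward(LEDGER, "scc-1")
    for acct, chain in result["paths"].items():
        print(f"{acct:8s} via {' -> '.join(chain) or '(seed)'}")
    print("exits:", sorted(result["exits"]))
    print("dead ends:", sorted(result["dead_ends"]))
    print("value cashed out:", value_out_of_system(LEDGER, "scc-1"))
```

Run against the sample ledger, the trace from `scc-1` reaches both exchangers with a full chain of transaction ids behind each, leaves the unrelated `other` account untouched, and reports `mule-2` as the one dead end, which is the point at which the Issuer's records stop helping and a court order or the exchanger's own customer records take over.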

E-gold Tracks Cisco Code Thief
November 5, 2004 By Michael Myser

The electronic currency site that the Source Code Club said it will use to accept payment for Cisco Systems Inc.'s firewall source code is confident it can track down the perpetrators.

Dr. Douglas Jackson, chairman of E-gold Ltd., which runs, said the company is already monitoring accounts it believes belong to the Source Code Club, and there has been no activity to date.

"We've got a pretty good shot at getting them in our system," said Jackson, adding that the company formally investigates 70 to 80 criminal activities a year and has been able to determine the true identity of users in every case.

On Monday, a member of the Source Code Club posted on a Usenet group that the group is selling the PIX 6.3.1 firewall firmware for $24,000, and buyers can purchase anonymously using e-mail, PGP keys and, which doesn't confirm identities of its users.


"Bad guys think they can cover their tracks in our system, but they discover otherwise when it comes to an actual investigation," said Jackson.

The purpose of the e-gold system, which is based on 1.86 metric tons of gold worth the equivalent of roughly $25 million, is to guarantee immediate payment, avoid market fluctuations and defaults, and ease transactions across borders and currencies. There is no credit line, and payments can only be made if covered by the amount in the account. Like the Federal Reserve, there is a finite value in the system. There are currently 1.5 million accounts at, 175,000 of those Jackson considers "active." To have value, or e-gold, in an account, users must receive a payment in e-gold. Often, new account holders will pay cash to existing account holders in return for e-gold. Or, in the case of SCC, they will receive payment for a service.

The only way to cash out of the system is to pay another party for a service or cash trade, which Jackson said creates an increasingly traceable web of activity.

He did offer a caveat, however: "There is always the risk that they are clever enough to figure out an angle for offloading their e-gold in a way that leads to a dead end, but that tends to be much more difficult than most bad guys think."

This is all assuming the SCC actually receives a payment, or even has the source code in the first place.


It's the ultimate buyer beware: the code could be made up, tampered with or may not exist. And because the transaction through e-gold is instantaneous and guaranteed, there is no way for the buyer to back out.


Dave Hawkins, technical support engineer with Radware Inc. in Mahwah, N.J., believes SCC is merely executing a publicity stunt.

"If they had such real code, it's more likely they would have sold it in underground forums to legitimate hackers rather than broadcasting the sale on Usenet," he said. "Anyone who did have the actual code would probably keep it secret, examining it to build private exploits. By selling it, it could find its way into the public, and all those juicy vulnerabilities [would] vanish in the next version."


"There's really no way to tell if this is legitimate," said Russ Cooper, senior scientist with security firm TruSecure Corp. of Herndon, Va. Cooper, however, believes there may be a market for it nonetheless. By posting publicly, SCC is able to get the attention of criminal entities they otherwise might not reach.

"It's advertising from one extortion team to another extortion team," he said. "These DDOS [distributed denial of service] extortionists, who are trying to get betting sites no doubt would like to have more ways to do that."


Posted by iang at November 5, 2004 11:38 AM | TrackBack

Payment systems that claim to honor court orders are not really allowing the intent of the law to be carried out. The ease of establishing a Paypal or for that matter any bank account allows theft to go unchecked in every manner imaginable. So regardless of whether e-gold honors or does not honor a court order, that does not limit the ability of a criminal to open hundreds of accounts at various firms to receive payment. The question is, has Cisco damaged itself by allowing the information to leak? The way one could avoid detection is to have Cisco purchase online currency from a dealer that has a financial interest in the deal. Perhaps the relationship of the payment system to the source code should be examined? If a payment system were to require an invoice to be logged against the incoming cash, then linkage could be shown and Cisco would have to accept this prior to payment. If they agree, then they have allowed themselves to pay blackmail. So if the hacker were to send through e-gold an invoice that was coded for his purposes and Cisco were to accept it, then their payment would be proof of its understanding. If Cisco refused, then the payment system would simply have an invoice with no identity involved. So a proposed invoice with no direct contract gets paid; when the hacker gets the money, then the crime is perfected. So using an undefined invoicing structure with a suggested payment for unstated services would allow a hacker to get closer to escaping the long arm of the law. What is in place now is crude and blunt; if invoices could be sent without being confirmed by those being billed, the criminality can be determined later.

Posted by: Jimbo at November 6, 2004 05:21 AM