The Great Cyberheist

theodp writes "In this week's cover story, the NY Times Magazine delves into the mind of Albert Gonzalez, the hacker who is currently doing time (the longest sentence ever handed down for computer crime in the US) for masterminding attacks on the nation's leading retailers, reportedly costing TJ Maxx, Heartland, and other victimized companies more than $400 million. And that may just be the tip of the iceberg. 'The majority of the stuff I hacked was never brought into public light,' said one of Gonzalez's partners-in-crime. Another claims there 'were major chains and big hacks that would dwarf TJX. I'm just waiting for them to indict us for the rest of them.' Online fraud is still rampant in the US, but statistics show a major drop in 2009 from previous years when Gonzalez was active. While reportedly not a gifted programmer, even the Feds that Gonzalez two-timed admired his ingenuity, likening him to top CEOs. When asked how Gonzalez rated among criminal hackers, a prosecutor replied: 'As a leader? Unparalleled. Unparalleled in his ability to coordinate contacts and continents and expertise. Unparalleled in that he didn't just get a hack done — he got a hack done, he got the exfiltration of the data done, he got the laundering of the funds done. He was a five-tool player.' Accounting for time served and good behavior, Gonzalez is expected to get out of prison in 2025." Last June Rolling Stone ran a long profile of Albert Gonzalez written by Sabrina Rubin Erdely; they have dusted it off now that producer Eric Eisner has embarked on the development of a feature film based on Erdely's piece.

from the skool of bad journalism :)

[viralMeme]

Yet another 'journalist who thinks he's the new Tom Wolfe :)

Biggest Cybercrime of All Time

"Albert Gonzalez remained focused on business — checking his laptop constantly, keeping tabs on the rogue operators he employed in Turkey and Latvia and China, pushing, haranguing, issuing orders into his cellphone in a steady voice. "Let's see if this Russian asshole has what I need," he'd say calmly. Then he would help himself to glass plates of powder, each thoughtfully cut into letters for easy identification: "E" for Ecstasy, "C" for coke" link [rollingstone.com]

"Dude," he wailed, "I can't fucking read!"

Dude, you can't write :)

Re:from the skool of bad journalism :)

[devbox]

I loved this part

Before long, he discovered Internet Relay Chat, a web forum popular with hackers who discussed the how-tos of breaching Internet security at its highest levels.

Re:

[bobdotorg]

Hey: Eye are see is where those hackers refine their "sequel attacks", because apparently the first attack didn't fully tell the story.

Re:

[sirrunsalot]

two-time
verb [trans.] informal
deceive or be unfaithful to (a lover or spouse)

The parentheses indicate common usage, but the meaning seems perfectly clear to me in this context. It is more fun to feign ignorance though.

And speaking of feigning ignorance, I thought maybe we were going to delve in to the mind of Alberto Gonzalez when I first glanced at the summary. Now that would be a story. But then I remembered personally reading about and discussing this Albert Gonzalez on a previous occasion. What di

Re:

[angiasaa]

Is it not obvious? :) He was sucking the KGB behind the FBI's back.

Okai, that was in lousy taste, I know.. :| But you're right, I can't imagine what two-timing could have happened. And if there really was some kind of two-timing going on, the writer obviously did not have the sense to mention it in TFA for us. What joy in incompetence, yeah!?

Re:

[JWSmythe]

Everyone knows that the KGB had hot russian chicks as their spies. Haven't you ever watched a James Bond movie? :)

Well, it's shown in reality too. Some are: Anna Chapman, Anna Fermanova, Patricia Mills, Krystyna Skarbek, Josephine Baker, and Violette Szabo. They don't exactly resemble the Bond girls though. I'm still trying to figure out how to convince a hot russian spy chick that I have secrets worth seducing. It's not that I'd give them up, but the seduction is always fun. :)

Re:

[Whiteox]

POO (Point of Order): Violette Szabo is Hungarian, not Russian.

Re:

[angiasaa]

We're assuming things here.. I'm sure there are some non-homophobic members on both sides. :-D

But I rhyme with your thoughts. :) I'm sure I have secrets worth seducing out of me too. I just have to find some Russian chicks to work on me before I expose myself.

Re:

[Doggabone]

And if there really was some kind of two-timing going on, the writer obviously did not have the sense to mention it in TFA for us. What joy in incompetence, yeah!?

Excerpts from the article ...

"After a couple of interviews, Gonzalez agreed to help the government so he could avoid prosecution ... After aiding another investigation, he became a paid informant in the Secret Service field office in Miami in early 2006. Agent Michael was transferred to Miami, and he worked with Gonzalez on a series of investigations on which Gonzalez did such a good job that the agency asked him to speak at seminars and conferences ... As far as the agency knew, that’s all he was doing. “It seemed he was trying to do the right thing,” Agent Michael said... He wasn’t. Over the course of several years, during much of which he worked for the government, Gonzalez and his crew of hackers and other affiliates gained access to roughly 180 million payment-card accounts from the customer databases of some of the most well known corporations in America ..."

The two-timing is spelled out in just over the first page.

Re:

[Doggabone]

Ah, I'm quoting the Times and missed the point ... the Rolling Stone piece is certainly crap.

Re:

[osvenskan]

To be fair you should note that your quote is from the Rolling Stone article. The NY Times magazine article (first link in TFS) is quite good.

what great cyberheist ?

[Anonymous Coward]

The hack consisted of accessing wireless POS terminals from the car park and then going on to access the internal CC database for over eighteen months, without anyone noticing. They only took action when the banks phones them up and asked about all the fraudelent activity out TJX stores.

"TJX admit that 45.7 million credit and debit cards was stolen from the company in a computer data security breach over an 18-month period" link [itpro.co.uk]

Re:

[hedwards]

I'm wondering at what point a retailer ought to be responsible for the breach. It seems to me that whatever the consequences of that sort of irresponsibility is, that it's not enough. There's absolutely no reason why they need to have an internal CC database. They could just as easily hash the CC information and compare that with a stored hash.

Re:

[Florian Weimer]

There is not enough entropy in credit card numbers to make hashing a serious obstacle.

Re:

[Corbets]

Still better than not hashing them, especially given how little additional work is required to do so.

No, because "so little work" involves changing credit card processing terminals around the world. For that kind of cost/effort, it better be a good solution.

Re:

[bjourne]

Is it even legal to store credit card info when you don't have any use for it? In other countries there are laws against retailers storing CC info because of the huge risks involved. They don't need the info after the purchase is made and a single rogue employee can cause havoc without any hacking involved.

Re:

[evilviper]

A) You may just be over-generalizing, but yes, full CC#s do need to be stored for a decent bit of time to handle any number of order processing issues that may occur.

B) Even if you as a company may not want to keep CC#s lying around forever, your lawyers may well tell you it is required. Though I dont deal with the lawyers myself and cant give specifics, I can tell you that my employer treats CC info the same as all other business info that might possibly be needed by the IRS up to 7 years down the line.

Re:

[TheKidWho]

Typical /. goon, "Pshh I could do that with one hand and blindfolded!"

Re:

[TheLink]

He's an amateur.

This is what I call a great cyberheist:
http://www.bloomberg.com/apps/news?pid=newsarchive&sid=armOzfkwtCA4 [bloomberg.com]
http://www.bloomberg.com/apps/news?pid=newsarchive&sid=aGvwttDayiiM [bloomberg.com]

Or if fancy computer tricks are required:
http://www.nytimes.com/2009/07/24/business/24trading.html [nytimes.com]
http://www.nytimes.com/imagepages/2009/07/24/business/0724-webBIZ-trading.ready.html [nytimes.com]

Re:

[yuhong]

The hack consisted of accessing wireless POS terminals from the car park

By cracking WEP, BTW. Any other real-world incident that involved WEP cracking you have encountered? BTW, I found this paper on "IVs to Skip for Immunizing WEP against FMS Attack [aist.go.jp]" from 2008, which seems to be a better attempt at skipping weak IVs than before. Of course it is still better to use WPA if you can.

the long tradition of bigging up criminals

[petes_PoV]

All media reports of (caught) cyber-criminals (or just plain "criminals" as they actually are) stresses how talented, or brilliant or "mastermind" they were. None of them were simply petty crooks that just happened to use a comuter rather than a jemmy as their tool of trade.

You could be forgiven for thinking that the world of the cyber-criminal is wholly populated by geniuses who have "gone bad", or the sorts of people that James Bond regularly vanquishes. Where are all the averagely intelligent, nondescript, stupid-but-lucky criminals who stalk the world of online, as they do the ordinary underworld?

The answer, I suspect, is that they're the very same people who are described above, but who's skills are exaggerated by police forces all over the world in an attempt at self-aggrandisement. To make their own lucky breaks appear to be much more significant than they actually were. Just as anglers everywhere have stories about the "massive" catches they made when no-one else was around I reckon the police are pursuing the same policy to try and convince the public that they, too are masterminds. Hmmm.

Re:

[misexistentialist]

Stupidity is commoner than you think, judging from your bank robbery plan.

Re:

[JWSmythe]

I agree.

I've had frank conversations with folks that work in banks. I've also had to cash some large checks, which is frequently a nightmare to pull off. It's not all in verification, that's easy. They call the issuer, the issuer verifies it. The hard part is for them to come up with the funds. I've been left waiting for up to an hour for the armored truck to arrive and drop off more cash, so I could get mine. Teller drawers rarely have enough to make a bank robbery a val

Re:

[indiechild]

What an idiotic thing to do. Stash it when you leave, and then come back later when all the cops are swarming all over the place? Or come back later only to find that someone else has already taken your loot?

Re:

[indiechild]

Agreed. Bankrobbers are a breed of low-intelligence, violent psychopaths. Robbery is a high risk crime (to the perpetrator as well as the victims), so a clever criminal would not engage in such activities. The return usually isn't worth it when judged against the risk.

Re:

[tehcyder]

So your ingenious bank-robbery plan is to get a gun, run out with some cash and not get caught?

It's almost unbelievable that no-one's thought of that before.

Re:

[Nikker]

Ha I just hacked the NSA,CIA,FBI and CSIS using RFC2594 with a DBSA(distribution of bird seed attack) and that was while I was posting to Slashdot, Twitter, Facebook and writing an advanced stock market algorithm in BrainFuck.

Re:

[petes_PoV]

True, but in the case of cyber-criminals, finding themselves described as brilliant or genius or whatever is more of an encouragement than a criticism. For example, the question "Which is the bigger insult - being called ugly or being called stupid?" Most geeks would say that stupidity was the bigger insult, whereas most ordinary people would go with ugly.

By exaggerating the very trait that cyber-criminals value in themselves (i.e. their intelligence, cunning, abilities etc.) all thepolice are doing is re

Re:

[Bazouel]

Is the article making the police forces look good ? Hardly. They caught the hackers by luck (thanks to the Russian CC reseller) and it is repeated many times that Gonzalez considered them ignorant and outwitted. The lyric description of the hackers lifestyle rather glorifies them and make them look like superstars, which we all know on slashdot is far from the reality.

idiot press

[Anonymous Coward]

If he was so poorly educated and not a particularly well-skilled hacker, and it still took the FBI so long to figure out it was him and bring a conviction, what are they doing against hackers who are actually good? How are they fairing against highly intelligent, well-organized, and well-funded teams of hackers being employed by other nations to the infiltrate US government, commercial, and industrial systems. We know those bad guys exist. Where are all the arrests and front-page stories?

Uneducated and und

FBI has shutoff all non-terror resources basically

[HongPong]

The thing is that the FBI has basically diverted all their white collar crime resources, and probably whatever might be used to track hacking / financial crime stuff, into stupid counter-terror campaigns. This whole mess is really a permutation of white-collar crime.

They haven't sent a single greater-than-pawn level obvious fraudulent white collar criminal to prison in like a decade. They catch a couple hackers running large creditcard schemes but they haven't done jack about the industrial espionage, which

Re:

[Nero Nimbus]

Hah, this got modded down? The NY Times article is paywalled off, and nobody else posted it, so I fail to see how the fact that I potentially saved a bunch of people from going to bugmenot to grab a username/password for nytimes.com is redundant.

Oh, wait. This is Slashdot. Nobody reads the articles, and very few even read the summaries. My bad. In Soviet Russia, etc, etc.

a promising technique called SQL injection ??

[Anonymous Coward]

"BY THE SPRING of 2007, Gonzalez .. was also tired of war driving. He wanted a new challenge. He found one in a promising technique called SQL injection ..

When you log on to the Web site of a clothing store to buy a sweater, for example, the site sends your commands in SQL back to the databases where the images and descriptions of clothing are stored. The requested information is returned in SQL, and then translated into words, so you can find the sweater you want ..

SQL is the lingua franca of online

Re:

[FuckingNickName]

Property is theft, etc. But since you bring up a method of your most rowdy puppet state (not Israel - way too smart to be puppets)...

I can't make up my mind whether it is Americans or Saudi Arabians who are more convinced of the impossibility of a flaw in their belief systems and the resultant society created. Although I have always got better discussions from adherents to conservative Islam than from arch-capitalists, probably because only the former understand what fundamental faith-based assumptions they

People Don't Want To Understand Cybercrime

[Black Gold Alchemist]

People think cybercrime is about misbegotten geniuses launch attacks using incomprehensible methods. They think cyberwar is about vast arrays of foreign hackers breaking into our high tech military systems and stealing our secrets. However, that's not what cybercrime and cyberwarfare are about. Cybercrime and cyberwarfare are about people bruteforcing some bigshot's low strength password. It's about some stupid spyware program exploiting some obvious old bug in windows and emailing your credit card to the former USSR. It's about your grandma downloading a set of "kitty" icons and infecting her computer with a botnet virus. It's about some small-time hacker calling up one secretary and getting the CEO's username, and then calling another and getting the CEO's password. These problems can't be solved by advanced security systems. They have to be solved by people. It's kind of like trying to fight cave-dwelling terrorists with a high-tech stealth bomber.

Did anyone else..

[Lanteran]

when I read that last bit about him being expected to get out of prison in 2025, I had the mental image of Simon Phoenix hacking into the public terminal in demolition man....

Why hide?

[hesaigo999ca]

>Another claims there 'were major chains and big hacks that would dwarf TJX. I'm just waiting for them to indict us for the rest of them
This leads me to believe the rumors that we are never really told what is going on behind the scenes of these fraud cases by the banks themselves, so how are we to know what is what, and if the banks are doing an adequate job ? Maybe some regulations for this specifics might be in order?