Forgot your password?
typodupeerror
Businesses Crime Security Your Rights Online

The Great Cyberheist 57

Posted by kdawson
from the meelions-and-meelions dept.
theodp writes "In this week's cover story, the NY Times Magazine delves into the mind of Albert Gonzalez, the hacker who is currently doing time (the longest sentence ever handed down for computer crime in the US) for masterminding attacks on the nation's leading retailers, reportedly costing TJ Maxx, Heartland, and other victimized companies more than $400 million. And that may just be the tip of the iceberg. 'The majority of the stuff I hacked was never brought into public light,' said one of Gonzalez's partners-in-crime. Another claims there 'were major chains and big hacks that would dwarf TJX. I'm just waiting for them to indict us for the rest of them.' Online fraud is still rampant in the US, but statistics show a major drop in 2009 from previous years when Gonzalez was active. While reportedly not a gifted programmer, even the Feds that Gonzalez two-timed admired his ingenuity, likening him to top CEOs. When asked how Gonzalez rated among criminal hackers, a prosecutor replied: 'As a leader? Unparalleled. Unparalleled in his ability to coordinate contacts and continents and expertise. Unparalleled in that he didn't just get a hack done — he got a hack done, he got the exfiltration of the data done, he got the laundering of the funds done. He was a five-tool player.' Accounting for time served and good behavior, Gonzalez is expected to get out of prison in 2025." Last June Rolling Stone ran a long profile of Albert Gonzalez written by Sabrina Rubin Erdely; they have dusted it off now that producer Eric Eisner has embarked on the development of a feature film based on Erdely's piece.
This discussion has been archived. No new comments can be posted.

The Great Cyberheist

Comments Filter:
  • by viralMeme (1461143) on Saturday November 13, 2010 @09:34AM (#34215386)
    Yet another 'journalist who thinks he's the new Tom Wolfe :)

    Biggest Cybercrime of All Time

    "Albert Gonzalez remained focused on business — checking his laptop constantly, keeping tabs on the rogue operators he employed in Turkey and Latvia and China, pushing, haranguing, issuing orders into his cellphone in a steady voice. "Let's see if this Russian asshole has what I need," he'd say calmly. Then he would help himself to glass plates of powder, each thoughtfully cut into letters for easy identification: "E" for Ecstasy, "C" for coke" link [rollingstone.com]

    "Dude," he wailed, "I can't fucking read!"

    Dude, you can't write :)
    • by devbox (1919724) on Saturday November 13, 2010 @09:47AM (#34215452)
      I loved this part

      Before long, he discovered Internet Relay Chat, a web forum popular with hackers who discussed the how-tos of breaching Internet security at its highest levels.

      • by bobdotorg (598873)

        Hey: Eye are see is where those hackers refine their "sequel attacks", because apparently the first attack didn't fully tell the story.

    • To be fair you should note that your quote is from the Rolling Stone article. The NY Times magazine article (first link in TFS) is quite good.
  • by Anonymous Coward on Saturday November 13, 2010 @09:45AM (#34215442)
    The hack consisted of accessing wireless POS terminals from the car park and then going on to access the internal CC database for over eighteen months, without anyone noticing. They only took action when the banks phones them up and asked about all the fraudelent activity out TJX stores.

    "TJX admit that 45.7 million credit and debit cards was stolen from the company in a computer data security breach over an 18-month period" link [itpro.co.uk]
    • Re: (Score:3, Insightful)

      by hedwards (940851)
      I'm wondering at what point a retailer ought to be responsible for the breach. It seems to me that whatever the consequences of that sort of irresponsibility is, that it's not enough. There's absolutely no reason why they need to have an internal CC database. They could just as easily hash the CC information and compare that with a stored hash.
      • There is not enough entropy in credit card numbers to make hashing a serious obstacle.

      • by bjourne (1034822)
        Is it even legal to store credit card info when you don't have any use for it? In other countries there are laws against retailers storing CC info because of the huge risks involved. They don't need the info after the purchase is made and a single rogue employee can cause havoc without any hacking involved.
      • by evilviper (135110)

        A) You may just be over-generalizing, but yes, full CC#s do need to be stored for a decent bit of time to handle any number of order processing issues that may occur.

        B) Even if you as a company may not want to keep CC#s lying around forever, your lawyers may well tell you it is required. Though I dont deal with the lawyers myself and cant give specifics, I can tell you that my employer treats CC info the same as all other business info that might possibly be needed by the IRS up to 7 years down the line.

    • by TheKidWho (705796)

      Typical /. goon, "Pshh I could do that with one hand and blindfolded!"

    • by yuhong (1378501)

      The hack consisted of accessing wireless POS terminals from the car park

      By cracking WEP, BTW. Any other real-world incident that involved WEP cracking you have encountered? BTW, I found this paper on "IVs to Skip for Immunizing WEP against FMS Attack [aist.go.jp]" from 2008, which seems to be a better attempt at skipping weak IVs than before. Of course it is still better to use WPA if you can.

  • by petes_PoV (912422) on Saturday November 13, 2010 @10:23AM (#34215554)
    All media reports of (caught) cyber-criminals (or just plain "criminals" as they actually are) stresses how talented, or brilliant or "mastermind" they were. None of them were simply petty crooks that just happened to use a comuter rather than a jemmy as their tool of trade.

    You could be forgiven for thinking that the world of the cyber-criminal is wholly populated by geniuses who have "gone bad", or the sorts of people that James Bond regularly vanquishes. Where are all the averagely intelligent, nondescript, stupid-but-lucky criminals who stalk the world of online, as they do the ordinary underworld?

    The answer, I suspect, is that they're the very same people who are described above, but who's skills are exaggerated by police forces all over the world in an attempt at self-aggrandisement. To make their own lucky breaks appear to be much more significant than they actually were. Just as anglers everywhere have stories about the "massive" catches they made when no-one else was around I reckon the police are pursuing the same policy to try and convince the public that they, too are masterminds. Hmmm.

    • by Bazouel (105242)

      Is the article making the police forces look good ? Hardly. They caught the hackers by luck (thanks to the Russian CC reseller) and it is repeated many times that Gonzalez considered them ignorant and outwitted. The lyric description of the hackers lifestyle rather glorifies them and make them look like superstars, which we all know on slashdot is far from the reality.

  • idiot press (Score:2, Insightful)

    by Anonymous Coward

    If he was so poorly educated and not a particularly well-skilled hacker, and it still took the FBI so long to figure out it was him and bring a conviction, what are they doing against hackers who are actually good? How are they fairing against highly intelligent, well-organized, and well-funded teams of hackers being employed by other nations to the infiltrate US government, commercial, and industrial systems. We know those bad guys exist. Where are all the arrests and front-page stories?

    Uneducated and und

    • The thing is that the FBI has basically diverted all their white collar crime resources, and probably whatever might be used to track hacking / financial crime stuff, into stupid counter-terror campaigns. This whole mess is really a permutation of white-collar crime.

      They haven't sent a single greater-than-pawn level obvious fraudulent white collar criminal to prison in like a decade. They catch a couple hackers running large creditcard schemes but they haven't done jack about the industrial espionage, which

  • by Anonymous Coward
    "BY THE SPRING of 2007, Gonzalez .. was also tired of war driving. He wanted a new challenge. He found one in a promising technique called SQL injection ..

    When you log on to the Web site of a clothing store to buy a sweater, for example, the site sends your commands in SQL back to the databases where the images and descriptions of clothing are stored. The requested information is returned in SQL, and then translated into words, so you can find the sweater you want ..

    SQL is the lingua franca of online
  • by Black Gold Alchemist (1747136) on Saturday November 13, 2010 @02:03PM (#34216778)
    People think cybercrime is about misbegotten geniuses launch attacks using incomprehensible methods. They think cyberwar is about vast arrays of foreign hackers breaking into our high tech military systems and stealing our secrets. However, that's not what cybercrime and cyberwarfare are about. Cybercrime and cyberwarfare are about people bruteforcing some bigshot's low strength password. It's about some stupid spyware program exploiting some obvious old bug in windows and emailing your credit card to the former USSR. It's about your grandma downloading a set of "kitty" icons and infecting her computer with a botnet virus. It's about some small-time hacker calling up one secretary and getting the CEO's username, and then calling another and getting the CEO's password. These problems can't be solved by advanced security systems. They have to be solved by people. It's kind of like trying to fight cave-dwelling terrorists with a high-tech stealth bomber.
  • when I read that last bit about him being expected to get out of prison in 2025, I had the mental image of Simon Phoenix hacking into the public terminal in demolition man....
  • >Another claims there 'were major chains and big hacks that would dwarf TJX. I'm just waiting for them to indict us for the rest of them
    This leads me to believe the rumors that we are never really told what is going on behind the scenes of these fraud cases by the banks themselves, so how are we to know what is what, and if the banks are doing an adequate job ? Maybe some regulations for this specifics might be in order?

Passwords are implemented as a result of insecurity.

Working...