The Great Cyberheist
theodp writes "In this week's cover story, the NY Times Magazine delves into the mind of Albert Gonzalez, the hacker who is currently doing time (the longest sentence ever handed down for computer crime in the US) for masterminding attacks on the nation's leading retailers, reportedly costing TJ Maxx, Heartland, and other victimized companies more than $400 million. And that may just be the tip of the iceberg. 'The majority of the stuff I hacked was never brought into public light,' said one of Gonzalez's partners-in-crime. Another claims there 'were major chains and big hacks that would dwarf TJX. I'm just waiting for them to indict us for the rest of them.' Online fraud is still rampant in the US, but statistics show a major drop in 2009 from previous years when Gonzalez was active. While reportedly not a gifted programmer, even the Feds that Gonzalez two-timed admired his ingenuity, likening him to top CEOs. When asked how Gonzalez rated among criminal hackers, a prosecutor replied: 'As a leader? Unparalleled. Unparalleled in his ability to coordinate contacts and continents and expertise. Unparalleled in that he didn't just get a hack done — he got a hack done, he got the exfiltration of the data done, he got the laundering of the funds done. He was a five-tool player.' Accounting for time served and good behavior, Gonzalez is expected to get out of prison in 2025." Last June Rolling Stone ran a long profile of Albert Gonzalez written by Sabrina Rubin Erdely; they have dusted it off now that producer Eric Eisner has embarked on the development of a feature film based on Erdely's piece.
from the skool of bad journalism :) (Score:5, Insightful)
Biggest Cybercrime of All Time
"Albert Gonzalez remained focused on business — checking his laptop constantly, keeping tabs on the rogue operators he employed in Turkey and Latvia and China, pushing, haranguing, issuing orders into his cellphone in a steady voice. "Let's see if this Russian asshole has what I need," he'd say calmly. Then he would help himself to glass plates of powder, each thoughtfully cut into letters for easy identification: "E" for Ecstasy, "C" for coke" link [rollingstone.com]
"Dude," he wailed, "I can't fucking read!"
Dude, you can't write
Re:from the skool of bad journalism :) (Score:5, Funny)
Before long, he discovered Internet Relay Chat, a web forum popular with hackers who discussed the how-tos of breaching Internet security at its highest levels.
Re: (Score:2)
Hey: Eye are see is where those hackers refine their "sequel attacks", because apparently the first attack didn't fully tell the story.
Re: (Score:1)
two-time
verb [trans.] informal
deceive or be unfaithful to (a lover or spouse)
The parentheses indicate common usage, but the meaning seems perfectly clear to me in this context. It is more fun to feign ignorance though.
And speaking of feigning ignorance, I thought maybe we were going to delve into the mind of Alberto Gonzalez when I first glanced at the summary. Now that would be a story. But then I remembered personally reading about and discussing this Albert Gonzalez on a previous occasion. What di
Re: (Score:1)
Is it not obvious? :) He was sucking the KGB behind the FBI's back.
Okai, that was in lousy taste, I know.. :| But you're right, I can't imagine what two-timing could have happened. And if there really was some kind of two-timing going on, the writer obviously did not have the sense to mention it in TFA for us. What joy in incompetence, yeah!?
Re: (Score:2)
Everyone knows that the KGB had hot Russian chicks as their spies. Haven't you ever watched a James Bond movie? :)
Well, it's shown in reality too. Some are: Anna Chapman, Anna Fermanova, Patricia Mills, Krystyna Skarbek, Josephine Baker, and Violette Szabo. They don't exactly resemble the Bond girls though. I'm still trying to figure out how to convince a hot Russian spy chick that I have secrets worth seducing. It's not that I'd give them up, but the seduction is always fun. :)
Re: (Score:2)
POO (Point of Order): Violette Szabo is Hungarian, not Russian.
Re: (Score:1)
We're assuming things here.. I'm sure there are some non-homophobic members on both sides. :-D
But I rhyme with your thoughts. :) I'm sure I have secrets worth seducing out of me too. I just have to find some Russian chicks to work on me before I expose myself.
Re: (Score:1)
And if there really was some kind of two-timing going on, the writer obviously did not have the sense to mention it in TFA for us. What joy in incompetence, yeah!?
Excerpts from the article ...
"After a couple of interviews, Gonzalez agreed to help the government so he could avoid prosecution ... After aiding another investigation, he became a paid informant in the Secret Service field office in Miami in early 2006. Agent Michael was transferred to Miami, and he worked with Gonzalez on a series of investigations on which Gonzalez did such a good job that the agency asked him to speak at seminars and conferences ... As far as the agency knew, that’s all he was doing. “It seemed he was trying to do the right thing,” Agent Michael said... He wasn’t. Over the course of several years, during much of which he worked for the government, Gonzalez and his crew of hackers and other affiliates gained access to roughly 180 million payment-card accounts from the customer databases of some of the most well known corporations in America ..."
The two-timing is spelled out in just over the first page.
Re: (Score:1)
Re: (Score:1)
what great cyberheist ? (Score:3, Informative)
"TJX admit that 45.7 million credit and debit cards was stolen from the company in a computer data security breach over an 18-month period" link [itpro.co.uk]
Re: (Score:3, Insightful)
Re: (Score:2)
There is not enough entropy in credit card numbers to make hashing a serious obstacle.
Re: (Score:2)
Still better than not hashing them, especially given how little additional work is required to do so.
No, because "so little work" involves changing credit card processing terminals around the world. For that kind of cost/effort, it better be a good solution.
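The entropy argument in the hashing exchange above, worked through as an added example that is not part of the thread: with the six-digit BIN and last four digits of a 16-digit card number known, the Luhn check leaves 10^5 candidates, so an unsalted hash can be matched by enumeration, while a keyed HMAC cannot be recomputed without the key. The card number is the constructed test value 4111111111111111; the function names and the key are hypothetical.

```python
import hashlib
import hmac
import math

def luhn_ok(pan: str) -> bool:
    """Luhn checksum that every payment card number must satisfy."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                 # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def unknown_bits(length=16, known_prefix=6, known_suffix=4) -> float:
    """Bits of entropy left once the BIN and last four digits are known.
    Luhn fixes one of the remaining digits, so it is subtracted."""
    free_digits = length - known_prefix - known_suffix - 1
    return free_digits * math.log2(10)

def plain_hash(pan: str) -> bytes:
    return hashlib.sha256(pan.encode()).digest()

def keyed_hash(pan: str, key: bytes) -> bytes:
    # The key lives outside the card database (assumption: an HSM or secrets store).
    return hmac.new(key, pan.encode(), hashlib.sha256).digest()

def enumerate_matches(digest: bytes, bin6: str, last4: str):
    """Hash every Luhn-valid candidate; return (matching PANs, candidates hashed)."""
    found, tried = [], 0
    for mid in range(10**6):
        pan = f"{bin6}{mid:06d}{last4}"
        if not luhn_ok(pan):
            continue
        tried += 1
        if plain_hash(pan) == digest:
            found.append(pan)
    return found, tried

if __name__ == "__main__":
    test_pan = "4111111111111111"      # constructed sample: a well-known test number
    print(f"{unknown_bits():.1f} bits unknown")
    print(enumerate_matches(plain_hash(test_pan), "411111", "1111"))
    key = b"hypothetical-demo-key"
    print(enumerate_matches(keyed_hash(test_pan, key), "411111", "1111"))
```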
Re: (Score:2)
Re: (Score:2)
A) You may just be over-generalizing, but yes, full CC#s do need to be stored for a decent bit of time to handle any number of order processing issues that may occur.
B) Even if you as a company may not want to keep CC#s lying around forever, your lawyers may well tell you it is required. Though I don't deal with the lawyers myself and can't give specifics, I can tell you that my employer treats CC info the same as all other business info that might possibly be needed by the IRS up to 7 years down the line.
Re: (Score:2)
Typical /. goon, "Pshh I could do that with one hand and blindfolded!"
Re: (Score:2)
He's an amateur.
This is what I call a great cyberheist:
http://www.bloomberg.com/apps/news?pid=newsarchive&sid=armOzfkwtCA4 [bloomberg.com]
http://www.bloomberg.com/apps/news?pid=newsarchive&sid=aGvwttDayiiM [bloomberg.com]
Or if fancy computer tricks are required:
http://www.nytimes.com/2009/07/24/business/24trading.html [nytimes.com]
http://www.nytimes.com/imagepages/2009/07/24/business/0724-webBIZ-trading.ready.html [nytimes.com]
Re: (Score:2)
The hack consisted of accessing wireless POS terminals from the car park
By cracking WEP, BTW. Any other real-world incident that involved WEP cracking you have encountered? BTW, I found this paper on "IVs to Skip for Immunizing WEP against FMS Attack [aist.go.jp]" from 2008, which seems to be a better attempt at skipping weak IVs than before. Of course it is still better to use WPA if you can.
the long tradition of bigging up criminals (Score:5, Interesting)
You could be forgiven for thinking that the world of the cyber-criminal is wholly populated by geniuses who have "gone bad", or the sorts of people that James Bond regularly vanquishes. Where are all the averagely intelligent, nondescript, stupid-but-lucky criminals who stalk the world of online, as they do the ordinary underworld?
The answer, I suspect, is that they're the very same people who are described above, but whose skills are exaggerated by police forces all over the world in an attempt at self-aggrandisement. To make their own lucky breaks appear to be much more significant than they actually were. Just as anglers everywhere have stories about the "massive" catches they made when no-one else was around, I reckon the police are pursuing the same policy to try and convince the public that they, too, are masterminds. Hmmm.
Re: (Score:1)
Re: (Score:2)
I agree.
I've had frank conversations with folks that work in banks. I've also had to cash some large checks, which is frequently a nightmare to pull off. It's not all in verification, that's easy. They call the issuer, the issuer verifies it. The hard part is for them to come up with the funds. I've been left waiting for up to an hour for the armored truck to arrive and drop off more cash, so I could get mine. Teller drawers rarely have enough to make a bank robbery a val
Re: (Score:2)
What an idiotic thing to do. Stash it when you leave, and then come back later when all the cops are swarming all over the place? Or come back later only to find that someone else has already taken your loot?
Re: (Score:2)
Agreed. Bankrobbers are a breed of low-intelligence, violent psychopaths. Robbery is a high risk crime (to the perpetrator as well as the victims), so a clever criminal would not engage in such activities. The return usually isn't worth it when judged against the risk.
Re: (Score:2)
It's almost unbelievable that no-one's thought of that before.
Re: (Score:2)
Re: (Score:2)
By exaggerating the very trait that cyber-criminals value in themselves (i.e. their intelligence, cunning, abilities etc.) all the police are doing is re
Re: (Score:2)
Is the article making the police forces look good? Hardly. They caught the hackers by luck (thanks to the Russian CC reseller) and it is repeated many times that Gonzalez considered them ignorant and outwitted. The lyric description of the hackers' lifestyle rather glorifies them and makes them look like superstars, which we all know on slashdot is far from the reality.
idiot press (Score:2, Insightful)
If he was so poorly educated and not a particularly well-skilled hacker, and it still took the FBI so long to figure out it was him and bring a conviction, what are they doing against hackers who are actually good? How are they faring against highly intelligent, well-organized, and well-funded teams of hackers being employed by other nations to infiltrate US government, commercial, and industrial systems? We know those bad guys exist. Where are all the arrests and front-page stories?
Uneducated and und
FBI has shutoff all non-terror resources basically (Score:2)
The thing is that the FBI has basically diverted all their white collar crime resources, and probably whatever might be used to track hacking / financial crime stuff, into stupid counter-terror campaigns. This whole mess is really a permutation of white-collar crime.
They haven't sent a single greater-than-pawn level obvious fraudulent white collar criminal to prison in like a decade. They catch a couple hackers running large creditcard schemes but they haven't done jack about the industrial espionage, which
Re: (Score:1)
Oh, wait. This is Slashdot. Nobody reads the articles, and very few even read the summaries. My bad. In Soviet Russia, etc, etc.
a promising technique called SQL injection ?? (Score:1, Funny)
When you log on to the Web site of a clothing store to buy a sweater, for example, the site sends your commands in SQL back to the databases where the images and descriptions of clothing are stored. The requested information is returned in SQL, and then translated into words, so you can find the sweater you want
SQL is the lingua franca of online
Re: (Score:1, Flamebait)
Property is theft, etc. But since you bring up a method of your most rowdy puppet state (not Israel - way too smart to be puppets)...
I can't make up my mind whether it is Americans or Saudi Arabians who are more convinced of the impossibility of a flaw in their belief systems and the resultant society created. Although I have always got better discussions from adherents to conservative Islam than from arch-capitalists, probably because only the former understand what fundamental faith-based assumptions they
People Don't Want To Understand Cybercrime (Score:5, Insightful)
Did anyone else.. (Score:1)
Why hide? (Score:1)
>Another claims there 'were major chains and big hacks that would dwarf TJX. I'm just waiting for them to indict us for the rest of them
This leads me to believe the rumors that we are never really told what is going on behind the scenes of these fraud cases by the banks themselves, so how are we to know what is what, and if the banks are doing an adequate job? Maybe some regulations for these specifics might be in order?