Incident(s) of the Week: Recent Updates from Prior Incidents

1.  The FTC Fines Las Vegas Man $35,000 for Dumping Customer Financial Records In Public Dumpster

This week, the FTC finalized a $35,000 settlement with Gregory Navone, the real estate broker who left 40 boxes of customer tax returns, bank statements, consumer reports and other financial records in a public dumpster behind an office building in Las Vegas.  The defendant agreed to the fine, which amounts to $875 per box, as well as a stipulated order (.pdf) requiring him to adopt a comprehensive written information security program.  We first posted on this case a year ago, after the FTC filed its complaint (.pdf). 

In addition to the dumping of consumer financial information, the FTC alleged that Navone had failed to implement physical and electronic security procedures or take reasonable steps to secure the customer records he stored at home in his garage.  According to the FTC, these activities violated the FTC Act, the Federal Credit Reporting Act (FCRA) and Navone's own information security policy, which read:

We take our responsibility to protect the privacy and confidentiality of customer information very seriously.  We maintain physical, electronic, and procedural safeguards that comply with federal standards to store and secure information about you from unauthorized access, alteration and destruction.

(See Complaint (.pdf), Para. 9).  Everyone subject to document destruction laws may want to note this case and keep in mind that $35,000 is the fine imposed on an individual / small business.

2.  Fight Breaks Out Over Whether Hacker Responsible For Largest Data Breach In History Suffers From "Internet Addiction"

In December, Albert Gonzalez, aka "segvec," "soupnazi" and "j4guar17" pled guilty to charges that he masterminded the theft of over 100 million consumer credit card numbers and other financial information from Heartland Payment Systems, 7-Eleven and other companies.  We posted on his indictment last August and again on his curious role as government informant.  The public recently gained a new window on Gonzalez's soul from filings made by defense attorneys that portray the hacker as an "Internet addicted" youth compelled to commit cybercrime.  Collecting statements from Gonzalez's psychologist, family members and a former girlfriend, the defendant's sentencing memorandum (.pdf) provides an interesting point of view on the life of the hacker:

As a young boy, Gonzalez was an outwardly normal enough kid -- he had friends, engaged in activities, worked alongside his father, received good grades in school, and was part of a warm and loving family which continues to stand by him.  In middle school, things began to change, and by high school Gonzalez had become a different person -- a loner, without friends, who passed up normal teenage activities, including dating, to devote himself to his new-found and rapidly escalating obsession: computers.

*    *    *

Seeking to break Gonzalez of his computer habit, his mother periodically sought to deny him access to his computer or to at least curtail his usage, once putting it in his sister's room.  Rather than be deprived of access to his computer, Gonzalez would go to his sister's room in the middle of the night to use it.  Gonzalez's social contacts narrowed to computer chat rooms where he communicated with others with knowledge of computers and to meetings of other computer-savvy individuals, many of whom were hackers and from whom he learned much that he would, unfortunately, later convert to unlawful purposes.

*    *    *

[B]y [ ] early 2002 -- Gonzalez, age 21, had developed a serious drug and alcohol problem . . . which played a substantial role in the subsequent course of his life.  This is not to say that his substance abuse affected Gonzalez' [sic] ability to tell right from wrong.  It did not, and he knew when he turned to cyber-crime that it was wrong.  What it did do, however, was contribute to his inability to stop himself.  What developed over time was a destructive cycle of using drugs to permit him to stay awake and alert for long hours at the computer but also using them to try to get away from the computer . . . .

*    *    *

Computers . . . had become the center of his life, his raison-d'etre, if you will.  He and his computer in many ways became one: he thought in computer-speak instead of normal words, and, when his computer was infected by a virus, [he] referred to the event as if it were he, himself, who had gotten the virus.

Describing Gonzalez as unable to stop his urge to commit cybercrime, defense counsel has asked the Court to sentence him to 15 years in prison, the minimum sentence permitted.  Last week, federal prosecutors renewed their request to have a government psychologist examine Gonzalez to combat the defendant's claim that his "internet addiction" merits leniency within the 15 to 25 year sentencing range.

Incident of the Week (Year?): Hacker Responsible for Largest Data Breach in U.S. History Indicted

According to a press release from the United States Attorney's Office for the District of New Jersey, yesterday an "indictment was returned against three individuals who are charged with being responsible for five corporate data breaches, including the single largest reported data breach in U.S. history."  According to the press release, the indictment describes a scheme whereby Albert "Segvec" Gonzalez and two unnamed Russian defendants (identified as "Hacker 1" and "Hacker 2") stole "more than 130 million credit and debit card numbers together with account information" from Heartland Payment Systems, 7-Eleven, Inc., and Hannaford Brothers Co., and also hacked into two unidentified corporate victims.

Note that this is the same Albert Gonzalez who is awaiting trial for his role in the notable attack suffered by TJX, which is now only the second largest known breach of its kind.

The indictment alleges that, between October 2006 and May 2008, Gonzalez and an uncharged co-conspirator named "P.T." identified potential corporate victims by, among other things, reviewing a list of Fortune 500 companies.  They would then travel to retail stores of potential victims to identify point of sale terminals (checkout machines) and learn about potential vulnerabilities of those systems.  P.T. would visit the corporate websites of potential victims to identify vulnerabilities in the payment processing systems the victims used.  According to the indictment, the conspirators maintained computers in New Jersey and around the world that stored malware and other information critical to the hack.  Gonzalez, P.T. and Hackers 1 and 2 then hacked into the victims' networks using various methods, including SQL injection, a well-known attack that exploits security vulnerabilities between an online interface and the back-end customer database.

Once they had hacked into the computer networks, the conspirators placed malware on the victims' networks that enabled them to access the networks at a later date.  They would then find credit and debit card data and transmit it to servers they controlled.  At the same time, they installed "sniffer" programs, which would conduct real-time interception of data being processed by the victims and periodically transfer this data to the conspirators.  The indictment alleges that the conspirators often worked together on a real-time basis via instant messaging to advise each other how to navigate the victims' networks.  The conspirators concealed their actions in numerous ways, including disguising the IP addresses of their computers through intermediary (or "proxy") servers, and by placing additional malware on the victims' networks that could evade anti-virus software and would erase traces of the malware's presence on the networks.

Each defendant faces a maximum of 35 years in prison and more than $1 million in fines or twice the gain from the crimes, whichever is greater.  According to the press release, Gonzalez is currently in jail in Brooklyn, New York and awaiting trial in New York and Massachusetts related to prior instances of data theft.

While it is certainly good to know that the Department of Justice continues to take an active role in large-scale incidents, the description of the scheme in the indictment should give retailers and other institutions pause and perhaps a reason to review information security measures.  While the perpetrators in this case are obviously skilled programmers, it appears that they obtained some of the information essential to executing their scheme simply by observing checkout registers and visiting corporate websites.  [Editor's note: the FTC has considered SQL injection attacks to be "commonly known or reasonably foreseeable" since at least 2000, see FTC's enforcement action against Guess? and comments by the FTC's chief privacy officer. If your company has not hardened its website to these attacks, it may be assuming an undue risk.]  Moreover, it appears from the indictment that three of the four individuals are still at large, and of course there are likely numerous individuals out there with both the means and the motive to perpetrate similar schemes.  Because the indictment is fairly general in the details of the mechanics of the hacks, it will be interesting to see what details come out in the prosecution of the case and what lessons, if any, companies can learn from those details.
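To make the editor's point about hardening concrete, here is an added illustration (not from the indictment or the press release) of the kind of flaw SQL injection exploits and the fix: a customer lookup that pastes untrusted input into the SQL text, beside the same lookup using bound parameters. The table, logins and masked card values are constructed sample data, and `customers` is a hypothetical table name.

```python
import sqlite3

# Constructed sample rows standing in for a retailer's customer database.
CARDS = [
    ("alice", "4111-XXXX-XXXX-1111"),
    ("bob", "5500-XXXX-XXXX-0004"),
]


def make_db():
    """Build an in-memory database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (login TEXT, card TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", CARDS)
    return conn


def lookup_vulnerable(conn, login):
    """Unsafe: the caller's value becomes part of the SQL text, so it can
    rewrite the WHERE clause instead of merely being compared against it."""
    sql = "SELECT login, card FROM customers WHERE login = '" + login + "'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, login):
    """Safe: the query shape is fixed and the value is bound as data, so
    quotes or SQL keywords in the input are only ever compared as a string."""
    sql = "SELECT login, card FROM customers WHERE login = ?"
    return conn.execute(sql, (login,)).fetchall()


def demo():
    """Run both lookups on the same constructed input and return the rows
    each one exposes; the hardened form returns nothing for a bogus login."""
    conn = make_db()
    bogus_login = "x' OR '1'='1"  # constructed input; no such customer exists
    return {
        "vulnerable": lookup_vulnerable(conn, bogus_login),
        "hardened": lookup_hardened(conn, bogus_login),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, "->", len(rows), "row(s)")
```

The vulnerable lookup returns every card on file for a login that does not exist, while the parameterised lookup returns no rows; the web-tier code reviewers should be looking for is exactly the string-built query in the first function.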

Links: