Incident of the Week (Year?): Hacker Responsible for Largest Data Breach in U.S. History Indicted

According to a press release from the United States Attorney's Office for the District of New Jersey, yesterday an "indictment was returned against three individuals who are charged with being responsible for five corporate data breaches, including the single largest reported data breach in U.S. history."  According to the press release, the indictment describes a scheme whereby Albert "Segvec" Gonzalez and two unnamed Russian defendants (identified as "Hacker 1" and "Hacker 2") stole "more than 130 million credit and debit card numbers together with account information" from Heartland Payment Systems, 7-Eleven, Inc., and Hannaford Brothers Co., and also hacked into two unidentified corporate victims.

Note that this is the same Albert Gonzalez who is awaiting trial for his role in the notable attack on TJX, a breach that is now only the second largest known incident of its kind.

The indictment alleges that, between October 2006 and May 2008, Gonzalez and an uncharged co-conspirator named "P.T." identified potential corporate victims by, among other things, reviewing a list of Fortune 500 companies.  They would then travel to retail stores of potential victims to identify point-of-sale terminals (checkout machines) and learn about potential vulnerabilities of those systems.  P.T. would visit the corporate websites of potential victims to identify vulnerabilities in the payment processing systems the victims used.  According to the indictment, the conspirators maintained computers in New Jersey and around the world that stored malware and other information critical to the hack.  Gonzalez, P.T. and Hackers 1 and 2 then hacked into the victims' networks using various methods, including SQL injection, a well-known attack that exploits security vulnerabilities in the way an online interface passes user input to the back-end customer database.

Once they had hacked into the computer networks, the conspirators placed malware on the victims' networks that enabled them to access the networks at a later date.  They would then find credit and debit card data and transmit it to servers they controlled.  At the same time, they installed "sniffer" programs, which would conduct real-time interception of data being processed by the victims and periodically transfer this data to the conspirators.  The indictment alleges that the conspirators often worked together on a real-time basis via instant messaging to advise each other how to navigate the victims' networks.  The conspirators concealed their actions in numerous ways, including disguising the IP addresses of their computers through intermediary (or "proxy") servers, and by placing additional malware on the victims' networks that could evade anti-virus software and would erase traces of the malware's presence on the networks.

Each defendant faces a maximum of 35 years in prison and more than $1 million in fines or twice the gain from the crimes, whichever is greater.  According to the press release, Gonzalez is currently in jail in Brooklyn, New York and awaiting trial in New York and Massachusetts related to prior instances of data theft. 

While it is certainly good to know that the Department of Justice continues to take an active role in large-scale incidents, the description of the scheme in the indictment should give retailers and other institutions pause and perhaps a reason to review their information security measures.  While the perpetrators in this case are obviously skilled programmers, it appears that they obtained some of the information essential to executing their scheme simply by observing checkout registers and visiting corporate websites.  [Editor's note: the FTC has considered SQL injection attacks to be "commonly known or reasonably foreseeable" since at least 2000; see the FTC's enforcement action against Guess? and comments by the FTC's chief privacy officer. If your company has not hardened its website against these attacks, it may be assuming an undue risk.]  Moreover, it appears from the indictment that three of the four individuals are still at large, and of course there are likely numerous individuals out there with both the means and the motive to perpetrate similar schemes.  Because the indictment is fairly general in the details of the mechanics of the hacks, it will be interesting to see what details come out in the prosecution of the case and what lessons, if any, companies can learn from those details.
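For readers wondering what "hardening a website against SQL injection" means in practice, the following is an added illustration, not code from the indictment or from any of the companies named above. It uses a constructed three-row customer table in an in-memory SQLite database and two hypothetical lookup functions: one that pastes user input directly into the SQL text (the defect SQL injection exploits), and one that binds the input as a query parameter, which is the standard fix. The function and table names are assumptions chosen for the example.

```python
import sqlite3

# Constructed sample data: a tiny customer table standing in for the
# "back-end customer database" that sits behind a web lookup form.
SAMPLE_CUSTOMERS = [
    (1, "alice", "alice@example.test"),
    (2, "bob", "bob@example.test"),
    (3, "carol", "carol@example.test"),
]


def make_db():
    """Build an in-memory SQLite database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_CUSTOMERS)
    conn.commit()
    return conn


def lookup_unsafe(conn, username):
    """Vulnerable pattern (hypothetical): the user-supplied value is spliced into
    the SQL text, so a value containing a quote character can change the
    structure of the query instead of being treated as data."""
    sql = f"SELECT id, username, email FROM customers WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Hardened pattern: a parameterized query. The SQL text is fixed and the
    value is bound separately by the database driver, so it is only ever
    compared as a string and can never alter the query."""
    sql = "SELECT id, username, email FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def compare(username):
    """Run both lookups on the same input and return the row counts as
    (unsafe_count, safe_count). Equal counts mean the input was benign."""
    conn = make_db()
    try:
        return len(lookup_unsafe(conn, username)), len(lookup_safe(conn, username))
    finally:
        conn.close()


if __name__ == "__main__":
    # A benign username behaves the same either way: one matching row.
    print("benign:", compare("alice"))
    # An input that closes the string literal and appends an always-true
    # condition makes the unsafe query return every row in the table, while
    # the parameterized query simply finds no user with that literal name.
    print("tampered:", compare("' OR '1'='1"))
```

The point of the comparison is that the hardened version needs no input filtering or blacklist of "dangerous" characters; binding the value as a parameter removes the class of defect entirely, which is why parameterized queries (or an ORM that uses them) are the first thing an application security review looks for.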


Newly released opinions on privacy shed light on past government practices

On Monday the Department of Justice released a previously classified opinion entitled “Authority for Use of Military Force To Combat Terrorist Activities Within the United States” (.pdf), which concluded, among other things, that “the Fourth Amendment [of the U.S. Constitution] does not apply to domestic military operations designed to deter and prevent further terrorist attacks.” This may come as a shock to some because the Fourth Amendment expressly prohibits the government from searching or seizing individuals or their property absent a warrant and probable cause, without any special carve-out for domestic military operations. The DOJ opinion, written by Deputy Assistant Attorney General John C. Yoo and Special Counsel Robert J. Delahunty, also concluded that these constitutionally exempt counter-terrorism operations would include “making arrests, seizing documents or other property, searching persons or places or keeping them under surveillance, intercepting electronic or wireless communications, setting up roadblocks, interviewing witnesses, and searching for suspects.” The evidence recovered from these operations could then be used “for criminal investigations or prosecutions.”

Commentators have reacted with concern to the opinion, as it placed the power to decide whether or not the Fourth Amendment applied to a military action in the hands of the President (“If the President concludes that it is necessary to use military force domestically to counter [terrorists], the Fourth Amendment should be no more relevant than it would be in cases of invasion or insurrection.”).  Many have also noted that because the NSA is part of the military, this opinion was probably part of the justification for the past administration’s warrantless wiretapping program, which caused great concern among civil libertarians.

It is unlikely that this opinion will govern during the Obama presidency: the DOJ formally renounced this opinion on January 15, 2009.  However, the disclosure of this opinion does help shed light on (or confirm) the last administration's view of privacy during the war on terror.

Links:

  • Department of Justice website
  • The October 23, 2001 opinion can be found here (.pdf) or from the DOJ’s website here (.pdf)
  • Department of Justice Press Release announcing the disclosure of the opinion memorandum is available here or from the DOJ’s website here
  • Glenn Greenwald’s column “The newly released secret laws of the Bush administration” is available here
  • National Security Agency website
  • New York Times article “Memos Reveal Scope of the Power Bush Sought” is here (registration required)
  • New York Times article first reporting on the warrantless wiretapping program is here (registration required).