Schneier on Security
A blog covering security and security technology.
November 12, 2010
Long article on convicted hacker Albert Gonzalez from The New York Times Magazine.
Posted on November 12, 2010 at 12:49 PM
The article appears to be behind a "register-wall"; do you know if there is unfettered access elsewhere?
The thing that surprised me most about the case was U.S. District Judge Douglas Woodlock unsealing the court records and thus allowing the public to know of two further companies whose security had been breached.
In one case (J.C. Penney) had been promised anonymity by the U.S. Secret Service. One of the lawyers representing the two (then anonymous) companies actually argued to the judge that companies would commit a federal crime (Misprision of Felony) by not co-operating in future investigations. It appears from what was reported afterwards that the Judge took grave exception to this notion.
Misprision of Felony was originally a crime in the UK and became codified in US federal law in 1909, where it still lurks waiting to be used. It basically says the following:
"Whoever, having knowledge of the actual commission of a felony cognizable by a court of the United States, conceals and does not as soon as possible make known the same to some judge or other person in civil or military authority under the United States, shall be fined under this title or imprisoned not more than three years, or both."
This offense, however, usually requires the active concealment of a felony rather than just failing to report it, unless an active duty to report exists; however, this is a very fine dividing line in the case of a company that has suffered a security breach and possible PII data loss.
I suspect we might hear more on it in the future.
For a brief moment I thought I read 'Alberto Gonzalez' and 'convicted' in the same sentence.
Once again, the security problem is with stores and credit card processors, rather than individual credit card users. You'd hope they would learn at some point.
If anything, I find it hard to feel any anger toward these black hats. I may have focused my anger on them if they ingeniously victimized companies and individuals who had taken effective measures to protect the data. In this case, the only thing ingenious was how the operations were executed so masterfully. The attacks all relied on common, well-known exploitation strategies that we've known how to beat (even cheaply) for years. My anger is directed at the complacent companies that make this possible. They are the crooks and we consumers are their victims.
Although I usually hate government IT involvement, I'd almost like to see the government impose strict and useful regulations on transaction processing. They already do to a degree with PCI, but it's not good enough. Companies should experience fines for complacency-related breaches that are tied to their profit margin in such a way that risk management forces the company to operate in a fairly secure fashion. I repeat my assertion that buffer overflows, wireless crypto, XSS, SQL injection, etc. are basically solved problems for those investing in security. A remote hacker shouldn't be able to find a vulnerability in 5 minutes. That's just complacency and should be punishable by law. Current economic losses justify the regulation.
While the driver's license is not a financial transaction card, it is used as ID/data for financial transactions. That's only one of the reasons that I was taken aback on the most recent election day to notice that the bar code of my Georgia driver's license had just been scanned with a handheld scanner such as is used in libraries. The poll worker assured me that it (the data) is just for them.
It's a pity that an inventive mind got corrupted by a petty little scheme like this.
I know there is nothing new in SQL attacks nor with "war driving" and WiFi hacks, although I thought corrupting the Point Of Sale terminals was an interesting twist. But putting it together and coordinating the effort is not to be trivialized.
What seems to set this fraud apart from say Bernie Madoff's, is that many of the victims quickly realized that something was wrong, in contrast to Bernie's where confidence in the underlying business relationship was maintained for decades. Bernie's fraud was far more transparent, and obvious, the deceptions were not even backed by real numbers, the claimed trades didn't even exist, which is something that any client could have easily established. Yet Bernie enjoyed $B's and at least 30 years of high life from illicit gains and Albert enjoyed a few million and less than 5 years of high life. I think there is a lesson in there somewhere.
Now imagine Albert had never actually stolen money from the credit card accounts but rather had borrowed against the asset value associated with these accounts. If he had say followed a simple double down betting scheme, then given access to practically infinite capital (from the asset value of all the cards) he could always win these simple bets. Better still he would win without ever actually stealing from the accounts. Sure there would be some odd canceled transactions, requiring feeble apologies from an outsourced call center employee. BUT if no actual money is missing from the accounts then most people will not complain, or EVER get to the bottom of the unusual reimbursed transactions. Believe me I had some such transactions a few years ago and was hampered at every level, the "what's your problem dude! nothing's missing" attitude is epidemic within these organizations.
It brings to mind that Albert used a get-in and get-out method like robbery. He was said to have a hard time handling spoils -- in a rush to accumulate, launder and then switch to a different pastime. Bernie, however, developed wide tentacles that massaged victims into a symbiotic and carefully engineered relationship. The last thing he wanted was to get out.
This whole thing reminds me of a post on a Hedge fund quant strategy site that I used to read.
There was a long detailed post dissecting the trading strategy of a fund (interestingly in part formed by the GCHQ crypto great Nick P). The quant program, through the way it executed trades, was claimed to be breaking innumerable trading laws (mostly intended to control trading in live person to person sessions). Interestingly, at the time, very few Wall St'ers had the mathematical skills needed to analyse the trades and from the trade patterns establish the nature of the trading algorithm. So the fund went unpunished and amassed a fortune for all involved.
Now I have no knowledge of SEC laws, so I definitely cannot claim to understand the nature of any possible crimes committed, BUT the simple fact that the process involved complex cryptography like algorithms, based on extracting patterns from data, and the money shifting from here to there and lots of trades and and and ...made the whole mess impenetrable and therefore legal, or more correctly impossible to prosecute.
It seems to me that Albert's greatest error was that his system was the cyber equivalent of hitting little old ladies over the head and stealing their pension checks. This sort of activity always attracts the interest of departments with real muscle rather than the toothless variety like the SEC. What Albert really needed was a way to obfuscate the process by which funds in his accounts were related to the stolen credit card details.
Mr. Schneier, probably because you linked to it, NYTIMES wants the user to register to view the article for free.
This kind of sucks.
Picking up on @Nick P's comments:
This is pretty much always going to happen because of the way current risk management strategies work.
Most companies I have consulted for take the line that they are only going to spend money defending against a quantifiable loss to the company. The risk to customer data is measured by how much knock-on loss the company will suffer.
Invariably this comes out quite low and even then still encourages other strategies (such as PR or paying damages to keep breaches off the record).
While this infuriates me, I am banging my head against the wall while the executives view it as a legitimate strategy that maximises their profits.
Once I thought things like PCI-DSS would help, but so far all have proven to be a toothless tiger. Even the UK ICO powers are an empty threat so far.
Until this changes, "hacks" like Gonzalez will continue, losses will be incurred (and tolerated), criminals will get rich and people will lose money - just not enough to make society want to change.
For those unable to get behind the paywall: http://www.bugmenot.com .
I subscribe to the print edition, and it is a fascinating article ...
Double down betting probably won't work because of house limits and time constraints, but you can just keep a float going and collect interest. Having said that, someone will notice the immense number of transactions and it will blow up.
As Anton says, the immense number of transactions would be the undoing of the scheme.
However the zero-net idea is a good one. Instead of just stealing the DB and grabbing as much as possible from the CCs, you instead inject fake (merchandise) returns into the business's system. The system reverses the CC transaction, putting the money back on the card. You then go to the ATM and steal that amount. Customer won't know there was something screwy going on until they look at their statement. If you keep the ratio of fake-to-real returns low enough and you ramped up the number slowly over several accounting cycles, your fakes may go unnoticed (common accounting practice is to estimate future returns, just don't upset the ratio by more than the margin of error for the estimate). Depending upon how careful they are about handling returned merchandise, they may never suspect there is a problem with their computer system.
"someone will notice the immense number of transactions and it will blow up"
Maybe, but why would I need to limit myself to one account doing the betting. If I'm in control of the database then I can easily create say 1000 dummy accounts and transfer small amounts between real CC's and these fake accounts. I can bet and lose on one account, then bet the same amount on each account but with two accounts, and so on. No house limits.
I don't see excessive transactions as a problem, unless you get really greedy.
I was thinking that the bets would be done on the stock market, something simple like an up / down tick on an ETF. So the bets will not be visible within the massive amount of HF trading that already happens.
I don't condone thievery, and can certainly understand that Mr. Gonzalez deserved swift and harsh punishment for the thousands (millions?) he and his cohorts victimized, but 20 years just seems cruel and unnecessary. I feel little sympathy for the companies that were targeted and breached, the ease with which they were compromised points to an ineffective and irresponsible security policy (shocking). Leaving your keys in the ignition while you run into the convenience store to grab a cup of coffee is a crime, even if the person who takes advantage of your negligence is still a thief.
It just seems like (and there are quotes in the article that support this) he is being punished so harshly for pulling the wool over a government agency's eyes. I wonder how much of his sentence has to do with government-sized egos as opposed to his crimes or the law. It could be worse, he could be serving 30 years in a Turkish prison like his Ukrainian friend, but a 20 year sentence doesn't seem like justice to me. Maybe that's why I'm not a judge.
I am dealing with a virus infestation today, so have little sympathy for computer miscreants. Besides which, it is about time white-collar criminals who steal or harm millions are punished just as, if not more, severely than the guy who holds up a 7-11 ...
A guy robbing a liquor store can have deadly consequences. CC fraud liability of fifty bucks rarely has that effect. I think crooks who use or threaten lethal force should be treated harsher than common thieves.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.