Friday, November 19, 2010

The Great Cyberheist

As Prof. Chapple mentioned in class on Tuesday, the NY Times put out an article on November 10th talking about the mastermind behind numerous cybercrimes, including the TJX case we studied earlier in the semester. It's a long article, but well worth reading if you have 20-25 minutes of spare time.

The article goes into great depth about the progression of Albert Gonzalez, a black hat hacker out of Miami who was essentially the brains behind the crimes against Marshall's/TJX and a number of other large corporations. It begins with Gonzalez's first run-in with the law and how this led to him becoming an informant for the Justice Department in "Operation Firewall". The goal of this operation was to take down a number of black hat hackers who gathered on a web site called Shadowcrew, which served as an eBay/Monster/Myspace for black hat hackers. As a rising star in the world of cybercrime, Gonzalez became an irreplaceable piece of the puzzle in taking down dozens of these hackers.

As many people say, however, once a criminal, always a criminal. The case is no different for Albert Gonzalez. Like many black hat hackers, his original motives were purely monetary. But as his actions snowballed from 2003 to 2007, Gonzalez found himself committing these crimes purely out of greed and stubbornness. While working for the government, Gonzalez and his crew of Jonathan James, Patrick Toey, Christopher Scott, Jonathan Williams, and Maksym Yastremskiy were able to gain access to roughly 180 million payment card accounts from Office Max, BJ's Wholesale Club, Dave & Buster's, TJ Maxx and Marshalls, Target, Barnes & Noble, JC Penney, Sports Authority, Boston Market and 7-Eleven. In the words of Gonzalez's chief prosecutor, "The sheer extent of the human victimization caused by Gonzalez and his organization is unparalleled."

After becoming bored with Operation Firewall, Gonzalez began targeting business Wi-Fi networks by the end of 2004. Because companies had rushed to get online and to adapt to payment card industry requirements, Gonzalez saw a number of vulnerabilities in their networks and in how they protected data. Gonzalez was able to get Christopher Scott and Jonathan James to do a lot of the grunt work, sitting outside the stores with antennas and laptops.

Originally, Gonzalez ran into the problem that companies like TJX stored expired credit card information (since they held data for so long). Soon, however, he found a way to locate the most recently used credit cards and have that data uploaded directly to his computer. It was his ability to breach point-of-sale terminals at stores that enabled him to get card data right after customers used them. This method of attack was first tried on JC Penney, Wet Seal, the Hannaford Brothers grocery chain and Dave & Buster's. This was ultimately what led to such a great hit on TJX's databases. By the end of 2006, they had valid credit card information for over 40 million users.

Gonzalez went through an intricate process of setting up fake businesses, laundering money and using his international connections to hide and obtain his money. He went completely undetected in these actions, but it was his selling of personal information to Yastremskiy, a Ukrainian hacker, that ultimately led to his demise. Gonzalez had been providing credit card information for Yastremskiy to sell over the web, and it just so happened that an undercover cop in San Diego had been buying information from Yastremskiy for two years. Once TJX and Heartland Payment Systems (a credit card processing company) reported these breaches, this cop was able to provide a lead in what seemed like an unsolvable case. When they raided Yastremskiy, they were only able to find Gonzalez's IM address, which initially gave no lead to the hacker's identity. Once they obtained the IM registration info, however, they saw one piece of information: an email address. It was listed as soupnazi@efnet.ru, and those who knew Gonzalez from Operation Firewall knew immediately that it was Gonzalez providing the credit card information.

In the end, it was estimated that Gonzalez and his team cost TJX, Heartland and other companies roughly $400 million in reimbursements and forensic and legal fees. The number could be much, much higher, however. The article goes into much more detail about the whole process and how Gonzalez was able to do what he did. I encourage you to read it if you have the time.

http://www.nytimes.com/2010/11/14/magazine/14Hacker-t.html?pagewanted=all

5 comments:

  1. It is interesting to learn that Gonzalez had a history of criminal activity before he was employed by the government. I understand that the government would want him on its team, for his ability to think like a hacker and for his technical skills, but I would think his previous run-in with the law is a red flag. His criminal tendencies were already there, so there would not be much holding him back from taking advantage of his governmental access privileges.

    He gained such a large volume of credit card information during his time with the Justice Department, and though he probably would find other ways to steal account data if he did not have higher access, it probably would not be as easy. This makes us wonder what could have been prevented if the government thought twice about hiring Gonzalez. Perhaps the damage done would be significantly less.

  2. Epalag, I do agree with you regarding the government not being as cautious as they should have been, but for a few different reasons. Gonzalez was 22 when he was "cashing out" these blank debit cards. Yes, he did have a previous history with hacking as a teenager, but so do thousands of other kids. They knew that his knowledge in a changing technological age was more valuable to them than keeping him behind bars. He was able to help them imprison dozens of black hat hackers. Ultimately, however, he was partaking in other activities that undermined all of their original intentions.

    The moral of the story here is that no matter how much you might want to trust a criminal, you should always be aware that they are indeed a CRIMINAL. Lastly, Gonzalez wasn't being granted governmental access privileges. The reverse was actually the case. He was the one educating Agent Michael and Agent Peretti the whole time. They were able to acquire all of their knowledge about this through Gonzalez's cooperation. So while I do fault the government for not monitoring his activities while he was an informant, it was not because of him actually taking advantage of government documents. All of his activities were on the side.

  3. As both the commenters have stated, hiring a hacker with a criminal record for a government position is a very difficult thing to handle. While the line between good and bad hackers is a blur, one would assume that it would be better to get those black hat hackers who have committed a crime to use their knowledge and skills for the benefit of society. Because of this, I can understand why the government would take the risk of hiring Gonzalez. However, knowing his past, the government should have exercised more caution by monitoring and restricting his actions more. This post is a great reflection on the struggle to define the line between white and black hat hackers.
