Gonzalez: The Al Capone Of Cyber Thieves?

Albert Gonzalez, the Miami resident who was indicted last summer for stealing credit card data from TJX, BJ’s Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW can now add Heartland, Hannaford and 7-Eleven to the lengthy list of retailers that the federal government says he penetrated. In case you feel left out, there are two to three additional major retail chains that the feds have accused him of attacking, although those chains have yet to disclose that they were breached. (That's likely to be divulged at trial and may never come to light if Gonzalez works out a plea bargain.)

And while he is accused—along with others—of having used POS networks as his own personal ATM machine, he's also being accused of breaking into actual ATMs (and trying to use them as his own personal POS system?).

(Editor's Note: There is a new story published that updates this one: J.C. Penney, Target Added To List Of Gonzalez Retail Victims. Gonzalez Agrees To Plead Guilty To Key Charges.)

The indictment—handed up Monday (Aug. 17) in Newark, NJ—offered a handful of new details about the breaches, but those disclosures brought more confusion. For example, 7-Eleven is a new name in the breach circle, and the indictment said that the $54 billion convenience store chain's POS network files were directly—and successfully—attacked. In August 2007, "7-Eleven was the victim of a SQL injection attack that resulted in malware being placed on its network and the theft of an undetermined number of credit and debit card numbers and corresponding card data," the indictment said.

But a statement that 7-Eleven issued on Tuesday (Aug. 18) tells a very different story. The 7-Eleven statement said that "affected transactions were limited to customers’ use of certain ATMs, owned and operated by a third party, located in 7-Eleven stores over a 12-day period from October 28, 2007, through November 8, 2007."

That's a key difference, given that third-party ATM data—from machines that essentially leased space from various stores—would never be in the possession of 7-Eleven. Could it be that the stolen data was only used on such machines? Seems unlikely. When the TJX indictments against Gonzalez were handed up exactly a year ago (August 2008), one unidentified major retail chain victim also spoke of ATM assaults.

Another numerical mystery created by the indictment involves Heartland. Heartland has been adamant that it has no idea at all how many cards were impacted by the breach. Monday's indictment gave the Heartland breach a very explicit number: 130 million. Said the indictment: "Beginning on or about December 26, 2007, Heartland was the victim of a SQL injection attack on its corporate computer network that resulted in malware being placed on its payment processing system and the theft of more than approximately 130 million credit and debit card numbers and corresponding card data."

Heartland on Monday issued its own statement, which in journalistic circles would be called a non-statement statement as it didn't actually say anything, except to congratulate the government for bringing the indictment. But Heartland Spokesperson Jason Maloni on Monday stood by the position that Heartland does not know the number of pieces of card data impacted. Asked how the government had figures that Heartland didn't have, Maloni referred to the government's number and said "We don't see what this is based on."

There's plenty of wiggle room for Heartland here, as the comments certainly do not dispute the government's figures.

The indictment lays out the rough means of attack that Gonzalez and three others used to access the retail databases. The others indicted on Monday with Gonzalez were identified solely as Hacker 1 and Hacker 2. (Wasn't that taken from an updated Cat In The Hat book?) There is also a coconspirator referenced, identified only as P.T.

There's an excellent chance that "PT" is actually Damon Patrick Toey, who pleaded guilty in December to working with Gonzalez on the TJX breach and strongly suggested to the sentencing judge that he was now working with the feds against Gonzalez. (Editor's Note: Gonzalez's attorney, Rene Palomino Jr., was quoted in a NYTimes story posted Wednesday (Aug. 19) confirming that PT was Patrick Toey and added that one of the unnamed Russian co-conspirators was Maksym Yastremski, who is currently serving a 30-year sentence in a Turkish prison. The Times story also quoted the attorney as saying that Gonzalez was about to plead guilty to federal cyber crime charges in New York and Massachusetts when New Jersey accelerated its indictment and, in effect, killed the plea negotiations.)

The attacks began with Gonzalez and others "reviewing a list of Fortune 500 companies," to identify targets that would likely have tons of credit card data on file. "It was further part of the conspiracy that Gonzalez and P.T. would travel to retail stores of potential corporate victims, both to identify the payment processing systems that the would-be victims used at their point of sale terminals and to understand the potential vulnerabilities of those systems. It was further part of the conspiracy that P.T. would also visit potential corporate victims’ websites to identify the payment processing systems that the would-be corporate victims used and to understand the potential vulnerabilities of those systems."

Other research: They tested their malware "against approximately 20 different antivirus programs."

They would create backdoors and install sniffers to "capture credit and debit card numbers, corresponding card data and other information on a real-time basis as the information moved through the Corporate Victims’ credit and debit card processing networks, and then periodically transmit that information to the coconspirators." The malware also erased some evidence of the attack, according to the indictment (and, for that matter, common sense).

One retail security expert, who agreed to discuss the indictment if neither her name nor employer was identified, said much in the indictment points out inherent weaknesses in PCI.

The back door approach used, a time-honored hacking technique for decades, is a red flag. "Being on the inside, these probably would have passed right through firewalls as the data would be travelling in the 'safe' direction. Also note that any gains a company would have from a password rotation scheme would be negated by the installation of a back door. My main point there is that password rotation schemes are not an effective defense, and shouldn’t be elevated to such by PCI or corporate 'security policies.' In any case, Hackers 2, PCI 0."

Another concern that she listed involved Heartland details. "The attackers installed sniffers to capture the traffic, they did not harvest data intentionally stored by Heartland on hard drives. PCI doesn’t say anything about encrypting data on private networks, only that you must protect stored cardholder data or encrypt data traveling over open, public networks. And the networks obviously have the business need-to-know, that’s what they do: carry data. That’s a three-point shot for the Hackers; Hackers 6, PCI 0."

She also questioned the PCI requirement to update antivirus software. There's no doubt it's a good thing to do, but she pointed to the indictment as evidence it won't block any serious attack. "The hackers coded their own malware and tested their code against 20 anti-virus programs (I didn’t even know there were 20 AV programs out there!) Of course custom code is not going to be recognized as viral, especially if it performs no viral behaviors," the expert said. "PCI says that you must regularly test security systems. These hackers dodged every bullet point of PCI. A test would (and probably did) prove nothing more than PCI-test-detectable breaches would have been detected. And finally, the hackers apparently didn’t feel compelled to comply with corporate security policies. Game, set, and match: Hackers 12, PCI 0," she said. "Yes, PCI compliance may have successfully defended Heartland against lesser attackers. But the bottom line is that Heartland could have been (and probably was) breached while being 100 percent PCI 1.1 compliant on all their points. The real observation here is that PCI DSS compliance was completely ineffective against these guys, no matter how the PCI guys spin it."
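The expert's point about sniffers on "private" networks is that card data PCI does not require to be encrypted in transit is exactly what a sniffer harvests. As an added illustration (not from the article, the indictment or any of the companies named), this Python check scans constructed internal-network payloads for Luhn-valid card numbers, the sort of audit a defender runs to confirm no cleartext PANs cross an internal segment; the payload format and store identifiers are made up for the example.

```python
import re

# Constructed sample payloads resembling an internal authorization link (not real
# captures): two cleartext PANs, one Luhn-invalid decoy, and one already masked.
SAMPLE_PAYLOADS = [
    b"AUTH|PAN=4111111111111111|EXP=1012|AMT=4500|MERCH=STORE-0042",
    b"AUTH|PAN=5500000000000004|EXP=0311|AMT=1299|MERCH=STORE-0042",
    b"AUTH|PAN=4111111111111112|EXP=1012|AMT=0100|MERCH=STORE-0042",  # fails Luhn
    b"SETTLE|PAN=411111******1111|AMT=4500|MERCH=STORE-0042",         # masked
]

# 13 to 19 consecutive digits not adjacent to other digits: candidate PANs.
PAN_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: the check a real card number must pass (filters decoys)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_cleartext_pans(payload: bytes) -> list:
    """Return Luhn-valid PANs that appear unmasked and unencrypted in one payload."""
    return [m.decode() for m in PAN_RE.findall(payload) if luhn_ok(m.decode())]


def mask(pan: str) -> str:
    """Keep first six and last four digits, as a report should (never log a full PAN)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_segment(payloads) -> dict:
    """Map each exposed PAN (masked for reporting) to how many payloads leaked it."""
    hits = {}
    for p in payloads:
        for pan in find_cleartext_pans(p):
            hits[mask(pan)] = hits.get(mask(pan), 0) + 1
    return hits


if __name__ == "__main__":
    for masked, n in scan_segment(SAMPLE_PAYLOADS).items():
        print(f"cleartext PAN {masked} seen in {n} payload(s)")
```

An empty result from `scan_segment` on live captures is the evidence that encryption in transit is actually in place; any hit is exactly what a sniffer on that segment would have collected.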

Another security expert—and one who doesn't mind in the slightest if we quote him by name—is Mark Rasch, the former head of the U.S. Justice Department's high-tech crimes unit and today an attorney specializing in data security cases.

Rasch thought one of the more interesting takeaways from this case is the fact that Gonzalez had served as a confidential informant to the U.S. Secret Service and, indeed, started these cyber attacks while still working for the feds. He extrapolates from that advice for IT executives looking to use cyber thieves—and supposedly former cyber thieves—to test their network security.

"One of the things about confidential informants is that, by their nature, they have knowledge of criminal activity. Most have knowledge because they were involved in criminal activity and have demonstrated that they're really not trustworthy, particularly computer hackers who occupy a netherworld. They run the gamut from black to gray. This guy was really a dark grey and relatively untrustworthy. He was also what I would call amoral. Not immoral. He does not have a value system where he thought it wrong," Rasch said. "What we're going to see more often is confidential informants who are doing undercover work for the FBI, hacking for the government. This is the same philosophy that teaches you why you should never hire hackers to do tests of your system. They are not trustworthy."

Another security expert, albeit one who works for an encryption vendor, said a major concern for him was the fact that two and potentially three major retail chains have still yet to disclose data breaches from a year or more.

"Companies have a duty of care for their customers’ information that does not end at the swipe of a credit card. Some states have recognized and legislated that the loss of a customer’s personal data must be disclosed. To do anything else simply leaves that person open to more losses," said Richard Wang, a manager with Sophos Labs US. "A culture of secrecy leads to underestimation of the problem, lack of response and therefore makes data breaches more likely in future, not less."

"I think that the fact that we’ve gotten two years past the breach and to an indictment, and some of the retail players are still not revealed exposes the weaknesses in consumer protections and why breach disclosure laws--like in Massachusetts--get continuously watered down while they wait in legislative purgatory," Wang said. "At issue in my mind is the conflict between the general feel-good concept of corporate and government transparency, and a sorry lack of actual accountability."