Federal authorities have charged a previously indicted hacker with breaching additional corporate computers and stealing data for at least 130 million credit and debit cards, the biggest identity theft case ever prosecuted in the United States. Albert "Segvec" Gonzalez and two unnamed Russians were indicted on Monday for attacks …
Why are these companies hosting their own web sites? The surest way to cut off that mode of attack is to pay someone else to physically host your web site (including its online store) completely separately from your corporate network.
Should have been indicted for 130 M counts of identity theft. If they penalty was one hour in prison for each count, he'd be looking at 14,840 or so years. I bet he'd give up Hacker 1 and Hacker 2 for a reduction to, say, 1000 years.
Too bad drawing and quartering has gone out of fashion.
NB. I was one of the TJX victims. No money lost, but do you have any idea how many places you have that card information stored?
"The alleged perpetrators worked hard to cover their tracks, according to the indictment. In addition to using proxy servers that masked their real IP addresses"
Please correct me if I am wrong, but wouldn't breaching those servers and collecting/selling the data via different wifi hotspots (McD's, coffee shops, poorly secured domestic AP's), from several different locations/cities, as well as going through proxies in countries that are let's say unsympathetic to the US have made it just about impossible to trace?
I am not an accomplished nor clever hacker but I think I could avoid detection.
Re: AC Huh?
Sometimes it's just not that easy. For multi-channel organisations, a lot of the information the web site needs is stored or calculated somewhere in the backend. An example might be a complex financial services quote engine that sits on an old mainframe; or a telco that offers online billing. You can't easily replicate the algorithms, or do nightly batch updates if real-time information is required.
What /should/ be happening (and PCI DSS requiring) is that all web servers sit in a DMZ, and that any system storing or processing card data is segregated from the rest of the network.
Sadly, PCI DSS is a little ambiguous, and organisations can be lazy in maintaining their implementation (despite annual audits). In the cases above, TJX where not PCI DSS compliant, while Heartland were.
Dan Goodin Have you every seen the PCI DSS?
"Monday's indictment is likely to revive criticism that so-called PCI DSS, or payment card industry data security standards, are an ineffective means of preventing modern attacks against servers containing sensitive card data."
Complete crap from somebody who doesn't know what he's talking about
Section 6.5.2 of PCI DSS specifically mentions removing injection flaws in webservers and 11.2 requires external scanning to test for flaws including SQL.
The PCI DSS is far from perfect but at least get your facts rights.
The problem is obviously that the QSA was negligent and didn't ensure that the systems had been tested accordingly.
I know our acquiring bank insists on seeing vulnerability free scans from our ASV every quarter.
"Heartland executives have said repeatedly that their systems were in full compliance with the rules"
Obviously they meant to say was "... except for requirement 6.5.2 which explitly makes us validate user input to protect against injection flaws in our code...."
How come this is always blamed on the PCI DSS? The standard is fine.... some of the 'Qualified' Security Assessors maybe less so..... one recently asked me if I could make all the router ACLs filter by MAC address on the clients network :S
Also @AC 21:27.... WTF? Where their kit is hosted is nothing to do with how their code is written. And there is nothing inherintly less secure about hosting in your own datacentre (or colo space) on you kit compared to someone elses.... can be more secure as your not exposed to the chance that the 3rd party are muppets.
My thoughts exactly.... spoof a different mac address on each network, pass it through a few oversees proxies (that don't insert REMOTE ADDRESS or VIA headers) and I would think it would be next to impossible to trace.
However, as he was already known to them, it's more likely that his activities came to their attention some other way. He certainly wouldn't be the first crim to come unstuck due to an unrelated mistake.
Indictment Available Here
I have the full indictment available as a PDF in a link at the bottom of my blog post if you want to read it.
- Product Round-up Smartwatch face off: Pebble, MetaWatch and new hi-tech timepieces
- Geek's Guide to Britain The bunker at the end of the world - in Essex
- FLABBER-JASTED: It's 'jif', NOT '.gif', says man who should know
- If you've bought DRM'd film files from Acetrax, here's the bad news
- Microsoft reveals Xbox One, the console that can read your heartbeat