Since his indictment for allegedly stealing personal data from 170 million credit and debit card accounts, the federal government has made 28-year-old Albert Gonzalez out to be a hacker genius.
I don’t blame the U.S. Secret Service for portraying Mr. Gonzalez, already in federal custody on a May 2008 indictment, as a computer prodigy. If I were the agent in charge of the Gonzalez case, I’d try to pass him off as a genius too. How else could I explain how one of my agency’s former informants continued to break into corporate networks right under my nose?
The feds aren’t the only ones trying to build Mr. Gonzalez up as a hacker extraordinaire. In an Aug. 20 Associated Press story, Miami-based computer security expert Sean Arries called Mr. Gonzalez the “Tony Montana of credit card theft.”
Really? I’d say Mr. Gonzalez is more akin to David Lightman, the young, underachieving hacker portrayed by Matthew Broderick in the 1983 film “WarGames.” Lightman was no genius. He just had a basic understanding of how computer networks worked and exploited their weaknesses using readily available software.
That’s exactly what Mr. Gonzalez allegedly did, according to the Aug. 5 indictment filed in the United States District Court for the District of Massachusetts. Here’s a breakdown of his alleged less-than-innovative methods for stealing people’s credit card information:
· Wardriving – A technique in which hackers drive through different areas with a laptop, searching for vulnerable wireless networks. Retailers and restaurants are the preferred targets. Ironically, wardriving was derived from the term wardialing, which comes from “WarGames.” Wardialing involved searching for computer systems to connect to using software that dialed phone numbers sequentially to see which ones were answered by a fax machine or computer.
· Malware – Mr. Gonzalez allegedly purchased malware from known hacker sites, then logged onto the unprotected wireless networks and installed it. The malware sniffed those networks for credit card data. Once he had captured the data, Mr. Gonzalez allegedly tried to sell it.
· Zombies – Mr. Gonzalez allegedly used commonly available scripts to locate Internet-connected computers that were unprotected against third-party use. These zombie computers were allegedly co-opted into receiving reports from the sniffer programs about the credit card transmissions they captured.
Big deal. I, and many, many others, could have done the same thing with minimal effort. It’s what we in the e-discovery and computer forensics industries call “script-kiddie” stuff. Sophisticated hackers write their own scripts and malicious code. Script kiddies use readily available code. All it requires is the will to do it, and the payment card industry’s continued refusal to lock itself down. In most cases, Mr. Gonzalez allegedly targeted unencrypted, insecure and poorly patrolled data transmission streams.
The indictment also alleges that Mr. Gonzalez, known in the online world as “soupnazi,” was part of an international conspiracy. However, that claim is misleading in that it lends more import to Mr. Gonzalez’s alleged exploits than they deserve. The zombie computers allegedly used in the execution of these crimes were connected to the Internet, which is global in nature. It’s no surprise that some of these alleged zombies were located in Latvia, the Ukraine and the U.S. Mr. Gonzalez shouldn’t be given any extra “hacker cred” for allegedly using zombies.
Law enforcement spent years and no doubt millions of dollars tracking down what turned out to be a well-known player who was moonlighting as a Secret Service informant. Yet there are common methods already in use by the e-discovery and computer forensics industries that could easily have allowed for Mr. Gonzalez’s capture.
The Associated Press reports that Gonzalez lived a lavish lifestyle that included throwing a $75,000 birthday party for himself and buying a $118,000 one-bedroom condominium in Miami in 2005.
When he was arrested on May 7, 2008 on unrelated federal charges, he was staying with his girlfriend at the National Hotel in swanky South Beach. Agents seized two computers, $22,000 in cash and a Glock 9 handgun.
If that lifestyle extended to his car, chances are that the vehicle has a built-in GPS system. Auto systems typically record many thousands of miles of driving activity, which can then be mapped to connect a suspect to unlawful conduct known to have been perpetrated at specific times and places.
Along the same lines, wireless carriers keep records of their customers’ mobile phone usage. Law enforcement has used such data for years to triangulate the time and location of calls made by suspects, an increasingly accurate method for tracking them down. I find it hard to believe that a 28-year-old, tech-savvy man like Mr. Gonzalez never used a mobile phone.
Other sources of evidence would also exist. Drafts and shadow files would be on his computers. IP addresses associated with known hacker sites could be gleaned from his computer, router and Internet service provider. His alleged victims’ computers would also hold evidence about the malware and sniffer applications he allegedly used to infiltrate their networks, such as install dates and times and incoming IP addresses.
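The two evidence sources just named, install timestamps on the victims’ machines and address records held by an Internet service provider, are only useful together: a dynamic IP address changes hands, so the address alone identifies no one until it is matched against the assignment record that covered the exact moment of the event. The following is an added illustration of that correlation step; it is not code from this article or from any real investigation, every host name, IP address, subscriber account and record layout in it is constructed for the example, and the field names are assumptions rather than any ISP’s actual export format.

```python
"""Correlate victim-side intrusion events with ISP address-assignment
records to determine which subscriber account held a source IP at the
time of each event.

Added example for the evidence sources described in the article; not
code from the article or any investigation. All hosts, IPs, times and
account names below are constructed. Record layouts are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple

UTC = timezone.utc


@dataclass(frozen=True)
class VictimEvent:
    """One artifact recovered from a victim system: when a sniffer was
    installed or connected out, and the remote IP address involved."""
    host: str
    when: datetime
    remote_ip: str
    note: str


@dataclass(frozen=True)
class LeaseRecord:
    """One ISP dynamic-address assignment: the IP, the window during
    which it was held (end is exclusive) and the subscriber account."""
    ip: str
    start: datetime
    end: datetime
    subscriber: str


def attribute(event: VictimEvent, leases: List[LeaseRecord]) -> Optional[str]:
    """Return the subscriber that held event.remote_ip at event.when, or
    None when no lease covers that instant. The time window must match:
    the same dynamic IP is reassigned over time, so an IP by itself is
    not an identity."""
    matches = [
        lease.subscriber
        for lease in leases
        if lease.ip == event.remote_ip and lease.start <= event.when < lease.end
    ]
    if len(matches) > 1:
        # Overlapping leases for one IP mean the ISP export is inconsistent;
        # an analyst must resolve that rather than pick one silently.
        raise ValueError(f"overlapping leases for {event.remote_ip}")
    return matches[0] if matches else None


def build_timeline(
    events: List[VictimEvent], leases: List[LeaseRecord]
) -> List[Tuple[datetime, str, str, Optional[str], str]]:
    """Chronological rows of (time, host, remote_ip, subscriber, note),
    with subscriber set to None where attribution is not supported."""
    rows = [(e.when, e.host, e.remote_ip, attribute(e, leases), e.note) for e in events]
    return sorted(rows, key=lambda row: row[0])


# Constructed sample data (documentation-range IP, invented hosts/accounts).
EVENTS = [
    VictimEvent("pos-terminal-03", datetime(2007, 3, 12, 2, 14, tzinfo=UTC),
                "198.51.100.7", "sniffer service installed"),
    VictimEvent("store-gw-01", datetime(2007, 3, 12, 2, 40, tzinfo=UTC),
                "198.51.100.7", "outbound connection to collection host"),
    VictimEvent("pos-terminal-03", datetime(2007, 3, 19, 3, 5, tzinfo=UTC),
                "198.51.100.7", "sniffer configuration updated"),
]
LEASES = [
    LeaseRecord("198.51.100.7", datetime(2007, 3, 11, 22, 0, tzinfo=UTC),
                datetime(2007, 3, 13, 22, 0, tzinfo=UTC), "ACCT-0001"),
    LeaseRecord("198.51.100.7", datetime(2007, 3, 13, 22, 0, tzinfo=UTC),
                datetime(2007, 3, 18, 22, 0, tzinfo=UTC), "ACCT-0002"),
]

if __name__ == "__main__":
    for row in build_timeline(EVENTS, LEASES):
        print(row)
```

The third constructed event deliberately falls after the last lease record for that address: it shares an IP with the first two, yet the function attributes it to nobody, which is the result an examiner should expect whenever the provider’s records do not cover the moment in question.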
I’m also guessing Mr. Gonzalez had numerous credit cards that he used to purchase those alleged malware and sniffer programs. Or, perhaps he had a PayPal account. Either way, there would be data proving he made those purchases.
In the latest federal indictment, prosecutors allege that Mr. Gonzalez worked with two Russian co-conspirators. They describe him as the operation’s ringleader. However, I happen to agree with James Lewis, a senior fellow at the Center for Strategic and International Studies.
“It’s relatively common in these crimes for the masterminds to live overseas and have a partner in the United States,” Lewis told the Associated Press. “At the end of the day, Gonzalez was the bagman.”
The lesson here is simple: Credit card companies are so focused on storage security that they’ve neglected their efforts to lock down data transmission streams, which hackers now target in increasing numbers.
Eric P. Blank is the founder and managing attorney of Blank Law + Technology PS. His practice focuses on electronic discovery counseling, e-security response planning and implementation, investigations and computer forensics. Mr. Blank has conducted more than 300 investigations into computer and software-related torts and employee misconduct since 2001 and has frequently been a court-appointed special master or neutral in e-discovery matters. He is also a former Washington, D.C. police officer.
If what he did was so easy, why are you not on the news?
Posted by: PPP | June 03, 2010 at 01:09 AM
Hi, I must admit that this blog on is really nice. Though paragraph 1 is introductory, the thing I liked most about it is the conclusion. You have concluded in an unbiased way, presenting the facts about.
Posted by: Francis | July 14, 2010 at 02:45 AM
I appreciate your honest post here on . As hard as it is to believe, it is possible you overlooked the few things in question. It would appear it has become a little out of hand with so much information to manage about . As an experienced person of nearly 15 years, I must say I totally agree with you on .
Posted by: Francis | July 15, 2010 at 03:58 AM
Absolutely, you are honest. You have done so many things but you didn't come on the news. Why? But I would simply say that the man is really a genius; if he had used his art for a good deed he would have achieved so many things.
Posted by: Software Testing Services | July 15, 2010 at 08:15 AM