Everything That Can Go Wrong

Robert Novak, the longtime Washington columnist and pundit who died recently, famously said, "Always love your country - but never trust your government."

His caution about lack of trust referred to sinister motives, I think, but sometimes it seems our government is just inept. That rings true with the recent indictment of former Secret Service informant Albert Gonzalez, 28, now infamous as the mastermind behind the attacks that harvested more than 130 million credit and debit card numbers from Heartland Payment Systems, 7-Eleven, Hannaford Brothers, and others. It seems Gonzalez became a Secret Service informant around 2003, as part of the FBI's takedown of Shadowcrew. At the ripe old age of 22 he was trusted to recruit Shadowcrew members to join his VPN, which was monitored by Federal agents, and reportedly resulted in the arrest of 28 other hackers.

The same sources say Gonzalez was a double agent of sorts, tipping off some hackers to help them avoid the trap. When that operation was wrapped up, Gonzalez was given the green light to return to honest society. Did the Feds really think they'd scared him straight, that he'd get a computer science degree from Yale and go on to work at IBM or Microsoft?

That he was allowed to continue his life of crime for another few years, cruising Miami in a BMW and carrying a Glock, while costing companies hundreds of millions of dollars, is outrageous.

Similarly outrageous is that Gonzalez was able to cherry-pick companies off the Fortune 500 list and use a relatively simple SQL injection attack to worm into their networks and place the malware that yielded the payday he and his cohorts were after. This attack wasn't new; the first paper on SQL injection was published in 1998. Remember CardSystems? That company went out of business after a SQL injection attack led to its massive breach in 2005.

"It's definitely a huge problem, it hasn't gone away, and isn't going to go away. There's a whole lot of code to be fixed," says Jeremiah Grossman, founder and CTO of WhiteHat Security, noting that WhiteHat finds SQL injection vulnerabilities in just under 20 percent of the Websites it scans.

Even on the site of one of the world's largest payments processors? SQL injection flaws are fairly easy for decent application scanners to spot, begging the question why Heartland's wasn't. Was it found and ignored, or not found at all?

Two wrongs don't make a right - it's tough to fathom how the Secret Service let Gonzalez ride after they were done with him, and how these companies' auditors missed relatively simple SQL injection flaws - but the aftermath of the breach has had some positive effects. Heartland is piloting the end-to-end encryption topology that CEO Robert Carr promised after the breach, an advance significant enough to earn it the top spot on BTN's list of must-have security innovations (p. 20). Let's hope the rest of the industry learns these lessons the easy way.
