Security Watch

Prisoner's Appeal

Albert Gonzalez, the convicted mastermind behind many of the major payment data breaches reported in recent years, has a new excuse: He claims he had the government's permission.


Gonzalez was an informant for the Secret Service during the time he broke into the networks of retailers such as TJX Cos. Inc. Though he did not have explicit permission to do so, Gonzalez argued that he had to conduct the breach to maintain a high enough profile among fellow hackers to collect useful information as an informant, the retail news site StorefrontBacktalk reported April 13.

Mark Rasch, StorefrontBacktalk's legal columnist, said that Gonzalez is attempting a public authority defense, wherein suspects argue that they believed what they were doing was legal because a government official told them it was legal.

Gonzalez's filing does not demonstrate, however, that the government gave him explicit permission to hack into TJX or the other retailers.

Gonzalez also argued that some of the evidence used against him was obtained through torture by a Turkish police investigation of another suspect. The article notes that this contradicts the public authority defense, in that it suggests the Secret Service would not have known of Gonzalez's activities — the ones he is arguing that they authorized — without this evidence.

"There is another possible explanation for these legal maneuvers," the article said. "Gonzalez has plenty of time on his hands, and being transported to various courtrooms to make arguments is a lot more interesting than sitting in prison waiting for the years to pass."

Guilty Plea

Lin Mun Poo, the man accused of hacking into Federal Reserve computers and of stealing thousands of credit card numbers last October, pleaded guilty last Wednesday to one count of fraud in federal court in Brooklyn, according to a story Reuters published April 13.

Poo, of Malaysia, is being held in Brooklyn.

Within hours of his arrival last fall, authorities observed him selling stolen credit cards for $1,000 in a Brooklyn restaurant. A search of his laptop revealed more than 400,000 encrypted, stolen credit and debit card numbers.

A spokeswoman for the Federal Reserve Bank of Cleveland said Poo hacked into 10 test computers and did thousands of dollars in damage, though no data was stolen from the computers, Reuters reported. Prosecutors have also accused Poo of hacking into the computers of a Department of Defense contractor that manages military transport operations.

Poo will be sentenced Sept. 13, and faces up to 10 years in prison.

Late Arrival

GlaxoSmithKline PLC said it too was affected by the breach at Alliance Data Systems Corp.'s marketing business Epsilon, weeks after many other companies disclosed their involvement.

Glaxo said this past weekend that the email addresses and names of consumers who registered with its websites were exposed, The Wall Street Journal reported Monday. A spokeswoman would not tell the paper which websites were affected.

Fraudsters could use the stolen data to create convincing spoofed emails representing Glaxo or another company, requesting more sensitive information, such as Social Security numbers.

Glaxo, a maker of prescription and nonprescription drugs, warned that any phishing attacks resulting from the exposure may name specific drugs that consumers registered online to learn about.

Many banks and major retailers were affected by the Epsilon breach, which Alliance Data disclosed April 1.

Most of the companies that have reached out to their customers about the breach did so within days of the original Epsilon disclosure.

Botnet Bust-Up

U.S. officials have taken control over a botnet used to steal data from infected computers — and issued a command to shut it down.

The action from the Justice Department is the first instance of a U.S. agency requesting permission to take control of a botnet, though it has been done before by Dutch officials, CNET News said in an April 13 article.

Coreflood malware is a keylogger that steals usernames, passwords, and other sensitive information, such as banking details.

Coreflood has infected more than 2 million Windows machines worldwide over the past decade, the article said.

Prosecutors say the data it stole from infected machines can be used to hijack an online banking session and send instructions to transfer funds to a foreign account.

The temporary restraining order obtained by U.S. officials allowed them to send commands to the infected machines, knocking out the malware and preventing further data and funds from being stolen.

The government is working with Internet service providers to allow end users a way to opt out of this process if they do not want the government to send instructions to their computers. The government also stressed that it is not accessing any personal information stored on the infected machines, the article said.

Big Deposit

A teen who expected to get a big payout from breaking into an ATM must instead pay $2,166.87 in restitution.

Dakota L. Grimsled, 18, of Wisconsin Dells, pleaded no contest to a felony charge of theft as party to a crime, the Portage Daily Register reported April 17. The crime took place early last year.

In one incident, Grimsled and an accomplice broke into the JustAGame Fieldhouse at 3:30 a.m. through a door they had unlocked during business hours, the paper said. They cracked an automated teller machine using a crowbar, removing $3,000. They took an additional $200 from a safe and another $200 from the company's cash register.

Police later recovered the stolen cash as well as the crowbar and other implements used in the burglary.

Grimsled was sentenced to pay restitution and serve two years' probation for the incident. His suspected accomplice, Boris Milicevic, 19, is scheduled for a jury trial Aug. 11.

Security Watch is a weekly roundup of news and developments in data security and their impact on financial services companies.
Please e-mail us any comments, ideas, and suggestions about this column.

