crime reduction

Is it just me or did anyone else find it strangely ironic that President Obama appointed Howard A. Schmidt as national cybersecurity coordinator on the same day that the Wall Street Journal uncovered a massive hacker attack on Citigroup that allegedly resulted in the loss of tens of millions of dollars?

Maybe they were waiting for the guy to sign on the bottom line before they dropped that bomb on him. Talk about responsibility.

In case you missed the Citigroup story, the bank is denying the report and any losses, but the Journal is sticking by its story.

Citing anonymous government officials, the Journal reported that the hackers were connected to a Russian cyber gang. Two other computer systems, at least one of connected to a U.S. government agency, were also attacked ... The Journal reported that the attack on Citigroup's Citibank subsidiary was detected over the summer, although it may have occurred up to one year earlier. The FBI, the National Security Agency, the Homeland Security Department and Citigroup worked together to investigate the attack.

But apparently, Internet attacks on banks are very common (which isn't surprising since, well, that's where the money is), says Tom Kellermann, a former senior member of the World Bank's Treasury security team and now vice president of security awareness for Core Security Technologies.

"Ninety-eight percent of bank heists are now occurring virtually and not in the real world," he said, adding that the industry is "hemorrhaging funds" as a result.

Hemorrhaging funds, huh? That's never a term you want to hear, in any context, really.

And the worst part is that even if the government or a corporation is able to identify and catch these hackers, it's really hard to punish them. For example, Albert Gonzalez, the infamous hacker who stole 130 million credit cards from various retailers, card processing companies, a series of foreign banks and a brokerage house has agreed not to be sentenced to less than 17 years in prison, which frankly is a pretty darn good deal, right?

I guess he was quite cooperative with authorities (including telling them where he buried the $1.1 million in his parent's backyard). Perhaps this new Schmidt fella should just acknowledge right off the bat that the government has neither the people nor the resources to adequately fight off these hacker attacks and just give Gonzalez a job to pass the time.

Just read an article from Wired about Albert Gonzalez pleading guilty last week to orchestrating the largest computer hacking crime in U.S. history. During his trial, Gonzalez told prosecutors that he, along with at least two other Russian accomplices, breached at least four card processing companies, a series of foreign banks, a brokerage house and several retail store chains. Among these retailers includes TJX, Hannaford Bros, BJ’s Wholesale Club, 7-Eleven, Dave & Busters restaurant chain, and at least two other national retailers that haven't been named. Altogether, he is responsible for stealing more than 130 million credit cards.

While he is currently awaiting sentencing (scheduled for Dec. 21) it is expected that he will only receive between 15 to 25 years in prison, despite the fact that he is eligible for life imprisonment. Apparently, he's bee quite cooperative with prosecutors about identifying others involved in this breach:

The document reveals that six months after his May 2008 arrest, Gonzalez located and provided prosecutors with the “complicated” and “lengthy” password to decrypt his laptop, which contained “a vast array of historical data and communications” that helped the government indict other members of Gonzalez’s team, and could be used in future search warrants. It also reveals that Gonzalez drew prosecutors a map that helped them find more than $1.1 million that he had buried in his parents’ backyard.

I guess burying dough in your parents yard is really one of your only options when you have that kind of cash on hand. I sure hope law enforcement remembered to check his mattress.

While this is certainly a massive breach of IT security, how much of this should concern physical security folks? As IT and physical security departments continue on this road to convergence (in which there's no turning back, I'm afraid), I would say more and more physical security professionals are going to have to be proficient in the vulnerabilities of both aspects of security. As a matter of fact, I think the security professional of the future may even have, let's say, a degree in computer science over criminal justice? That's pure speculation on my part. Apparently, Gonzalez wants to help corporations protect themselves, against, well, people like him:

“Gonzalez made complete disclosure of information ranging from how weaknesses in the corporate security systems were identified, how data was exported from the companies, how it was stored on foreign servers in the Ukraine and Latvia, how stolen data was de-encrypted and by whom, how profits were received via web-currency, who was involved in the flow of currency, and the identities of two persons who were used as couriers of money to Gonzalez,” according to the document.

By identifying intrusions that “had not yet been detected,” his lawyer wrote, Gonzalez helped the companies institute protective measures to secure their data and prevent future breaches.

And, as a side note, the only reason there is so much information about the details of this case is because someone improperly redacted the sentencing document. This inability to properly redact information is apparently becoming a trend.