Retired Cryptocloud forum

 The long arm of (Amerikan) law... {Ars Tech}

Posts : 57
Join date : 2012-08-04

PostSubject: The long arm of (Amerikan) law... {Ars Tech}   Sun Aug 05, 2012 5:46 pm

Quote :
No safe haven: the global Secret Service hunt for three hackers
Dave & Buster's hack leads agents from Turkish jail to Dubai "sneak-and-peek."

by Nate Anderson- July 31 2012, 6:00pm PDT

Dave & Buster's store #32 in Islandia, New York—a restaurant and electronic funhouse for adults—seemed an unlikely target for an international credit card theft ring. Certainly no patron drinking beer and shooting miniature basketballs into a miniature hoop expected their credit card data to end up inside an encrypted Latvian server, waiting to be sold off to international criminals who would ring up more than $600,000 in charges on the cards. But that was because no patron knew anything about the Estonian hacker Aleksandr "JonnyHell" Suvorov.

On May 18, 2007, Suvorov electronically entered the point of sale (POS) server at store #32. Every Dave & Buster's has a POS server, which vacuums up all the credit card data collected by each store's credit card swipe terminals and relays it upstream to a payment processor for verification and approval of the transaction. With full access to the server, Suvorov had no trouble installing a customized bit of code called a packet sniffer, and the program promptly turned its digital nose upon all traffic flowing into and out of the server. The sniffer used this privileged position to find and extract from the data stream the key "track 2" data—numbers and expiration dates, but not names—from every credit card used in store #32, saving it to a local file creatively named "log" for later retrieval.

Suvorov didn't hack his way in, exactly—he actually had the proper credentials for the POS server. He had obtained them by hacking a bit further up the credit card food chain and breaking into servers run by Micros, maker of the POS system used at Dave & Buster's. Inside the Micros system, Suvorov had found a file which he hoped would make him rich: it contained access information for POS systems deployed at Micros client locations, including Dave & Buster's.

Even with easy access to Dave & Buster's POS servers, Suvorov ran into difficulties; the sniffer, it turned out, was not a perfect piece of code. The sniffer had come from a young Miami man, Albert Gonzalez, who was at the time running one of the largest commercial hacking crews in US history. Gonzalez provided a sniffer that he had used for other jobs, and Suvorov first deployed it in a test run at the Dave & Buster's location down the Eastern seaboard in Arundel, Maryland. It failed to capture any track 2 data at all. After getting the code fixed, Suvorov tried again and expanded to 11 Dave & Buster's in May 2007—including store #32.

This time, the sniffer worked, grabbing credit card data as intended, but it now showed another flaw: it failed to restart itself any time the POS server rebooted. Fixing the problem appears to have been too much trouble for Suvorov. Instead, he simply logged into the Dave & Buster's POS servers every few months, grabbed the existing "log" files, and moved them to an encrypted Latvian server. Then he manually restarted his sniffer.

By September, Suvorov had collected nearly 5,000 credit cards from store #32 alone—and many thousands of more card details from the other stores. He compiled the card numbers into a database and sold his list for $25,000. Easy profit.

Suvorov hailed from Sillamäe, a small resort town of just 16,000 on the northeastern border of Estonia. Only 23 years old, he had never been to college, but who needed college when profits could be had so easily? Suvorov was already a veteran at running card numbers. He had partnered with a Ukrainian named Maksym "Maksik" Yastremskiy, and the two became highly specialized middlemen: they bought up databases of stolen credit card numbers from people like Gonzalez for a few thousand dollars apiece, then found buyers before the numbers became useless. In late 2006, for instance, Suvorov and Yastremskiy tried to sell a list of 160,000 credit card numbers to a San Diego man who had approached them through the Internet's darker back alleys. In the end, the man only had the cash to buy 6,798 credit card details—for which Suvorov and Yastremskiy charged him $10,000.

The pair had done well for themselves; Yastremskiy alone was alleged to have earned $11 million in revenue from his card-fencing activities. But by virtue of doing well, they attracted the attention of some people they must have thought could never reach them: the US Secret Service. And the Secret Service was very interested. The agency had been running a three-year undercover operation called "Carder Kaos" to bag people like Gonzalez, Suvorov, and Yastremskiy, whose hacking and fencing had achieved record levels of US-based fraud. For instance, who was that San Diego man who paid $10,000 for the card numbers? A Secret Service agent.

Had Suvorov known about the pursuit, he might have considered a move to Russia, whose border was only a few miles from Sillamäe. (The Russian Constitution forbids the extradition of its citizens). But, flush with his earnings, Suvorov indulged in a March 2008 vacation to Indonesia, with a stopover in Germany. He was promptly arrested in Frankfurt by the German Federal Police acting on a US warrant.

Suvorov spent much of 2008 in a German jail, awaiting an extradition hearing, and he might well have spent his nights pondering just how many US government resources had been expended to track him down: Secret Service investigations, undercover agents, federal lawsuits, international warrants, extradition requests. But government resources go far deeper still, as his co-conspirator Yastremskiy found out the hard way.

A little "sneak-and-peek"

In 2006, the year before the Dave & Buster's break-ins began, a Secret Service team was already on Yastremskiy's tail, and they weren't about to let a little geography stop them. In June 2006 agents arrived in Dubai, where the peripatetic Yastremskiy had traveled. Yastremskiy himself was not the team's immediate goal—at the moment, they wanted only his Lamborghini-branded PC with a Cyrillic/English keyboard. On June 14, the Secret Service accompanied United Arab Emirates officials on what the US government would later call a "sneak-and-peek search" of Yastremskiy's hotel room.

Waiting until Yastremskiy was out, the team accessed his room and imaged his laptop's hard drive. The main contents of the drive were encrypted, however, hidden inside a container called "New PGP Disk1.pgd." The agents left with their disk image, restoring the laptop to the room and leaving no trace of their presence. They couldn't immediately make use of the encrypted image, but who knew what secrets it might spill down the road?

The investigation continued. Yastremskiy continued his work with Suvorov. The men sold their $10,000 in credit card numbers to an undercover agent, but the US government took no action. In 2007, apparently fed up with simply purchasing credit card numbers from hackers, Yastremskiy and Suvorov decided to acquire them more directly and the Dave & Buster's break-ins became their latest endeavor. As the group began exfiltrating the card data for sale, the Secret Service investigation had reached a point at which the agency was ready to act. They obtained a provisional arrest warrant from a federal judge in southern California and took it to the Turkish National Police (TNP), since Yastremskiy had left Dubai for a visit to Turkey.

The TNP was happy to help. Secret Service agents arrived in Antalya, Turkey during late July 2007 and followed a protocol much like the one from Dubai. On July 25, TNP officials entered Yastremskiy's hotel room when he was out and snatched the Lamborghini computer, again. They took it across the hall to another room in which the Secret Service team waited. This time, instead of making a complete image, the agents opened the machine and snapped photos of its login screen, which displayed the username "Mars"—everything appeared identical to the machine they had "sneaked-and-peeked" at back in Dubai.

The next day, the TNP arrested Yastremskiy on the US warrant. What was Yastremskiy doing in Turkey in the first place? Secret Service agents had arranged the meeting there, convincing Yastremskiy they wanted to make a big buy.

But rather than extradite Yastremskiy, the Turks discovered an interest in his fraudulent ways and decided to prosecute him locally. (He had apparently gone after many Turkish banks.) This meant the existence of two parallel investigations into the man's activities, and that meant two parallel attempts to break into his laptop. On July 30, a TNP forensic examiner back in Ankara provided the Secret Service with a complete image of the laptop's hard drive—again, mostly made up of an encrypted volume—and each side went to work.

The Turks physically had Yastremskiy, so they decided to see if he might simply tell them the password—and he did, just days after his arrest. Why? Suvorov's lawyers would later claim darkly that the entire episode surrounding Yastremskiy's password revelation "shocked the conscience"—but this was speculation. US lawyers offered no opinion about why Yastremskiy had revealed his password except to note that US defendants also did so, usually as a way to reduce criminal sentences.

But security researcher Chris Soghoian talked to four people who listened to a private presentation by Howard Cox, a Department of Justice official, back in 2008. Cox allegedly joked that leaving a suspect alone with Turkish police for a week might be a good way to get them to reveal a password. The Turkish Embassy to the US eventually responded, saying that "Maksym Yastremskiy has not filed any complaint for being subject to ill-treatment or police violence or brutality. The medical reports issued by the Turkish forensic medicine clearly state that no signs of physical harm have been detected on his body."

However they acquired the 17-character password, the Turks and Americans took very different approaches to using it. The Americans went through a detailed forensic process on the drive image, with Secret Service Agent Stuart Van Buren needing an entire month "to undertake a lengthy and difficult process to make the Yastremskiy Image readable and searchable," due to the encryption.

The Turks simply turned on Yastremskiy's laptop and entered the password, then began viewing files. (Forensically, this might create all sorts of problems by altering "last accessed" dates and opening the entire laptop's evidence to charges that material had been planted). US lawyers were later diplomatic about the differences, calling it "a different approach than the USSS may have used." Yastremskiy's computer evidence eventually pointed to both Suvorov and Gonzalez as co-conspirators.

Despite a US extradition request, Yastremskiy was charged with a host of violations of Turkish law and sentenced to 30 years in prison there—where he remains today.

Now it was time to bring in Gonzalez.

Sniff, sniff

At the center of the Dave & Buster's hack was the packet sniffer that actually secured the credit card information. When Suvorov and Yastremskiy decided to get into the direct hacking game, they had no reason to reinvent the wheel. Yastremskiy reached out to Miami resident Albert "Segvec" Gonzalez, a twenty-something from whom he had previously purchased stolen credit card databases, and asked about obtaining a customized sniffer for the Dave & Buster's POS system.

Gonzalez had not gone much beyond a high school education, doing only a single semester at Miami Community College before withdrawing, but he had an obsessive streak and had become something of an expert on such sniffers and the various ways to use them. He had spent the previous few years overseeing a massive "wardriving" hacker operation that eventually broke into the computer networks of TJ Maxx, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21, DSW, and other retailers. His team drove around in cars, found weak corporate wireless networks to use as entry points to the broader corporate network, then installed custom sniffers to grab credit card data as it moved to payment processing networks.

For instance, the team broke into fashion retailer Marshall's by infiltrating two wireless access points at two Marshall's stores in Miami. Once inside the corporate network, the team found files holding unencrypted credit card numbers—but only until 2003. The data was so old, many of the cards had expired by the time the hackers found them. For transactions after 2003, all the numbers were stored encrypted.

Gonzalez turned one of his team members loose on the system, asking him to find some way to use a packet sniffer to grab credit card data whenever it transited the network in unencrypted form. Here's how a US Attorney later described the result:

Quote :
There was, however, just a very brief period during the processing of each transaction when an individual payment card was not [encrypted]. It was by keenly and aggressively taking advantage of this instant of vulnerability that Gonzalez sought and ultimately succeeded in stealing current unencrypted payment card data.

One problem with the approach: the team still had to sit in cars right outside Marshall's to collect the data. This was bound to look suspicious over time, so in the middle of 2006, Gonzalez had his team install VPN access to the Marshall's network so that they could access it from anywhere. Their sniffer, first called "blabla" and later "Issas," helped the team steal huge amounts of track 2 data from credit cards, which they sold to people like Yastremskiy and Suvorov.

In the end, Marshall's corporate parent TJX claimed to suffer $200 million in losses and expenses from the hacks. Gonzalez and his various associates were involved in, as Attorney General Michael Mukasey later put it, "the single largest and most complex identity theft case ever charged in this country." (During this entire spree, Gonzalez was actually a Secret Service informant helping to lock up other criminals.)

So when Yastremskiy came asking about a sniffer for Dave & Buster's, Gonzalez had just the thing ready to go. He provided a sniffer that was nearly identical to the one used in the Marshall's attack—and it was this code which ended up running on the POS server at store #32 in Islandia, New York.

The Secret Service came for Gonzalez in May 2008, with Suvorov already in a German jail and Yastremskiy doing time in Turkey. Gonzalez was wanted in numerous cases, especially the TJX case and the Dave & Buster's hacks, though a good deal of the incriminating evidence against him was stored on the Latvian server that the whole team used to store code and card data.

Criminals routinely appear to believe that storing their data overseas is a deterrent to the feds—and it can be, until your crimes get big enough that the government commits to bring you down. In this case, the Secret Service actually keeps agents stationed in Latvia to combat electronic crimes. Working with Latvian police, they obtained an image of the server from local hosting provider Cronos IT. An agent personally flew it back to the US for processing.

Forensic analysis showed two encrypted containers on it, each secured with a program called "Best Crypt." As the government later admitted in court, this tool is "extremely effective, and, especially in light of the length and complexity of the password, there is no real possibility" that agents could pop it open with a lucky guess or break it through brute force.

Stymied at last? Nope. US authorities convinced "Cooperating Witness 1"—a co-conspirator of Gonzalez who was one of two people with root access to the server—to simply hand them the password, apparently for a reduced sentence. Inside the encrypted containers, agents found copies of the packet sniffer used in the Dave & Buster's attack, along with millions of stolen passwords.

Living large while it lasts

Hacking can be a lucrative endeavor. After Gonzalez was arrested, the government went hunting for his assets. Much of the money had been frittered away already, but the government was able to track down a blue 2006 BMW, a Miami condo, two laptops, $1 million in cash, a Glock 27 handgun, three Rolex watches, and a Tiffany diamond ring—which Gonzalez had given to a woman as a gift.

Gonzalez at first pled not guilty, and he cited the judgment of a psychiatrist (hired by Gonzalez) who opined that the young man might have lacked "capacity to knowingly evaluate the wrongfulness of his actions and consciously behave lawfully and avoid crime." The reason? Asperger's syndrome and "Internet addiction."

The government wasn't having any of this, but in the end it hardly mattered: Gonzalez pled guilty and cooperated with investigators. At sentencing in March 2010, the government tore into Gonzalez.

Quote :
Gonzalez knew exactly the harm he was causing and was proud of it. Why did he do it then? Ego, challenge, greed, of course. He crowed to his Ukrainian fence of stolen credit and debit card numbers that his crimes were infamous and causing widespread damage, and he urged his Ukrainian fence to speed up the sales of victims' card numbers before banks caught on and could shut the accounts down.

Gonzalez's lawyer backed off the Asperger's defense a bit, but did make an eloquent pitch for his client. While Gonzalez committed crimes, the lawyer argued, he didn't—say—bring down the world financial system.

Quote :
He didn't, as many CEOs do and many people invested with the fiduciary duties, take tens and hundreds of millions of dollars away from people whose lives were devastated. He's not a Ponzi schemer. He's not a person who endorsed false accounting statements that led to stock market crashes...

But certainly the crimes of the Skillings and Enron and the Ebbers and WorldCom, and the people that drove down American corporations and ruined the retirement funds of their customers, the stock value of their stockholders, that those are the people that destroy people's faith in America, not Mr. Gonzalez, although his crime is serious and deserves a serious sentence.

And then, with his parents and sister in the front row of the court, Gonzalez spoke.

Quote :
I blame nobody but myself. I've impacted the lives of millions of individuals, and I violated the sanctity of my parents' home by using it to stash illegal proceeds. These millions of people whose lives I've impacted, I never once gave much thought of what it felt to them to have their privacy violated until these 22 months that I've had time to think over and over about this because I always thought that they were being made whole by their financial institutions. I'd like to publicly apologize to my family. I feel as if they are the true victims in my actions, and I plead for leniency so I may one day prove to them that I love them just as much as they love me. Thank you.

He was sentenced to 240 months in prison and $14,000 in fees, and he forfeited all the proceeds of his crimes. One month later at a separate restitution hearing, Gonzalez was ordered to pay $69,143,862.80 to his victims.

His probation officer was told to work out a payment plan.

A question of resources

With Yastremskiy occupying a Turkish jail for 30 years and Gonzalez doing 20 years in a federal prison—he's currently in Michigan—the strange saga of the Dave & Buster's hack only required one more sentence to complete the story: Suvorov's.

The Germans eventually did send him to the US. On January 16, 2009, the young man from Sillamäe ended up in the Eastern District of New York facing federal judge Sandra J. Feuerstein. A Russian interpreter was present to help Suvorov make his plea on the Dave & Buster's charges—he pled not guilty on every count.

By May, he changed his mind. He pled guilty to the Dave & Buster's hack and in 2011 pled guilty to selling those credit card numbers to a Secret Service agent for $10,000. His cases were eventually combined, the California charges doing a transcontinental trip to New York, and this month Suvorov finally stood before a federal judge in Central Islip to learn his fate.

Now 28, Suvorov was sentenced to seven years in prison, ordered to pay $675,000 in restitution, and told to forfeit $300,000 of assets.

The government used his sentence to make one major point to criminals: the "borderless" Internet won't save you from prosecution.

Quote :
“Suvorov reached across an ocean to victimize thousands of Americans,” said one US Attorney in a statement after the ruling. “That ocean was no protection from the reach of US law enforcement, whose coordinated efforts put a stop to Suvorov and his cohorts’ criminal scheme. He will now serve his sentence in the country of his victims. Computer hackers and identity thieves who prey on innocent American consumers, businesses, and financial institutions will find no refuge from US criminal justice in any corner of the globe.”

Tough words, and certainly a bit hyperbolic. Many cybercriminals, especially low-level ones, are in little danger of being picked up. But the Dave & Buster's case does make one thing perfectly clear: when the government intends to take you down, the resources at their disposal are phenomenal. "Sneak-and-peeks" in Dubai, agents in Latvia, hiding in Antalya hotel rooms, extradition requests, the cooperation of police on several continents, informants, months of expensive forensic work, hand-couriered drive images, a three-year undercover Secret Service investigation, years of work by US attorneys—federal resources are not unlimited, but they are immense.

That's why it's worth casting a skeptical eye on regular claims that investigators need new powers. The FBI, for instance, has long claimed that strong encryption means that the bad guys are "going dark" and can't be surveilled anymore. But neither encrypted machine in the Dave & Buster's case ultimately stopped the government for long. Cops have also complained about encrypted chat channels like Skype, but US wiretap reports routinely show that crypto doesn't stymie wiretap warrants (though investigators may simply not apply for warrants on encrypted communications that lack a back door or central server). Laws like SOPA are said to be necessary because it's simply too hard to reach people operating online from other jurisdictions, though cases like Megaupload show that it's possible in many cases where the government wants someone badly enough.

And that's the key question: how easy should crypto-breaking or website takedowns or foreign arrests for Internet crimes be? Having a higher barrier to their use—say, by requiring expensive police work that can develop and turn informants, or by leaving Skype unbreakable and forcing cops to install malware on targeted computer endpoints to spy on conversations—makes investigations harder and runs up their bills. It undoubtedly leads to some people going free who might, more productively for the rest of us, spend time in confinement. But it can also prevent dragnet surveillance, casual overreach, and the unwarranted use of extradition.

But in this case, at least, the Secret Service bagged some truly deserving targets.
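The sniffer in the article pulled "track 2" data (card number and expiry, no name) out of the POS server's traffic. The following is an added example, not code from the article, from the forum poster, or from any of the parties named: a defender-side scanner that finds ISO/IEC 7813 track 2 records in a captured byte stream and Luhn-validates the PAN, which is the check a merchant or incident responder would run on a capture or a memory dump to see whether card data is crossing a link in the clear. The sample capture, the field names, terminal IDs and amounts are constructed for this example; the PANs are the standard Visa/Mastercard test numbers, and the third record carries a deliberately Luhn-invalid PAN to show the false-positive filter.

```python
import re
from dataclasses import dataclass
from typing import List

# ISO/IEC 7813 track 2 layout: ';' start sentinel, PAN (up to 19 digits),
# '=' field separator, YYMM expiry, 3-digit service code, discretionary
# data, '?' end sentinel. No cardholder name is present on track 2.
TRACK2_RE = re.compile(
    rb";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?"
)


def luhn_valid(pan: str) -> bool:
    """Mod-10 check that every real PAN passes; filters digit runs that only look like one."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI-style masking: keep only the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class Track2Hit:
    offset: int            # byte offset of the start sentinel in the stream
    pan_masked: str
    expiry: str            # YYMM as carried on the track
    service_code: str


def find_track2(stream: bytes) -> List[Track2Hit]:
    """Return every Luhn-valid track 2 record found in a byte stream."""
    hits = []
    for m in TRACK2_RE.finditer(stream):
        pan = m.group("pan").decode("ascii")
        if not luhn_valid(pan):
            continue                        # looks like a PAN, is not one
        hits.append(Track2Hit(
            offset=m.start(),
            pan_masked=mask_pan(pan),
            expiry=m.group("exp").decode("ascii"),
            service_code=m.group("svc").decode("ascii"),
        ))
    return hits


# Constructed sample: a fake POS-to-processor request sent in the clear.
# Terminal IDs, amounts and field names are invented (hypothetical); the
# first two PANs are public test numbers, the third fails the Luhn check.
SAMPLE_CAPTURE = (
    b"POST /auth HTTP/1.0\r\n"
    b"term=0032-07&amt=004250&track2=;4111111111111111=07091011234567890?\r\n"
    b"term=0032-07&amt=001200&track2=;5555555555554444=08051210000000000?\r\n"
    b"term=0032-07&amt=000999&track2=;4111111111111112=07091010000000000?\r\n"
)


def scan(stream: bytes = SAMPLE_CAPTURE) -> dict:
    """Summarise what a sniffer on this link could have harvested."""
    hits = find_track2(stream)
    return {
        "records": len(hits),
        "pans": [h.pan_masked for h in hits],
        "expiries": [h.expiry for h in hits],
    }


if __name__ == "__main__":
    for h in find_track2(SAMPLE_CAPTURE):
        print(f"offset {h.offset}: PAN {h.pan_masked} exp {h.expiry} svc {h.service_code}")
```

Run against a pcap payload or a process memory dump the same scanner reports where plaintext track data sits without ever writing a full PAN to its own output; the Luhn filter matters because timestamps, terminal IDs and session tokens routinely produce 13-19 digit runs that a bare regex would flag.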