July 12, 2021 | 1 minute read
As a recognized expert in cybersecurity and data breach response, Sherri has been called a “security badass” by the New York Times, and has conducted cybersecurity training for many distinguished organizations including the Department of Defense, the American Bar Association, FFIEC/FDIC, and many more.
She is a faculty member at the Pacific Coast Banking School, and an instructor for Black Hat, where she teaches her “Data Breaches” course.
Born in Israel in 1975, Malicious Life Podcast host Ran studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several High Tech companies in Israel.
In 2007, he created the popular Israeli podcast Making History. He is the author of three books (all in Hebrew): Perpetuum Mobile: About the history of Perpetual Motion Machines; The Little University of Science: A book about all of Science (well, the important bits, anyway) in bite-sized chunks; Battle of Minds: About the history of computer malware.
Malicious Life by Cybereason exposes the human and financial powers operating under the surface that make cybercrime what it is today. Malicious Life explores the people and the stories behind the cybersecurity industry and its evolution. Host Ran Levi interviews hackers and industry experts, discussing the hacking culture of the 1970s and 80s, the subsequent rise of viruses in the 1990s and today’s advanced cyber threats.
Malicious Life theme music: ‘Circuits’ by TKMusic, licensed under Creative Commons License. Malicious Life podcast is sponsored and produced by Cybereason.
It’s early 2004, and one of the two or three greatest cybercriminals to ever walk the planet–Albert Gonzalez–is on the payroll of the United States Secret Service.
And not just working for them–thriving with them. For months, sometimes all day and night, he works alongside bona fide agents out of a satellite office in an army repair garage in Jersey City. And those agents actually like him. One prosecutor later told the New York Times, quote: “It was kind of a bonding experience. He and the agents developed over time a very close bond. They worked well together.” End quote. They even give him a nickname: “Soup,” a play off his online persona “soupnazi.”
And Albert is teaching them all kinds of new things. It’s like when he was 14, and the FBI visited to figure out how a kid who’d only just reached puberty managed to hack into NASA. Remember what happened? An agent took Albert into a room, they sat there for an entire afternoon and, by the time they came out, it was the agent–not the child–who was left dizzy. “This kid is amazing,” Albert’s lawyer recalled the man saying, “He’s running circles around me.” Now, at 23, Albert is running circles around the Secret Service. The prosecutor recalled how, quote, “Spending this much time with an informant this deeply into a cybercrime conspiracy — it was a totally new experience for all of us.”
By springtime, the Service trusted Albert enough to make him the fulcrum for their biggest ever cyber operation.
It’s ironic, actually, that they were about to use one of history’s great cybercriminals to attempt the most ambitious sting in the history of cybercrime to date.
FIREWALL I: THE VPN
[Sherri] So at this time,
That’s Sherri Davidoff, CEO of LMG Security, and author of the book ‘Data Breaches’.
[Sherri] Albert is an administrator on the ShadowCrew site and he actually begins to climb even further within their ranks as he – at the same time that he’s working with the Secret Service.
You might’ve assumed that, once he went clean, Albert left the cyber underground for good. But the Service had him do the exact opposite–stay active, become more embedded in the community.
It was all part of the plan.
[Sherri] The other thing to understand about this time is that the dark web doesn’t exist. [. . .] the dark web doesn’t exist and that means that as all these hackers are visiting ShadowCrew and buying and selling credit card numbers, this is all on the normal internet.
The web domain for ShadowCrew is “www.shadowcrew.com”–as simple to type into your browser as “google.com.” That means all this cybercrime is hiding in plain sight. ShadowCrew users are in a real need of more reliable ways to cover up what they’re doing.
One way you can hide yourself on the open web is via a virtual private network, or VPN. A VPN is basically a remote computer that functions as a ‘proxy’ for all your data transfers.
As an analogy – say that I want to send a letter to Ben Or, our sound designer, to tell him I really love the music he adds to the episodes. But I don’t want him to know that I wrote the letter, since he might ask for a raise… so I write ‘Dear Ben Or – I really love your music!’, and I place the note in an envelope – but I don’t send that letter to Ben Or, I send it to Nate, instead. Nate then takes the letter, removes the original envelope that had my name and address on it – and replaces it with a new envelope with his name and address. He then sends it over to Ben Or, who gets the note…
[Ben Or] Wow, Gee, Thanks!
…and since the note came from Nate and not from me – he has no idea that I’m the true originator of the letter!
[Ben Or] Ha. I’d recognize Ran’s handwriting everywhere. He probably doesn’t want me to ask for a raise. Such a cheapskate, geez…
VPNs work in a similar fashion. You establish a secure, encrypted connection to a remote server, and ‘tunnel’ all your browsing activity through that remote server so that your true identity is hidden. There are ways to see past a VPN connection and figure out who’s behind certain internet activity, but it’s difficult.
So you can imagine how useful a VPN would be for members of ShadowCrew. The Secret Service knew it.
[Sherri] So Albert says to everybody, “Hey, I’ve set up a VPN service.”
soupnazi starts promoting his own VPN.
[Sherri] He first does this quietly behind the scenes and he gets the ShadowCrew leadership on board. Then after a few months, he starts offering it to the whole ShadowCrew community.
Albert is a well-respected member of the community–he’s got cred.
[Sherri] Eventually the whole ShadowCrew site was moved onto servers that the Secret Service couldn’t monitor and it’s not like the members didn’t realize the risk. There were certainly times that members jokingly said things like, “Hey, if the Secret Service had a backdoor, they could listen to everything we said,” and Albert would just sort of laugh it off and reassure them.
Except they’re right.
[Sherri] The Secret Service has a backdoor into Albert’s VPN and is actually monitoring everything that they do.
FIREWALL II: SPYING
The U.S. government now has an unobstructed view into almost all the activity happening on the biggest cybercrime website in the world, right down to the most granular levels. The book “Kingpin” describes what they found, quote:
“There were deals every day and every night, with a weekly surge in trading Sunday evenings. The transactions ranged from the petty to the gargantuan. On May 19, agents watched [one user] transfer 115,695 credit card numbers to another number; in July, [another user] moved a counterfeit UK passport; in August, [someone] sold a fake New York Driver’s license, an Empire Blue Cross health insurance card, and a City University of New York student ID card to a member in need of a full identification portfolio.”
It’s like this, but a hundred times over. The agents record everything they can. After a few months, when they’ve gathered enough evidence, it’s time for phase three.
FIREWALL III: THE BUST
Albert is sent to the Secret Service HQ in Washington D.C. Just before 9:00 P.M. eastern time, he gets on a keyboard.
[Sherri] Albert calls a meeting online and when he does that, people listen. He gets the ShadowCrew leaders and key members into a chat forum.
Meanwhile, in 28 locations across eight U.S. states and six countries, law enforcement agents are quietly gathering around houses. Weapons drawn.
[Sherri] The investigators really need to link the person at the keyboard to the stuff that they’re – to their online persona. So it’s important to catch them in the act, as it were.
Albert keeps the ShadowCrew members talking, until 9 PM strikes.
Then, all at once, 28 front doors bust open.
[Sherri] They put out an indictment with 62 counts at a public press release and this is like the biggest cybercriminal bust in history.
19 individuals would end up being indicted. Many served years-long prison sentences.
[Sherri] So this is not only a bust and something where the leaders and some buyers and sellers are going to be held accountable. It’s also serving as a warning for others, which is very frightening to hackers and the cybercriminal underground.
By October 27th, the homepage of www.shadowcrew.com looked a lot different than usual. In a move reminiscent of the Keebler Elves, the Secret Service defaced the page, posting their logo at the top and a stock photo of a man behind bars. Then, in all caps, quote: “CONTACT YOUR LOCAL UNITED STATES SECRET SERVICE FIELD OFFICE…BEFORE WE CONTACT YOU!!”
Fittingly, ShadowCrew’s slogan–“For those who wish to play in the shadows”–was crossed out. There were no more shadows to play in.
The bust, dubbed “Operation Firewall,” was a resounding success–the biggest in cyber history to that point. Albert Gonzalez transformed from most wanted to most lauded. But it didn’t take long for his former comrades from ShadowCrew to notice that exactly one person had conspicuously avoided arrest.
Albert’s coworkers at the Secret Service urged him to move back home, to Miami, for his own safety. He did, but continued to work as a paid informant in a series of new investigations.
Again, he was outstanding. He was such a good Secret Service employee, in fact, that they had him do seminars, and speak at government conferences. At one point he met personally with the then Director of the Secret Service. Albert gave a presentation, and got to shake the man’s hand.
It’s a remarkable redemption story, you’d have to say. There was just one caveat. You see, Albert Gonzalez went from stealing millions of credit cards to quarterbacking the largest cyber crime bust in U.S. history. And then?
He went back.
Even before he got to Miami, Albert was researching how to breach corporate networks.
[Nate] Why would he think to go back there?
[Sherri] I think Albert was addicted to hacking. I think it was a lifestyle for him at that point and remember, all his friends are doing it. It’s his community.
In some sense, it’s debatable whether Albert “went back” to hacking, or simply never stopped.
[Sherri] I’m not sure there was ever a clean break that Albert really stopped working with “the dark side”. I think that this was a continuous process for him.
You need to try and get out of your own head, and place yourself in his for a moment. Think back on everything you heard earlier in this story. What was Albert actually doing for the Secret Service?
Was he helping bust ShadowCrew and other cybercrime operations? Yes.
Was he performing the ultimate data breach, by convincing the U.S. government to grant him access to their internal systems and communications, in order to better understand their capabilities and weaknesses? Crazy as it sounds, that too.
Exactly what his motivations were at any given point in time are, to this day, only known to him. Maybe there was a time when, as his Secret Service coworkers believed, he genuinely turned to the good side. Maybe he liked working with them, but never quite gave up the idea of going back. Or, it’s entirely possible–likely, even–that Albert Gonzalez was a triple agent the entire time.
Actually, not even triple–we’re going to have to come up with a new term entirely. A triple agent is somebody pretending to be a double agent for one side, while actually acting as a double agent for the other side. Albert wasn’t pretending, though–he was doing good work for the U.S. government, and enjoying it, while also infiltrating them and gathering information he could use later for malicious purposes.
What do you call that, a quadruple agent? For now, let’s just call it: playing both sides.
And he continued playing both sides, even years after this point in the story. It’s almost unbelievable. By the end of this episode, Albert will have pulled off one of the biggest data breaches of the decade while on government payroll.
His best friend in the Service–an agent named Michael–later reflected on how an actual government intelligence agency missed the signs. Quote: “Looking back, we knew what he wanted us to know [. . .] He was leading a double life within a double life.” End quote.
Nobody felt quite so betrayed as Michael, who’d taken Albert under his wing like a brother. They worked side by side for years. Michael was the one who gave Albert his nickname, Soup. He watched over him, mentored him. When Albert moved to Miami, Michael was also transferred there. More than anything else, hearing how Michael tells it really drives home how Albert wasn’t some devious criminal whom they were utterly oblivious to–he was a genuinely beloved guy, which made his decisions all the more disappointing. Quote:
“I put a lot of time and effort into trying to keep him on the straight and narrow and show him what his worth could be outside of that world, keep him part of the team. And he knows that, and he knew what good he could have done with his talent.
We work with a million informants, but for me it was really tough with him.”
INTRO 2 J. JAMES (& CHRIS)
Working at the Service was the kind of insight and experience money couldn’t buy. With all his expertise both with the cops and the robbers, you could make a good case that, at this time–the mid-2000s–Albert Gonzalez was the single most powerful hacker on the planet.
And now he was going to use his power against corporate networks.
As Albert researched new ways of breaking into the most lucrative targets in the country, he decided to reconnect with some old buddies.
One of those buddies was Christopher Scott–not exactly a mastermind of Albert’s caliber. A journalist once described Christopher as, quote, “a depressed, overweight geek.” End quote. He’d met Albert over internet relay chat years back, and he made a decent hacker. But the most useful thing about him was probably who he happened to be good friends with: a handsome, skinny 22 year-old with short brown hair and glasses. Someone we actually mentioned in our last episode. At the time, one of the most famous hackers in the world. Far more so than Albert Gonzalez.
While they’re completely unalike in personality–one reserved and emotional, the other outgoing and charismatic–Jonathan James was in many ways like Albert’s mirror image. He grew up an eight minute drive from Albert, in a pretty similar house in a somewhat more affluent but largely similar neighborhood. His parents were pretty ordinary folks, and religious–Jewish, in his case.
Also like Albert, Jonathan picked up computers at a young age–really young, in fact. At only six years old he began spending entire days on his father’s PC. By middle school he was good enough that he decided to switch its OS from Windows to Linux, to allow for finer control.
Similar to Albert’s parents, the Jameses had conflicting feelings about their son’s behavior. On one hand, he was already as talented as professional computer experts by high school. But it was also clear that this wasn’t a hobby, it was an obsession. Jonathan rarely had time for anything else, and he acted out at the slightest provocation. For example, at age 13 he ran away from home because his mother confiscated his computer. When he called to say that she needed to return it or he wouldn’t come back, she had to have the police trace his location. In another instance, Mr. James went so far as to physically cut his son’s connection to the internet. In response, Jonathan rebraided the severed wire by hand.
Though he may have only known Albert as “soupnazi” at the time, Jonathan James was also a member of Keebler Elves. And where Albert had hacked NASA with the group at age 14, Jonathan independently hacked NASA, along with the U.S. Department of Defense, at age 15.
Jonathan and Albert had a ton in common, up until a very crucial inflection point.
Recall what happened to Albert after he hacked NASA: not much. The FBI went to his school, then talked with him a while, then they went away and Albert quietly returned to hacking.
After Jonathan hacked the U.S. government, he made a severe error: he bragged about it to fellow hackers. According to the Miami New Times, that’s what turned prosecutors against him: aside from the sheer embarrassment he caused, the bragging earned him fame and prevented them from effectively using him to catch anyone else.
And so, at age 16, Jonathan James became the first ever minor to be incarcerated for a cyber crime. Between 2000 and 2003 he spent half a year under house arrest, half a year in juvy, and the rest under probation.
Then, when his sentence was through, he and his friend Chris Scott linked up with their old Keebler Elf buddy, Albert.
Albert, you’ll recall, was researching corporate breaches. At the same time, Jonathan and Chris were starting to explore a novel way of breaching retail stores. A strategy called “wardriving.”
[Sherri] Let me try to visualize this for you.
The three friends start wardriving along Route 1 in Miami.
[Sherri] So you’re sitting in the car in a parking lot or maybe you’re literally just walking around to nearby and you have a really good antenna with you so that you can pick up wireless networks, maybe further than a normal person’s computer. So they sold really nice antennas at the time even at just Best Buy. But you can also build your own or get one that was especially made.
So you get this powerful antenna and you can use software like Kismet that you run on your computer and get a listing of all the networks that are available and what kind of security is on them.
Albert and his friends pull into the parking lots of major retailers, one by one, looking for easy marks.
[Sherri] And some of them literally just have no password. That’s it. You literally see them, you connect to them, they have no password, and from there, you’re on that company’s network.
In other cases, they’re using a protocol called WEP. And WEP was supposed to be secure, but unfortunately, by then it clearly wasn’t. There were a lot of very well-known vulnerabilities in the WEP protocol and tools that hackers were using and penetration testers were using that could crack it and enable you to access those networks as well. [. . .]
[Nate] And we always hear about like the hacker in the coffee shop, but I never hear about wardriving. Is it still a thing? If so, why don’t I hear about it more often and if not, why not?
[Sherri] Yeah. So I mean, you can still go wardriving, but it’s not as effective as it was at the time. I mean back then in 2005, 2006, wardriving was like shooting fish in a barrel. So many different organizations had open wireless networks or insecure wireless networks, particularly retailers because financial institutions were investing in security, but retailers, not as much. They were not regulated. There were no examiners coming in checking on their security. And at the same time, they had all this very valuable payment card information on their network. So they were really a perfect target.
It doesn’t take Chris, Jon and Albert very long to find some barrel fish worth shooting.
[Sherri] So Christopher Scott and Jonathan James find this weak wireless access point. They break into OfficeMax. They break into other retailers and they start stealing card numbers from those retailers and they find that it’s very lucrative.
Chris and Jonathan are the coders, Albert is the money guy. Together they hack OfficeMax, BJ’s Wholesale, Sports Authority, DSW, Barnes and Noble and more. Each time it’s the same: breach a vulnerable access point, steal credentials, move laterally, access point-of-sale machines. Thousands of credit and debit cards flood in. Albert and his associates map the stolen data onto blanks, then “runners” cash them out at ATMs.
It’s all just too easy. Albert starts thinking bigger.
[Sherri] Albert is always into the state-of-the-art. He always likes to understand what’s going on and be on that cutting-edge of his industry, which unfortunately for him is cybercrime.
One day, in July, 2005, Chris Scott drives up to Marshalls clothing store. The WiFi network looks ripe for the taking. As usual, he parks the car, and quickly breaks into a vulnerable access point. He does it again at another nearby location.
This time, the group tries something different. They don’t just settle for two Marshalls’–they decide, instead, to use the stores as entry points in a much larger scheme.
Within a matter of weeks, Christopher and Jonathan map the Marshalls’ network, steal unprotected authentication data, and escalate to the headquarters of their parent organization, TJX Companies, a multibillion dollar organization.
[Sherri] In May of 2006, Albert’s colleague set up a VPN to TJX’s network which enabled them to more persistently steal card numbers. Now, Albert started getting frustrated because TJX was storing a huge amount of data.
For whatever reason, if you had shopped at a Marshalls or a T.J. Maxx in the mid-2000s, TJX Companies would just keep your card data in their system.
[Sherri] A lot of it was for expired cards. So here he is putting a lot of work into stealing payment card numbers and a lot of those card numbers are expired. So he says, “I need fresh card numbers and I have access to this network.” So he turns to his friend, Stephen Watt.
Stephen Watt. Albert’s best friend, and one of the most confounding people you’ll ever come across.
The first thing anybody notices about Stephen Watt is that he’s taller than almost every NBA player–coming in at seven feet tall–and more jacked than most NFL players. His face is chiseled; his forehead is more like an eight-head. He wears earrings, and his long, blonde ponytail falls well below his shoulders. In a DefCon presentation you can find online, the emcee aptly refers to him as “Thor.” But Chris Hemsworth would absolutely cower in fear if he had to face up against Stephen Watt.
And if that weren’t enough, the guy’s a certifiable genius. After graduating high school at age 16 with a 4.37 GPA, and graduating college at age 19, Stephen landed a job at Morgan Stanley. 20 years old, on Wall Street. He was earning 130,000 dollars a year when his best friend Albert came calling, asking for the kind of program that could get him fresh card numbers.
In later court hearings, Stephen claimed not to have known what his code was being used for. He told Wired Magazine, quote: “I assumed it would have something to do with web traffic or instant messaging conversations or logins of some other protocol not related to the credit card information,” end quote. Later court documents would refute that claim.
[Sherri] So he reportedly didn’t know exactly what Albert was up to, but when Albert asked him for a little program that could sniff card numbers off the network, Stephen Watt was all too happy to oblige.
DATA FLOWING IN
This “sniffer” that Albert wanted from Stephen was, in essence, the difference between a data breach and a data waterfall.
Albert already had access to millions of cards, but he wanted “fresh” ones. A packet sniffer software could be installed on TJX’s point of sale networks, to scrape credit cards in real time while they were being swiped.
For Stephen Watt, the genius Wall Street bodybuilder, that kind of thing was a breeze. He did it free of charge.
[Sherri] So he spent about 10 hours creating this little script called Blah Blah and he emailed it to Albert.
Blah Blah–named after how little effort it took its creator–could pull card data from POS machines. Once it reached a certain threshold, the program grouped all the numbers together, encrypted and compressed the package, then forwarded it straight to Albert’s computer. Automatically.
[Sherri] Albert then installed that on TJX’s network and used that to steal millions and millions of card numbers fresh off the network as they were being processed.
Estimates vary. According to the New York Times, he managed to steal 40 million credit cards. According to Wired Magazine, over 100 million. The problem here is that there’s no reliable way to count–there were way too many to keep track of.
And does it even matter? Even 10 million is difficult to picture. 100 million? Almost impossible to fathom. Perhaps it would be more helpful to think about it like this: Albert Gonzalez had stolen credit cards from somewhere between 20 and 50% of the entire American adult population. While he was only 25 years old. And still on the payroll of the United States Secret Service.
It’s probably stating the obvious at this point, but let’s just say: it’s about to go down in the next episode of Malicious Life.