Category Archives: Security

130 Million Credit Cards and the Insider Threat

The Department of Justice in San Francisco released a number of interesting details today in its indictment of Albert Gonzalez, a former informant for the Secret Service who is already in custody.

In brief, the largest and most sophisticated breaches of credit-card data are now being tied to a relatively small group with special knowledge.

Gonzalez was a Secret Service informant who once went by the nick “Cumbajohnny.” He was a top administrator on a carding site called Shadowcrew when he was arrested in 2003. Authorities discovered his connection to Shadowcrew and soon put him to work undercover on the site, setting up a VPN for the carders to communicate, which was controlled out of the Secret Service’s New Jersey office.

That undercover operation, known as “Operation Firewall,” led to the arrest of 28 members of the site in October 2004. After the site went down, Gonzalez changed his nick to “Segvec” and moved to Miami, Florida, where he resumed his life of crime under the nose of authorities who were in pursuit of “Segvec,” while being ignorant of the fact that he was their old informant.

Gonzalez learned from helping take down Shadowcrew. You might even say it helped him eliminate his competition, as he then set out to run a new criminal operation that evaded the Secret Service and befuddled investigators.

Gonzalez, in the proud tradition of federal informants dating back to the Mafia crackdowns of the 1970s, was already an informant for the U.S. Secret Service when the retail war-driving scheme hatched, and he’s accused of using his inside knowledge of prosecutions to steer select underground allies clear of trouble.

His success also was in no small part due to help from others who had trained and worked in security operations. We saw already, for example, that a former employee of Qualys and close friend of Gonzalez named Stephen Watt wrote software called “blabla” and modified it at Gonzalez’s request to sniff card data. Watt’s name surfaced after Gonzalez was arrested and charged in August 2008 with attacking TJX, OfficeMax, Dave & Buster’s, BJ’s Wholesale Club, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW. Gonzalez, also known as “j4guar17” and “soupnazi”, ran his operation from Miami. He amassed $1.6 million in a bank account and was supposedly awash in cash. He will go on trial next year for that set of breaches, but today’s indictment ties him to the more recent 7-Eleven, Heartland and Hannaford incidents, with connections to new and different co-conspirators.

The description of this as an “insider” threat seems to center on the use of security knowledge rather than any true insider role. The group apparently had no one actually employed by the breached targets. Instead they used known weaknesses in wireless security (the retail war-driving mentioned above) and in web-facing databases (SQL injection) to get remote access to the targets. They then installed programs specifically designed to evade the top 30 antivirus vendors, dumped card data, and erased their tracks. Those four steps combined are what everyone will be calling a highly sophisticated attack. Any one of the steps alone is in fact sophisticated, but to chain them all together and run an invisible operation for many months across multiple sites is why the “insider” label is likely to be applied. Nonetheless, I would argue this neither diminishes compliance regulations nor suggests that defense against attack is impossible.
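As an added example that is not part of the original post and not code from any of the cases it describes, the following Python shows the database weakness named above: a lookup built by string concatenation that a single injected input can turn into a dump of every card record in the table, beside the parameterized form that a code review should insist on. The table, the rows and the card values are constructed for the example (industry test numbers, not real accounts), and the function names are assumptions.

```python
import sqlite3

# Constructed sample rows for the example: industry test card numbers, not real accounts.
SAMPLE_ROWS = [
    ("alice", "4111111111111111"),
    ("bob", "5500000000000004"),
    ("carol", "340000000000009"),
]


def build_db():
    """In-memory table standing in for a retailer's card-holder store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE card_tokens (customer TEXT, pan TEXT)")
    conn.executemany("INSERT INTO card_tokens VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, customer):
    """The application only means to return the matching customer name, but the
    caller-supplied value is spliced into the SQL text and can rewrite the query."""
    sql = "SELECT customer FROM card_tokens WHERE customer = '" + customer + "'"
    return [row[0] for row in conn.execute(sql).fetchall()]


def lookup_parameterized(conn, customer):
    """Same lookup with a bound parameter: the value is data, never SQL syntax."""
    sql = "SELECT customer FROM card_tokens WHERE customer = ?"
    return [row[0] for row in conn.execute(sql, (customer,)).fetchall()]


# An injected value that closes the string literal, appends a UNION that pulls the
# card column out of the same table, and comments away the trailing quote.
DUMP_PROBE = "x' UNION SELECT pan FROM card_tokens -- "


def demo():
    """Run the same probe through both lookups and return what each gives back."""
    conn = build_db()
    return {
        "normal": lookup_parameterized(conn, "alice"),
        "vulnerable_dump": sorted(lookup_vulnerable(conn, DUMP_PROBE)),
        "hardened_probe": lookup_parameterized(conn, DUMP_PROBE),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The vulnerable lookup hands back all three card numbers to a request that was only ever supposed to echo a customer name; the parameterized one returns nothing, because the probe is compared as a literal string. This is the kind of defect a code review finds by searching for SQL assembled with string concatenation, independent of anything antivirus would ever see.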

Plausible Deniability brought up this line of thinking last year. They asked the usual questions about how one should ever hope to find a dedicated attack when it is based on specialized and sophisticated knowledge.

Is it unnerving that malware was designed and tested by Gonzalez’s operation to escape detection by the top 30 antivirus vendors? I say no. We have known for a very long time that antivirus software is limited in what it can catch. That is why it is not the one and only security control required for compliance.

Other controls such as a properly managed firewall and code reviews are also required. I have discussed this in detail in my top ten breaches presentation. There are at least five and maybe six distinct steps that could have tripped a security team in the Hannaford case, completely outside the role of antivirus. Note that major antivirus vendor McAfee recently released a “Virtual Criminology Report” and Symantec has published a “Report on the Underground Economy”.

I believe this is recognition of the fact that, while antivirus software might catch a lot of known bad code, it is definitely not the answer to cybercrime or emerging threats. These reports thus start to scratch the surface of the social and economic factors that play into security and antivirus management, with a nod to traditional anti-fraud concepts as well as law enforcement response techniques. Fighting cybercrime, as any of your local law enforcement officers will tell you, is not just about holes and patches, and it is not just for techies anymore.

That’s it for now. I will put together a webcast with much greater detail on the methods used in these cases, the success of PCI compliance, where threats are going and how to catch the next Gonzales. Hope you will have a chance to listen. Hint: a common theme of the emerging attacks, as discussed in my top ten breaches presentations, is communication among conspirators.

African Veterans of WWII

The BBC celebrates Africa’s forgotten wartime heroes for VJ Day.

The contribution of West Africans was played down in official versions of the Allied war in Asia, and until now, few have had an opportunity to tell their tale.

In fact, only two in 10 of the soldiers who fought in Burma were white.

The article tells a story of a soldier who was forced by the British to join the military at age 16. His name also was changed by the colonialists to “African Banana”.

The article suggests that men like this were dispersed and then ignored after victory rather than given opportunities to build upon their expertise. I suspect this had two negative consequences. First, it probably reduced the capacity of Allied forces to engage in jungle combat in subsequent conflicts.

They were central to the push to clear Japanese forces out of the jungle and mountain ranges of Burma, from where they threatened British India.

This was achieved through a gruelling campaign of jungle marches, battles and ambushes, in which supplies were delivered entirely by air.

Usman Katsina remembers it well.

“Everything that was meant to be used – your food, your clothes, everything – was given to you and you were required to carry it, on your head and back. Some even died from exhaustion, from travelling long distances, with a heavy load,” he says.

[…]

Their enemy was an extremely dangerous opponent. Japanese soldiers were trained well in the art of jungle warfare, where the first rule was concealment.

It was a skill the Nigerian troops had to learn too.

“The Japanese in the jungle were just like snakes – they hid before you could see them, it was very hard,” recalls 97-year-old Hassan Sokoto.

Elite veterans of the Fourteenth Army and the Burma campaign were soon being integrated back into their home countries rather than given opportunities to lead future combat. It makes me wonder whether the struggles faced by French forces in Indochina, and soon after by the Americans in Korea and Vietnam, could have had a better start, let alone outcome. Although health precautions and research into hygiene and tropical medicine were shared among allies (e.g. jeep-based ambulances, forward surgical teams, light air evacuations), experience from the 1944 campaign of the Chindits, led by Major General Orde Wingate, appears to have been downplayed or erased altogether.

Second, the return of the African veterans to their home sowed seeds of discontent among men who had served as equals or more during the war. The experience of the men who successfully organized and fought in North Africa and Asia was inevitably going to change their perceptions at home. They expected the same or similar respect as any soldier under the British War Office. This threatened the British Colonial Office authority and opened a rift in policy towards equality at home.

The role of Indians and Gurkhas is known. But when Allied commander General William Slim thanked his 14th army at the end of the campaign, he did not even mention the Africans.

[…]

Despite the hierarchy, the war in Burma played some part in breaking down the race barriers of the era.

“Initially I saw the white man as someone better than me. But after the war, I considered him an equal,” recalls former infantryman Dauda Kafanchan.

In post-war Nigeria, the colonial government gave some veterans land to begin new lives as farmers. The project was also a scheme to reduce their potential impact as a new political force.

The decline of British power, combined with the rise in expertise and experience of Africans during the war, accelerated a drive for independence from colonial rule. The independence of India was a sign of events to come. The British would have been wise to invest in this sea change rather than obstruct or try to deny it, as recounted in the story of an angry Gurkha in the book “Quartered Safe Out Here” by George MacDonald Fraser:

We were talking politics, and a clever and articulate Congress party supporter, who happened to be extremely swarthy, got very emotional. “You British,” he cried, “with the help of this type of people — “here he indicated Thapa [a Gurkha] and a couple of Sikhs “–have been exploiting this land for centuries! You have bled India white!”

One of the Sikhs murmured behind his gin and tonic: “It hasn’t had much visible effect on you,” which was well below the belt, but it might have passed if the Nigerian hadn’t laughed fit to rattle the chandelier.

Accepting the change and managing through diversity would not only have increased the chance of secure and stable growth in many nations but also possibly allowed the British to reposition themselves and benefit even under new regimes. Instead, a vacuum formed in occupied nations during their administration and following withdrawal by the British, which soon led to civil conflict and war. With luck the United States will work to avoid the same mistakes in its transition plans for Iraq and Afghanistan.

US Kills Afghan Civilians

The AP reports that a false positive led to a US attack on innocent civilians in Afghanistan:

An American bombing that killed up to 90 Afghan civilians last month was based on false information provided by a rival tribe and did not kill a single Taliban fighter, the president’s spokesman said Sunday.

The claim contradicted a U.S. contention that the Aug. 22 raid on the western village of Azizabad killed up to 35 Taliban fighters.

Although the new, more sophisticated campaigns are a big improvement over prior years of conventional warfare, they are not without serious risk. It should be obvious that to make progress, intelligence gathering has to be able to factor in social issues such as rivalries and politics in order to determine military targets and the potential for “blowback”.

I am reminded of this again today, when looking at first-person photographs of the US bombing campaign in Somalia:

People walk through rubble after U.S. war planes killed an Islamist rebel said to be al Qaeda’s leader in Somalia and as many as 30 other people in Dusamareb, May 1, 2008. REUTERS/Abdi Guled

Information integrity is a cornerstone of intelligence-based warfare. A related problem, I have noticed recently, is pressure in American politics by those who say they are defiant and suspicious of “highly-educated” people and anyone who presents a data or fact-based approach to problems. I think some Americans approach food in a way that is an apt metaphor for their military and political strategy:

We fry things nobody ever considered friable – things like cupcakes, banana sandwiches and batter dipped artificial cheese…even pickles.

Fire, ready, aim. Did I lose the good with the bad? Civilians? Facts? Unfortunate. Fry again.

Republican Sen. Lisa Murkowski of Alaska said that Palin and other critics were not helping the GOP by tossing out false claims. Portions of the Democratic health care bills “are bad enough that we don’t need to be making things up,” Murkowski said, invoking a phrase that Palin used in her resignation speech, when she asked the news media to “quit making things up.”

This is not to condemn firing or frying, but to say that both need to be handled with care and a focus on outcomes, or they may make things worse than what existed before. At this point I feel like taking this story into a historical reference to the Maginot Line, but perhaps that will be a post for another day.

WordPress Flaw

Annoying? Yes, a URL flaw in the WordPress password reset should be on many to-do lists for today:

…a specially crafted URL could be requested that would allow an attacker to bypass a security check to verify a user requested a password reset. As a result, the first account without a key in the database (usually the admin account) would have its password reset and a new password would be emailed to the account owner. This doesn’t allow remote access, but it is very annoying.

Patch, patch, patch…
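As an added example, not WordPress’s code and not a description of the exact bug in the announcement above, here is a Python model of the class of flaw quoted: a reset handler that confirms a key was supplied before it normalizes the value, so junk input passes the check, normalizes to an empty string, and matches the first account with no pending reset (usually the first-created admin), beside a hardened handler that normalizes first, refuses empties, looks up the named account only, enforces expiry, compares in constant time and consumes the key. The users table, the order of the checks, the expiry window and the function names are assumptions for the illustration.

```python
import hmac
import re
import secrets
import sqlite3
import time

KEY_LIFETIME_SECONDS = 3600  # assumed expiry window for a reset key


def build_db():
    """Constructed users table: nobody has a pending reset, so every
    activation_key is the empty string (the column default)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users ("
        " id INTEGER PRIMARY KEY,"
        " login TEXT UNIQUE,"
        " activation_key TEXT NOT NULL DEFAULT '',"
        " key_expires REAL NOT NULL DEFAULT 0)"
    )
    conn.executemany(
        "INSERT INTO users (login) VALUES (?)",
        [("admin",), ("editor",), ("bob",)],
    )
    return conn


def request_reset(conn, login):
    """Legitimate first step: store a random key and its expiry for one user.
    A real site e-mails the key; here it is returned for the demonstration."""
    key = secrets.token_hex(16)
    conn.execute(
        "UPDATE users SET activation_key = ?, key_expires = ? WHERE login = ?",
        (key, time.time() + KEY_LIFETIME_SECONDS, login),
    )
    return key


def reset_vulnerable(conn, key):
    """Assumed flaw: the presence check runs on the raw value, and only then is
    the value normalized. Junk such as '???' passes the check, normalizes to '',
    and the lookup matches the first account whose stored key is '' (no reset
    pending). Returns the login of the account whose password would be reset."""
    if not key:
        return None
    key = re.sub(r"[^a-z0-9]", "", key)
    row = conn.execute(
        "SELECT id, login FROM users WHERE activation_key = ? ORDER BY id LIMIT 1",
        (key,),
    ).fetchone()
    if row is None:
        return None
    conn.execute("UPDATE users SET activation_key = '' WHERE id = ?", (row[0],))
    return row[1]  # caller would now generate and e-mail a new password


def reset_hardened(conn, login, key):
    """Normalize first, refuse an empty key, look up the named account only,
    require a non-empty stored key that has not expired, compare in constant
    time, and consume the key so it cannot be replayed."""
    if not isinstance(key, str):
        return None
    key = re.sub(r"[^a-z0-9]", "", key)
    if not key:
        return None
    row = conn.execute(
        "SELECT id, login, activation_key, key_expires FROM users"
        " WHERE login = ? AND activation_key <> ''",
        (login,),
    ).fetchone()
    if row is None or row[3] < time.time():
        return None
    if not hmac.compare_digest(row[2], key):
        return None
    conn.execute(
        "UPDATE users SET activation_key = '', key_expires = 0 WHERE id = ?",
        (row[0],),
    )
    return row[1]


if __name__ == "__main__":
    conn = build_db()
    print("vulnerable, junk key resets:", reset_vulnerable(conn, "???"))
    print("hardened, junk key resets:", reset_hardened(conn, "admin", "???"))
    k = request_reset(conn, "bob")
    print("hardened, real key resets:", reset_hardened(conn, "bob", k))
    print("hardened, replayed key resets:", reset_hardened(conn, "bob", k))
```

The check to look for in any reset flow is the one the quoted advisory describes: a stored “no reset pending” value (empty string, NULL, zero) must never be a valid match for a client-supplied key, so validate after normalizing and exclude empty stored keys in the query itself.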

Edited to add: 11 Tips to Secure WordPress