Historic Hacks of the 2000s, Part 2
Note: This is Part 2 of 2. To read Part 1, click here.
The 1990s saw the fall of Communism, the rise of alternate media and the widespread adoption and integration of the World Wide Web. It was also the decade where cyberattacks came out of the shadows and onto the front pages of newspapers.
Hackers may have come of age in the 90s, but it was during the following decade that they really hit their stride in both notoriety and level of damage done. In this installment of our series, we'll consider five historic hacks of the new millennium.
Los Angeles Traffic Light Attack (2006)
Never underestimate the impact of a little premeditated random violence.
In August of 2006, unionized traffic engineers in the City of Angels scheduled a work stoppage, declaring that the city "wasn't going to be a fun place to drive." Frightened officials took the threat seriously and blocked access to the computer that controlled 3,200 traffic signals.
Longtime engineering employees of city, Kartik Patel and Gabriel Murillo decided to do more than walk the picket line — they hacked the traffic system, changing the timing of signals at four busy intersections located near freeways and major destinations. Red lights for the most congested approaches to the intersections were set to be of an unusually long duration. They also inserted a code that prevented an easy fix of the hack.
Normal gridlock was nothing compared to the chaos unleashed by Patel and Murillo. It was a Gordian mess; traffic snarled at the Los Angeles International Airport; the Glendale Freeway was clogged; and the streets around Little Tokyo and the Civic Center completely inaccessible. The impact rippled outward from each location.
It took four days for managers to figure out what was happening. Patel and Murillo were soon arrested and charged with seven different felonies. They refused to admit guilt but did eventually accept a plea bargain and received a two-year probation sentence — an extremely light punishment for endangering the lives of hundreds of thousands, if not millions of Los Angelinos.
City officials learned that little hacks can have major consequences. There are 4,400 intersections in L.A., Patel and Murillo brought traffic to a standstill targeting just four of them.
The upside was that the hack actually awoke government officials around the world to the risks of having city and state systems for power plants, water and sewage departments, and other essential services accessible from outside computers.
Heartland Payment Systems (2007)
Criminal masterminds don't always operate in the shadows. Some, like Albert Gonzalez, pretend to don a white hat and work with authorities — all while practicing their nefarious craft.
Gonzalez was another highly intelligent child in need of supervision. He got his first computer at age 12 and soon showed off his talents by hacking NASA. He also had some serious organizational skills. At age 24, he masterminded the largest ever criminal breach of payment card data.
Amazingly, Gonzalez did his crime while hiding in plain sight. Arrested in 2003 on charges of ATM and debit card fraud and accused of being the kingpin of the underground marketplace, ShadowCrew, Gonzalez avoided prosecution by turning on his accomplices, helping to send 30 of them to jail.
Between 2005 and 2007, while assisting the U.S. Secret Service in their investigation, Gonzalez cobbled together a new team who wardrove the Miami area identifying unsecured Wi-Fi wireless networks of large retailers including the giant payment processing and technology provider Heartland Payment Systems.
Once an unsecured Wi-Fi network was identified, Gonzalez's team would launch SQL injection attacks to create backdoors and plant packet sniffers in the systems. Over 18 months, they stole the digital information encoded onto the magnetic stripes from more the 170 million credit and debit cards. They would then create counterfeit cards and sell the data to other hackers.
Gonzalez made so much money that he buried more than $1 million in his parents' backyard and once complained of having to count $340,000 by hand because his currency-counting machine broke.
The authorities eventually realized they were being played for suckers and arrested him in 2008. There was no turning informant this time and Gonzalez was eventually convicted and is presently serving concurrent 20-year sentences for his crimes. Twenty years may seem like a long time but compared to one of his confederates in crime, who received 30 years in a Turkish prison, Gonzalez got off easy.
Heartland took a serious hit, having to pay $145 million in compensation for fraudulent payments. They were also deemed "out of compliance" with the Payment Card Industry Data Security Standard (PCI DSS) and as a result not allowed to process payments from major credit card issuers for one year.
The Financial Services industry got real serious real fast about safeguarding customer account data. Security expertise and planning was emphasized for C-level executives and industry executives created the Processing Information Sharing Council (PPISC) to facilitate sharing of information about security threats.
Ongoing efforts to secure data in transit led to the development and eventual widespread implementation of end-to-end encryption, tokenization for card transactions and embedded chip technology.