
Who Can You Trust? Hacker/Security Expert Busted for Credit Card Theft

This is the kind of story that could be from a Robert Ludlum novel or maybe an episode of Alias, where you're not quite sure whether the guy who acts good is really bad. ComputerWorld is running a story on Max Ray Butler, sometimes security expert, sometimes hacker, and maybe soon a guest of the government at a federal penitentiary, over massive credit card theft. Mr. Butler, who is facing 40 years in prison (and $1.5 million in fines for good measure), is accused of wire fraud and transferring identity information. It looks like he collected data using war-driving methods around the Pentagon Federal Credit Union and Citibank branches.

According to the indictment, Butler hacked multiple computer networks of financial institutions and card processing firms, sold the account and identity information he stole from those systems, and even received a percentage of the money that others made selling merchandise they'd purchased with the stolen card numbers. The U.S. Secret Service ran the investigation into the hacks and resulting scams, which took place between June 2005 and September of this year.

The article also reports that Cardsmarket, a site used to exchange identity information, is warning its members to cover their tracks with the following post on the site:

"Everybody who hasn't already done so, I would strongly advise that you delete all PMs you have saved," achilous advised. "Also, any unsecured data you have, now would be the time to make sure it is very strongly encrypted. These precautions seemed justified given the severity of the situation. It may only be a matter of time before a government agency takes over this forum, and I did not want them to get the raw SQL database containing all the threads and posts."

But the guy who is causing such a problem for CardsMarket members used to be on the right side of the law:

Ironically, Butler, then 28, was a well-known security researcher before his arrest, frequently posting to security mailing lists. He had also created arachNIDS, a once-popular open source collection of attack signatures used by intrusion detection systems. During court hearings in 2000, it also came to light that he had been an FBI informant for at least two years, and perhaps as many as five years, before his arrest.

So what is the moral of the story? Trust but verify, or more precisely, trust but rotate duties. Occasionally good guys do bad things. Occasionally, trusted system managers, database administrators and application managers will become disgruntled and try to stick it to the Man. Protect yourself.


Dan Sullivan's Bio:

Dan Sullivan is a systems architect with 20 years of IT experience that includes engagements in enterprise security, application design, and systems architecture. His experience includes a broad range of industries, including financial services, manufacturing, government, retail, gas and oil production, power generation, and education. Dan’s security-related project work has ranged from requirements analysis for enterprise information security to designing and implementing security for database applications and enterprise portals. Dan has written about information security and other enterprise information management topics for Business Security Advisor, DM Review, Intelligent Enterprise, and E-Business Advisor. You can contact Dan at: dan_sullivan@realtimepublishers.net