Security Watch: Don't get burned by viruses and hackers.
Real-world wardriving arrests
By Robert Vamosi 
Senior editor, CNET Reviews
September 17, 2004

Last week I wrote about the legality of wardriving. (Synopsis: You can look, but don't touch other people's networks.) Recently, three individuals reached separate plea bargain agreements with the federal government in connection with charges resulting from a 2003 wardriving-related event. While it's interesting to see how a simple wardriving exercise turned ugly, I think we should also wonder why the company involved was broadcasting its private data in the first place.

When idle hacking crosses the line
It started out as a simple wardriving exercise. In the spring of 2003, Paul Timmins, 23, and Adam Botbyl, now 21, were out wardriving in Southfield, Michigan. They were members of Michigan 2600, a group of local hackers who meet periodically over Coke and pizza to share new techniques and skills, but which discourages its members from accessing networks illegally or committing any crimes in general. (Remember, it's legal to wardrive, but it's illegal to access found networks.)

Whether they used a LAN-based connection or a wireless one, they would have been caught and charged just the same.

At some point in their wardriving experience, Timmins and Botbyl came upon a Lowe's hardware store with an open wireless network. Timmins later admitted to Kevin Poulsen of Security Focus that what he did next was technically illegal: he used the Lowe's network to check his e-mail. When he realized it was Lowe's private network, however, he says, he disconnected.

That in itself might have been the end of the story. However, Lowe's became aware of the breach and contacted the FBI, who, after its investigation, charged Timmins with one count of unauthorized computer access. And that by itself would have been a significant story: Timmins's plea has been reported as the first instance of a wardriving conviction. I think the claim is an exaggeration, however. The charge would have been the same had he used a wired connection.

And now for the real crime
But here's where the story gets interesting. Several months later, Botbyl returned to the Southfield, Michigan, Lowe's with a new friend, Brian Salcedo, now 21. Salcedo, it turned out, was in the final weeks of a three-year probation for an earlier computer crime.

Knowing the Lowe's wireless corporate network was exposed, the pair gained access on October 25, 2003. This time, they routed through the company's North Carolina headquarters, then out to the satellite stores nationwide. Log files show they connected to several stores located in California, as well as Florida, South Dakota, Kentucky, North Carolina, and Kansas.

While inside the Lowe's system, they found a custom app, Tcpcredit, which Lowe's uses to process credit card purchases. On November 5, 2003, from the parking lot of the Lowe's in Southfield, Michigan, the pair attempted to load an unspecified malicious program on several computers in a Long Beach, California, store. It might have been an early attempt to capture credit card transactions, but the app crashed several point-of-sale machines at the store.

Missing is the companies' responsibility to ensure that their private wireless networks are not bleeding out into parking lots and adjacent properties.

By now, Lowe's and the FBI were aware of the pair's activities. On November 7, 2003, an FBI surveillance team observed two young men typing on laptops within a white 1991 Grand Prix modified with two suspicious antennas in the parking lot of the Southfield, Michigan, Lowe's store. After several minutes, the pair quit, having left a modified version of Tcpcredit on the system, a working version that allowed them to collect copies of the credit card numbers being processed. While the pair headed off to a local movie theater, the FBI traced the Lowe's log files through the North Carolina headquarters and discovered that the modified credit card files had been uploaded to two different stores. Fortunately, the pair captured only six credit card numbers from one Lowe's store and, according to Lowe's, they were unable to tap into the nationwide network of credit card files processed by the hardware store.

The very next night, the pair returned to the Lowe's parking lot in Southfield, Michigan, and the FBI again observed the driver and the passenger working their laptops.

Actual prosecution is often difficult
Even after obtaining the network log files and a modified copy of Tcpcredit, the FBI was unable to identify whom they were watching in that white Grand Prix. On November 10, 2003, the FBI arrested Timmins and Botbyl. However, the FBI soon learned they'd misidentified the passenger in the Grand Prix; Botbyl and Timmins reportedly both named Salcedo, clearing Timmins. Botbyl and Salcedo face 16 counts, including conspiracy, wire fraud, computer fraud, unauthorized computer access, intentional transmission of computer code, and attempted possession of unauthorized access devices (which includes the use of illegally obtained passwords).

Meanwhile, Timmins, who uses the nickname Noweb4u, continues to work as a computer security consultant and has become a minor Web celebrity. Botbyl entered a guilty plea and faces a possible sentence of 41 to 51 months. Salcedo also entered a guilty plea, but because of his former computer crime conviction, he could receive 12 to 15 years, a calculation also based on Lowe's losses, perceived to be in excess of $2.5 million. Actual time served may be reduced if those convicted have cooperated with the investigation or have helped to prosecute others.

But I'd be remiss in not mentioning Lowe's corporate responsibility in ensuring that its private wireless networks are not bleeding out into parking lots and adjacent properties. Apparently the Southfield, Michigan, network wasn't even WEP-enabled (an easy configuration change). Law enforcement officials can prosecute those who cross the line, as was the case here, but shouldn't consumers also be able to sue companies that are negligent with their personal information? Shouldn't Lowe's have locked down its wireless system after Timmins's initial spring of 2003 infraction? California, with its law SB1386, makes companies more responsible for protecting personal information, with stiff penalties for failure to report any compromises. If more had been done nationwide to protect consumer data, then maybe I wouldn't have had to tell this story.

Who's more at fault here, the individuals arrested or the company that got hacked twice? Talk back to me.

