Friday, August 06, 2004

Romanian Hacker and Friends Indicted

A friend and former Foundstone colleague informed me of the indictment of a Romanian (Calin Mateias, 24, of Bucharest) and five Americans for conspiring to steal more than $10 million US in computer equipment from Ingram Micro of Santa Ana, California. I worked this case two years ago as a Foundstone consultant and helped detect and remove the intruder's X-based back doors from Ingram Micro systems.

I commend Ingram Micro for publicly pursuing these intruders in court. This is one of the best ways to encourage other companies to go forward with prosecution, which is a form of deterrence. This CRN article says Ingram Micro is trying to reassure its value added resellers that its systems are secure. While I worked there, Ingram Micro was outsourcing its IT services to ACS, but security remained a "core competency" handled by Ingram Micro employees. As far as I am concerned, Ingram Micro handled the intrusions properly. I was very impressed by the way their CIO decided to take essentially whatever actions were necessary to remove the intruder from his network. This is one of the few times I've seen a CIO "get it."

Looking at IM's stock chart, the company seems to have taken a slight hit these past few days. The whole market has done poorly recently, so I don't attribute IM's performance to the hacker stories.

This case has appeared at, so the public will be able to track its progress. At least one of the case studies in my The Tao of Network Security Monitoring: Beyond Intrusion Detection is based on my experience responding to this intrusion.

This InternetNews article says:

"According to officials at the Department of Justice (DoJ), the case was handled by the FBI cyber crimes squad, the Romanian National Police, 14 FBI field offices and the FBI's legal attache office in Bucharest.

Brian Hoffstadt, assistant U.S. Attorney at the DoJ, said authorities are working with the Romanian government to decide whether Mateias will be tried in Romania or extradited to the United States to face charges.

'It's just a decision that hasn't been made yet -- which justice system is going to prosecute him,' he said.

Hoffstadt said there is still work to be done regarding the sentencing and fines that will be assessed against the defendants if they should lose their case. Mateias, if charged in a U.S. court, could get up to 90 years in prison and fined to repay Ingram Micro as well as other damages. The five Americans could face between five and 35 year prison sentences if convicted. More information will become available at the arraignment later this month."

During the incident response, I was asked when Ingram Micro would be "secure." I said they would be secure when the threat was eliminated. This could only be done via an arrest, prosecution, and conviction. Too many security professionals focus on the vulnerability side of the "risk = threat X vulnerability X asset value" equation. Sure, vulnerability is the one factor that administrators hope to control, but they can decrease the threat by supporting legal action against intruders. Ingram Micro understood this and I'm glad they worked with the authorities to arrest these perpetrators.
