Lessons Learned from the Lowe’s Hacker Brian Salcedo

Filed under Hacking

<%image(20080513-BrianSalcedo.jpg|180|216|Brian Salcedo)%>

Brain Salcedo was convicted back in 2004 of hacking the Lowe’s (a national home improvement retail chain) computer network through an unsecured wireless network. Brian and his partner found the unsecured wireless network while Wardriving. Brian’s plan was to eventually tap in and siphon off millions of credit card’s through a backdoor installed in a proprietary Lowe’s program called “tcpcredit” that Brian and his partner had modified.

Brian is currently serving out a nine year prison term even though there is no evidence that he even saw one credit card number (note that the longest federal sentence for a hacking offense was the 68 months imposed on Kevin Mitnick). During the investigation only six credit card numbers were found in the file that was created from the modified “tcpcredit” program. Ironically enough Brian seems to blame lack of fame and notoriety as to why he did what he did (he mentions the felony he was on probation for before the Lowe’s hack):

“It took awhile to work out the dilemma then consuming my head. Why did those around me get acclaim for exposing security flaws? They got hired, I was convicted of a felony. What was I doing wrong? After what seemed like a lifetime absence from computers, I decided to renege on my commitment to stay away from it and I simply relapsed into this all-out cracking binge.”

Two years later enter TJX …

Back in November of 2006 TJX disclosed that there was about 17 months of unauthorized network access resulting in the compromise of 46 million credit card accounts. To date this is the largest single breach of personal data in history. How did the TJX breach happen? Almost the same way Lowe’s got hacked…lack of wireless security. In this case TJX was using WEP which is known to be extremely vulnerable to attack. Of course there were other vulnerabilities that had to be exploited on the internal TJX LAN but the wireless network was the start. As we all know, it only takes one vulnerability to potentially bring down a network.

Two more years later enter Dave & Buster’s and Hannaford…

Just today, it was announced that Dave and Buster’s was victim to a data breach that resulted in bank losses of up to $600,000. This time apparently the attackers used “social engineering” to install packet sniffers to obtain credit card information. That’s right…social engineering. Ironically, one of the accused was apparently involved in the TJX breach (I could only find one source on this). Hopefully we find out more details in coming days about how this social engineering attack took place.

The Hannaford Supermarket breach resulted in 4.2 million credit card numbers being compromised just this year. The attackers had apparently planted malware on the servers at each of the 294 affected stores. This malware apparently sent the compromised data overseas.

While details about all of these intrusions are still coming out, one can start to see the similarities with Lowe’s, TJX, Dave & Busters and Hannaford.

Lessons Learned:

– Wireless is dangerous for retail if not properly secured. Now that WPA2 is widely available there is no reason that a retailer should not use WPA2. Interesting to note that I have reliable sources tell me that other major retailers are still using WEP to secure their wireless networks…and it’s 2008!

– Stealing data in transit within an internal company network is the new hotness! Most of this information is unencrypted until it gets to the database. In many cases it’s rather trivial to get this level of access (administrator rights on a workstation or server) to install a packet sniffer once you are on the internal network.

– Social engineering is on the rise! I wouldn’t be surprised if all it took was a simple phone call from “the IT guy” asking a store manager to install a new piece of software in the case of Dave & Busters (or Hannaford, you never know).

– If you are a criminal thinking about doing the same thing…it’s only a matter of time, you will most likely be caught and if you are a US citizen prepare to get the book thrown at you like what happened to Brian Salcedo.

– Finally, as a company don’t put all your eggs in the PCI basket! Just because you are certified PCI compliant (Hannaford) doesn’t mean you are secure!


  1. Matt says:

    A couple of years ago Paul Timmins, another defendant in the Lowe’s case, gave a presentation at Notacon called "How to Survive a Federal Investigation." I found the presentation very interesting because he discussed the case and investigation from the defendants point of view. Before this I had only heard about the case from the media and law enforcements point of view.

    The video for this presentation is online at http://www.notaconmedia.com

    I found it to be an interesting and entertaining presentation that added some depth to the Lowe’s case.


  2. Tom says:

    Just saw a WSJ blog post today talking about how TJX profits are surprisingly up considering the massive security breach of their systems.

    Basically, it seems that consumers don’t care about security breaches and only the banks that issued the credit cards are the ones tasting the pain and cleaning up the mess.

    Interesting post to say the least…


Post a Comment

Your email is never published nor shared. Required fields are marked *