http://www.wired.com/news/technology/0,71358-0.html By Kevin Poulsen July 11, 2006 A federal appeals court upheld a nine-year prison term Monday for a hacker who tried and failed to steal customer credit-card numbers from the Lowe's chain of home improvement stores. Brian Salcedo, now 23, has been in custody since 2003, when an FBI stakeout caught him and a partner breaking into several Lowe's networks over an unsecured Wi-Fi connection at a suburban Detroit store. Under Monday's ruling, Salcedo will not be eligible for release until May 2011. Assistant U.S. attorney Matthew Martens, who prosecuted the case, said the sentence is long, but appropriate. "I hope it achieves, not only justice in this case, but deterrence to other people thinking about doing something similar," Martens said. Salcedo's partner in the abortive caper, 22-year-old Adam Botbyl, has less than two months left on a sentence of 26 months for his role in the plot. After serving most of that time in custody, Botbyl is now in a halfway house in Detroit. According to court records, Botbyl stumbled across the unsecured wireless network at the Southfield, Michigan, Lowe's in the spring of 2003, while he and a roommate were wardriving the area in search of Wi-Fi hot spots. He returned six months later with Salcedo, who was on the last month of a three-year probation term from a juvenile computer crime conviction. Together, the pair discovered they could jump from the Southfield Lowe's to the company's central data center in North Carolina, and from there to the local networks at stores around the country. Lowe's detected the intrusions and called in the FBI, who staked out the store parking lot. The agents eventually spotted Botbyl's Pontiac Grand Prix, bristling with antennas and occupied by two young men typing on laptops. The agents watched them work for 20 minutes, then trailed them to a Little Ceasar's pizza restaurant and a local multiplex, while Lowe's security team worked to figure out what the hackers had done. They discovered that at two of the stores -- in Long Beach, California, and Gainseville, Florida -- the pair had modified a proprietary piece of software called "tcpcredit" that Lowe's used to handle credit-card transactions, changing the program so it would stash customer's credit-card numbers where the hackers could retrieve them later. The program had collected only six credit-card numbers when it was discovered. The FBI arrested Salcedo, Botbyl and -- apparently mistakenly -- Botbyl's roommate, Paul Timmins, who later pleaded guilty to a misdemeanor for using the Wi-Fi network to check his e-mail. Salcedo and Botbyl pleaded guilty to conspiracy and computer fraud in plea agreements with prosecutors. Though there's no evidence either man saw a single stolen credit-card number, and despite cooperating to help Lowe's boost its security after his arrest, Salcedo was sentenced to what the government described at the time as the longest U.S. prison term for a hacker in history. The sentence was largely based on the amount of harm that would have resulted had the plan succeeded. On appeal Salcedo's lawyer argued that the hacker's sentence should have been commensurate with the actual damage he caused, but on Monday a three-judge panel of the U.S. 4th Circuit Court of Appeals disagreed. "We find that the district court did not err in using Salcedo's admitted intentions to harm 250 or more victims and to traffic the stolen information to enhance his sentence," the decision reads. The prison term far outstrips the sentences handed down for more successful online thieves. For example, last month 24-year-old Andrew Mantovani, one of the leaders of the Shadowcrew fraud ring, was sentenced to 32 months in prison after admitting to using phishing and spamming techniques to steal credit-card numbers, which he used to make online purchases. Salcedo's attorney did not return a phone call Monday. Reached by phone, Timmins said Salcedo's and Botbyl's ultimate plan was to install the hacked tcpcredit code at all the Lowe's outlets, tapping into a torrent of credit-card data. "It was serious," he said. But he still wasn't expecting the sentence to survive appeal. "I'm just kind of surprised that they upheld it," he said. "That's an incredibly long time." _________________________________ Attend the Black Hat Briefings and Training, Las Vegas July 29 - August 3 2,500+ international security experts from 40 nations, 10 tracks, no vendor pitches. www.blackhat.com
This archive was generated by hypermail 2.1.3 : Tue Jul 11 2006 - 22:52:15 PDT