'Guccifer' Hacker Sentenced to 52 Months

Romanian Demonstrated Vulnerability of Web-Based Accounts

A 44-year-old former Romanian taxi driver with few hacking skills but a knack for guessing his way into the email and social media accounts of celebrities and politicians has been sentenced to serve 52 months in U.S. federal prison.

Marcel Lehel Lazar, who went by the online nickname "Guccifer," pleaded guilty May 25 in U.S. District Court for the Eastern District of Virginia to aggravated identity theft and unauthorized access to a computer.

Lazar's escapades drew attention to the vulnerability of web-based email accounts through low-tech attack methods. He targeted Gmail, Yahoo, Facebook and AOL accounts used by nearly 100 prominent people, gaining access through weak passwords and then accessing their correspondence.

At Lazar's Sept. 1 sentencing, U.S. District Judge James C. Cacheris said a tough penalty was merited to serve as a deterrent as the U.S. grapples with ongoing cyberattacks, according to The Washington Post (see The Myth of Cybercrime Deterrence).

Among the victims were former Secretary of State Colin Powell and the sister of former President George W. Bush. Lehel released emails and sensitive information from accounts, and in the case of Bush, photographs of self-portraits he'd painted, including one of himself in the bathtub.

Lazar also revealed that Democratic presidential nominee Hillary Clinton used a private email address while secretary of state, fueling a continuing email scandal that plagues her campaign.

Repeat Offender

U.S. prosecutors indicted Lazar in June 2014 just after he was sentenced to four years in Romania for similar offenses. His targets in that country included the former director of Romania's intelligence service, George Cristian Maior.

He was released early to face the U.S. charges and was extradited in April of this year. The U.S. indictment covers Lazar's activity between October 2012 and January 2014. Lazar released information from compromised accounts, including medical and financial information, prosecutors say.

Lazar caused a stir when he spoke to NBC News from a maximum security prison in Bucharest prior to his extradition. In the interview, broadcast in May following his extradition, he made an unsubstantiated claim that he accessed Clinton's private email server and downloaded some material.

Lazar told the broadcaster: "It was like an open orchid on the internet, as many such servers are. There were hundreds of folders with boring stuff, political boring stuff. It was not what I was looking for." The claim was called into question because, unlike other accounts he breached, Lazar didn't release material from Clinton's server.

He said he discovered Clinton's private email address, hdr22@clintonemail.com, after compromising the email account of Sidney Blumenthal, a longtime adviser to the Clinton family. Lazar, who denied working for a foreign government, passed emails to the Smoking Gun website and Russian state-sponsored broadcaster RT.

Lazar, whose nickname is a portmanteau of Gucci and Lucifer, said during the interview he executed the compromises with a cheap computer and a mobile phone. His intrusions, he said, were intended to expose the Illuminati.

Even if his claim of downloading Clinton material was a fib, it caused even more trouble for the U.S. presidential candidate as she defended the use of a private email server for government business.

Followed by Guccifer 2.0

Guccifer's notoriety prompted another hacker to borrow his moniker this year. In June, someone going by the nickname "Guccifer 2.0" claimed to be the sole hacker who breached the Democratic National Committee's systems. Like the original Guccifer, the successor also released sensitive documents (see Lone Hacker Claims to Have Breached DNC).

Guccifer 2.0 claimed to be Romanian, but the person didn't speak Romanian that well, according to the news site Motherboard. The U.S. government and private security companies suspect Russian intelligence may be behind the Democratic Party hacks, but the country has denied involvement (see Report: Russia's 'Best' Hackers Access DNC's Trump Research).

Password Management Lessons Learned

Although the authentication weaknesses of web-based systems are well known within computer security circles, Lazar's demonstrations from rural Romania brought those faults widespread attention.

It would be nearly impossible these days to be a digital citizen without using web-based servers that authenticate through logins and passwords. The usual mitigation advice continues to apply: Use a strong, unique password and implement two-factor authentication, preferably not over SMS.

Some web services, such as Dropbox and Facebook, can send alerts of a successful login from a never-seen-before device. Sometimes those alerts aren't on by default, though, and need to be activated.

It's also helpful to use a password manager, which makes it feasible to set a unique strong password for many web accounts without having to remember many of them. Most of those applications have password generators, which makes creating strong ones painless.

Of course, that advice applies not just to celebrities and politicians who may be targeted by future Guccifers, but to any internet user.


About the Author

Jeremy Kirk

Managing Editor, Security and Technology, ISMG

Jeremy Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.



