Wednesday, April 15, 2015

The DDoS Attack, the Credit Card Data and Employer Notification

In 2010, police officers discovered David Rezendes
sitting behind the wheel of a parked car in Larimer County, Colorado. Rezendes admitted he had been drinking and he was charged with driving while ability impaired. Although Rezendes entered a guilty plea, he believed the County had acted unfairly in prosecuting him because he was not actually operating the vehicle. On July 10, 2010, Rezendes was sentenced to one year probation.
U.S. v. Rezendes, 2015 WL 1475306 (U.S. Court of Appeals for the 10th Circuit 2015).
A few months later, on September 22, 20105, Rezendes
initiated a computer attack, known as a distributed denial of service attack, against the Larimer County website. During the attack, a number of computers directed packets of data containing vulgar and derogatory messages toward the county's servers. The volume of these data packets was such that it overwhelmed the servers, disrupting county operations. County employees were unable to access email, court records, and other internet-enabled functions. In addition, the public was unable to access the Larimer County website for a period of time due to the attack.

Authorities traced the attack to computers owned by Rezendes and obtained a search warrant for his residence. During the search, officers seized several computers, flash drives, and recordable discs. The subsequent examination of these computers and memory devices revealed that computers owned by Rezendes had remotely controlled other vulnerable computers and directed them to perpetrate the attack. Authorities determined that Rezones’ computers also scanned these vulnerable computers for credit card information and login credentials.
U.S. v. Rezendes, supra.  You can read more about the DDoS attack in the press release you can find here. You can read more about how Rezendes was identified as the person responsible for the attack in this story.
The authorities’ search of Rezendes’ computer
uncovered text files containing credit card data pertaining to 137 accounts. Rezendes also possessed images and schematics of gas station credit card readers and a device designed to capture credit card information at gas pumps. And authorities discovered images of federal and state identification documents, a tutorial on how to create false identification documents, and an identification card printer during the search.
U.S. v. Rezendes, supra. 
He eventually pled guilty to
one count of intentionally damaging protected computer equipment in violation of 18 U.S. Code § 1030(a)(5)(A), (c)(4)(B) and one count of possessing unauthorized access devices in violation of 18 U.S. Code § 1029(a)(3), (c)(1)(A)(i). He was sentenced to eighteen months' imprisonment, to be followed by three years' supervised release.

The court imposed both standard and special conditions on Rezones’ supervised release. Relevant to this appeal, standard condition 13 required Rezendes to `notify third parties of risks that may be occasioned by [his] criminal record or personal history or characteristics’ and also authorized the parole officer to make such notifications.
U.S. v. Rezendes, supra. 
Once he began serving his
term of supervised release in February 2014, Rezendes moved to modify and clarify several of the conditions imposed by the district court, including Condition 13. In particular, Rezendes objected to his probation officer's interpretation of Condition 13 as requiring Rezendes to notify prospective employers of the nature of his conviction.

Rezendes asked the court to clarify that it had not intended Condition 13 to require employer notification. As support for his interpretation of Condition 13, Rezendes noted that the district court had not entered the express findings that would have been required if it had intended to impose an occupational restriction.
U.S. v. Rezendes, supra. 
The prosecution argued, in response to Rezendes’ contentions, that
employer notification was necessary and proposed that Condition 13 be modified accordingly. But the Government agreed with Rezendes that a condition of employer notification is an occupational restriction that must be supported by particularized findings as described in section 5F1.5 of the U.S. Sentencing Guidelines (Guidelines).

It therefore asked the court to make the required findings and to modify Condition 13 to state expressly that Rezendes must `notify 3rd parties (including employers) of risks involving computers and credit card information that may be occasioned by the defendant's criminal record.’
U.S. v. Rezendes, supra. 
The District Court Judge who had the case held a hearing on the modification issue and
agreed to modify the condition, but declined to adopt the Government's proposed language. The court concluded the term `3rd parties’ in the Government's proposal made little sense when the condition was aimed at employers. It also determined the term `risks’ as used in the Government's proposal was too vague. Accordingly, the court modified Condition 13 to read:

`[F]or two years after this date, the defendant shall notify employers of his conviction and the nature of his conviction involving computers and credit card information that may be occasioned by the defendant's criminal record or personal history or characteristics and shall permit the probation officer to make such notifications and to confirm the defendant's compliance with such notification requirement.’
U.S. v. Rezendes, supra. 
Rezendes appealed, arguing that “the district court's findings at the modification hearing do not satisfy the requirements of U.S.S.G. § 5F1.5.” U.S. v. Rezendes, supra. The Court of Appeals began its analysis of Rezendes’ argument on appeal by explaining that
[i]f a defendant objects to a condition of supervised release at the time it is imposed, we review for abuse of discretionU.S. v. Mike, 632 F.3d 686 (U.S. Court of Appeals for the 10th Circuit 2011). But if the defendant fails to object, we review only for plain error.  U.S. v. Mike, supra. In this case, Rezendes raised no objection to the district court's findings during the modification hearing.
U.S. v. Rezendes, supra.  The Court of Appeals therefore applied the plain error standard of review.  U.S. v. Rezendes, supra. 
It began its analysis of Rezendes’ argument by noting that “plain error” occurs      
`when there is (1) error, (2) that is plain, which (3) affects the defendant's substantial rights, and which (4) seriously affects the fairness, integrity, or public reputation of judicial proceedings.’ U.S. v. Mendoza–Lopez, 669 F.3d 1148 (U.S. Court of Appeals for the 10th Circuit 2012). As explained below, even assuming the district court erred, any such presumed error was not plain. . . .
U.S. v. Rezendes, supra. 
The Court of Appeals went on to point out that U.S. District Court Judges have
broad discretion to impose conditions of supervised release, but this discretion must be exercised in accordance with 18 U.S. Code §§ 3583(d) and 3563(b), as well as applicable provisions of the [U.S. Sentencing] Guidelines. U.S. v. Wittig, 528 F.3d 1280 (U.S. Court of Appeals for the 10th Circuit 2008). 

Section 3583(d) authorizes the court to impose `any condition set forth as a discretionary condition of probation in section 3563(b).’ In turn, § 3563(d)(5) allows the court to order that the defendant `refrain . . . from engaging in a specified occupation, business, or profession bearing a reasonably direct relationship to the conduct constituting the offense, or engage in such a specified occupation, business, or profession only to a stated degree or under stated circumstances.’ Section 5F1.5 of the Guidelines implements these statutory provisions. . . .
U.S. v. Rezendes, supra. 
The Court of Appeals goes on to explain that Section 5F1.5 of the Guidelines
permits the imposition of occupational restrictions only if the court determines that:
(1) a reasonably direct relationship existed between the defendant's occupation, business, or profession and the conduct relevant to the offense of conviction; and(2) imposition of such a restriction is reasonably necessary to protect the public because there is reason to believe that, absent such restriction, the defendant will continue to engage in unlawful conduct similar to that for which the defendant was convicted.
U.S.S.G. § 5F1.5(a).  Section 5F1.5 further requires that `the court shall impose the [occupational restriction] for the minimum time and to the minimum extent necessary to protect the public.’ Section 5F1.5(b).`Thus, an occupational restriction, such as an employer notification requirement, may only be imposed if the district court finds that all three of these criteria are met.’ U.S. v. Souser, 405 F.3d 1162 (U.S. Court of Appeals for the 10th Circuit 2005).
U.S. v. Rezendes, supra. 
It goes on to explain that “[i]n response” to the prosecution’s request at the 
modification hearing for specific findings related to the § 5F1.5 factors, the district court stated, with our emphasis,
`What the facts in this case demonstrate to this Court, of particular relevance now, are two things: first, that Mr. Rezendes is a very skilled and resourceful computer literate, technical type person who can do things with and through computers that the average person cannot do. He's perfectly capable of hacking into a computer or computer system and has demonstrated that he can do that.’ `And secondly, the case demonstrated that he was ready, willing, and able to use that skill to accomplish harm to a third party, in that case Larimer County.’ `The responsibility of the Court extends to the protection of the community, and that would include employers. The fact that Mr. Rezendes has not used his skills nefariously vis-à-vis an employer does not give me confidence that he cannot or will not do that if, for example, the employer rubs him the wrong way. I hope that that is not his intent, but it is a concern that the probation office had, it is a concern that the Court had and has, and a concern that the Court feels a responsibility to act upon.’
U.S. v. Rezendes, supra (emphasis in the opinion).
The Court of Appeals noted that Rezendes argued that the findings above “are plainly inadequate under § 5F1.5”, but it was “not convinced.”  U.S. v. Rezendes, supra.  The court went on to explain that
Rezendes argues the findings do not indicate the district court had a reason to believe he would re-offend, absent the restriction; instead, they merely reflect the court's concern he might re-offend. According to Rezendes, this is insufficient to meet the requirements of § 5F1.5. 
U.S. v. Rezendes, supra (emphasis in the opinion).
The Court of Appeals then pointed out that the modification hearing transcript
does not support Rezones’ claim that any presumed deficiency in the findings was plain. The court first invoked its responsibility to protect the public, including employers, and then indicated it did not have confidence Rezendes would refrain from a cyber attack on his employer if angered. The court went on to state that this risk of another cyber attack `is a concern that the Court had and has, and a concern that the Court feels a responsibility to act upon.’

Specifically, the district court stated, `The fact that Rezendes has not used his skills nefariously vis-à-vis an employer does not give me confidence that he cannot or will not do that if, for example, the employer rubs him the wrong way.’ Although the district court could have stated its finding more clearly, they can be reasonably interpreted to express a belief that if angered, Rezendes will reoffend. And Rezendes has pointed us to nothing in our precedent which should have made it obvious to the district court that its findings were plainly erroneous.
U.S. v. Rezendes, supra. 
Finally, the Court of Appeals went on to explain that the District Court Judge
acknowledged that Rezones’ offense was not against an employer. But the court went on to explain that, because Rezendes committed his crime in retaliation for treatment he perceived to be unfair, the court was concerned Rezendes would commit similar acts against an employer if he perceived that the employer had treated him unfairly. The court observed that its duty to protect the public, including employers, justified the requirement that Rezendes notify future employers of the nature of his conviction. . . .

[T]he district court found that it was not convinced that Rezendes `cannot or will not’ use his computer skills nefariously against an employer. . . . Accordingly, the district court did not plainly err in imposing the occupational restriction at issue.
U.S. v. Rezendes, supra.  The Court of Appeals therefore affirmed the District Court Judge’s imposition of the occupational restriction.  U.S. v. Rezendes, supra.  

1 comment:

Bob Dos said...

Very informative blog... thanks for sharing. I want to recommend Ddoscube who deals with anti-DDoS attack products .. please visit at http://ddoscube.com/