The playground bullies are learning how to type.
(Computer hacker crime wave.)
William G. Flanagan
Dec 21 1992, v150, n14, p184(6)
COPYRIGHT Forbes Inc. 1992
Leonard Rose, a 33-year-old computer consultant and father of two, is also a felon. He recently completed 8 1/2 months in a federal prison camp in North Carolina, plus 2 months in a halfway house. His crime? Passing along by computer some software code filched from Bell Labs by an AT&T employee. Rose, who now lives in California, says he is still dazed by the harsh punishment he received. “The Secret Service,” he says, “made an example of me.”
Maybe so. But if so, why are the cops suddenly cracking down on the hackers? Answer: because serious computer crime is beginning to reach epidemic proportions. The authorities are struggling to contain the crimes, or at least slow their rapid growth.
Rose agrees the hacker world is rapidly changing for the worse. “You’re getting a different sort of person now,” he says of the hacker community. “You’re seeing more and more criminals using computers.”
One well-known veteran hacker, who goes by the name Cheshire Catalyst, puts it more bluntly: “The playground bullies are coming indoors and learning how to type.”
Rose and the Cheshire Catalyst are talking about a new breed of computer hackers. These aren’t just thrill-seeking, boastful kids, but serious (if boastful) cybercrooks. They use computers and telecommunications links partly for stunt hacking–itself a potentially dangerous and costly game–but also to steal valuable information, software, phone service, credit card numbers and cash. And they pass along and even sell their services and techniques to others–including organized crime.
Hacker hoods often exaggerate their escapades, but there is no doubt that their crimes are extensive and becoming more so at an alarming rate. Says Bruce Sterling, a noted cyberpunk novelist and author of the nonfiction The Hacker Crackdown (Bantam Books, 1992, $23): “Computer intrusion, as a nonprofit act of intellectual exploration and mastery, is in slow decline, at least in the United States; but electronic fraud, especially telecommunications crime, is growing by leaps and bounds.”
Who are these hacker hoods and what do they do for a living? Take the 19-year-old kid who calls himself Kimble–he is a very real person, but for reasons that will become clear, he asks us to mask his identity.
Based in Germany, Kimble is the leader of an international hacker group called Dope. He is also one of the most celebrated hackers in his country. He has appeared on German TV (in disguise) and is featured in the December issue of the German magazine Capital.
From his computer terminal, Kimble spends part of each day cracking PBX systems in the U.S., a lucrative form of computer crime. PBXs are the phone systems businesses own or lease. Hackers break into them to steal access numbers, which they then resell to other hackers and, increasingly, to criminals who use the numbers to transact their business. These are hardly victimless crimes; businesses that rightfully own the numbers are expected to pay the billions of dollars of bogus phone bills charged on their stolen numbers each year (Forbes, Aug. 3).
Kimble, using a special program he has written, claims he can swipe six access codes a day. He says he escapes prosecution in Germany because the antihacking laws there are more lax than in the U.S. “Every PBX is an open door for me,” he brags, claiming he now has a total of 500 valid PBX codes. At Kimble’s going price of $200 a number, that’s quite an inventory, especially since numbers can be sold to more than one customer.
Kimble works the legal side of the street, too. For example, he sometimes works for German banks, helping them secure their systems against invasions. This might not be such a hot idea for the banks. “Would you hire a former burglar to install your burglar alarm?” asks Robert Kane, president of Intrusion Detection, a New York-based computer security consulting firm.
Kimble has also devised an encrypted telephone that he says cannot be tapped. In just three months he says he has sold 100.
Other hacker hoods Forbes spoke to in Europe say they steal access numbers and resell them for up to $500 to the Turkish mafia. A solid market. Like all organized crime groups, they need a constant supply of fresh, untraceable and untappable telephone numbers to conduct drug and other illicit businesses.
Some crooked hackers will do a lot worse for hire. For example, one is reported to have stolen an East German Stasi secret bomb recipe in 1989 and sold it to the Turkish mafia. Another boasted to Forbes that he broke into a London police computer and, for $50,000 in deutsche marks, delivered its access codes to a young English criminal.
According to one knowledgeable source, another hacker brags that he recently found a way to get into Citibank’s computers. For three months he says he quietly skimmed off a penny or so from each account. Once he had $200,000, he quit. Citibank says it has no evidence of this incident and we cannot confirm the hacker’s story. But, says computer crime expert Donn Parker of consultants SRI International: “Such a ‘salami attack’ is definitely possible, especially for an insider.”
The tales get wilder. According to another hacker hood who insists on anonymity, during the Gulf war an oil company hired one of his friends to invade a Pentagon computer and retrieve information from a spy satellite. How much was he paid? “Millions,” he says.
Is the story true? The scary thing is, it might well be.
No one knows for sure just how much computer crime costs individuals, corporations and the government. When burned, most victims, especially businesses, stay mum for fear of looking stupid or inviting copycats. According to Law and Order magazine, only an estimated 11% of all computer crimes are reported.
Still, the FBI estimates annual losses from computer-related crime range from $500 million to $5 billion.
The FBI is getting more and more evidence that the computer crime wave is building every day. Computer network intrusions–one way of measuring attempted criminal cracking of computer systems–have risen rapidly. According to USA Research, which specializes in analyzing technology companies, hacker attacks on U.S. workplace computers increased from 339,000 in 1989 to 684,000 in 1991. It’s estimated that by 1993, 60% of the personal computers in the U.S. will be networked, and therefore vulnerable to intrusion.
While companies dislike talking about being ripped off by hackers, details sometimes leak out. In 1988, for instance, seven men were indicted in U.S. federal court in Chicago for using phony computer-generated transactions to steal $70 million from the accounts of Merrill Lynch, United Airlines and Brown-Forman at First National Bank of Chicago. Two pled guilty; the other five were tried and convicted on all counts.
According to generally reliable press reports, here are some other ways computer criminals ply their trade:
* In 1987 Volkswagen said it had been hit with computer-based foreign-exchange fraud that could cost nearly $260 million.
* A scheme to electronically transfer $54 million in Swiss francs out of the London branch of the Union Bank of Switzerland without authorization was reported in 1988. It was foiled when a chance system failure prompted a manual check of payment instructions.
* Also in 1988, over a three-day period, nearly $350,000 was stolen from customer accounts at Security Pacific National Bank, possibly by automated teller machine thieves armed with a pass key card.
* In 1989 IRS agents arrested a Boston bookkeeper for electronically filing $325,000 worth of phony claims for tax refunds.
* In 1990 it was reported that a Malaysian bank executive cracked his employer’s security system and allegedly looted customer accounts of $1.5 million.
* Last year members of a ring of travel agents in California got two to four years in prison for using a computer reservation terminal to cheat American Airlines of $1.3 million worth of frequent flier tickets.
U.S. prosecutors say that members of a New York hacker group called MOD, sometimes known as Masters of Deception, took money for showing 21-year-old Morton Rosenfeld how to get into the computers of TRW Information Services and Trans Union Corp. Caught with 176 credit reports, Rosenfeld admitted selling them to private investigators and others. In October he was sentenced to eight months in prison.
The newest form of cybercrime is extortion by computer–give me money or I’ll crash your system. “There’s no doubt in my mind that things like that are happening,” says Chuck Owens, chief of the FBI’s economic crime unit. But Owens won’t talk about ongoing cases.
Many hackers are young, white, male computer jocks. They include genuinely curious kids who resent being denied access to the knowledge-rich computer networks that ring the globe, just because they can’t afford the telephone access charges. (To satisfy their needs in a legitimate way, two smart New York young hackers, Bruce Fancher and Patrick Kroupa, this year started a widely praised new bulletin board called MindVox — modem: 212-988-5030. It’s cheap and allows computer users to chat, as well as gain access to several international computer networks, among other things.)
Then there are the stunt hackers. Basically these are small-time hoods who crash and occasionally trash supposedly secure computer networks for the sheer fun of it. They swap and sell stolen software over pirate bulletin boards. One of these hackers sent Forbes an unsolicited copy of MS-DOS 6.0–Microsoft Corp.’s new operating system, which isn’t even scheduled to be on the market until next year. It worked fine. (We first had it tested for viruses with Cyberlock Data Intelligence, Inc. in Philadelphia, an electronic data security firm with a sophisticated new hardware-based system that’s used to detect viruses.)
The more malicious stunt hackers like to invade company voice mail systems and fool around with so-called Trojan horses, which can steal passwords and cause other mischief, as well as viruses and other computer-generated smoke bombs, just to raise hell.
This kind of hacking around can wreak tremendous damage. Remember Robert Tappan Morris? In 1988 Morris, then a 22-year-old Cornell University grad student, designed a worm computer program that could travel all over computer networks and reproduce itself indefinitely. Morris says he meant no harm. But in November 1988 Morris released the worm on the giant Internet computer network and jammed an estimated 6,000 computers tied into Internet, including those of several universities, NASA and the Air Force, before it was stopped. Damages were estimated as high as $185 million.
That event was something of a watershed for the law enforcement people. In 1990 Morris was one of the first hackers to be convicted of violating the Computer Fraud and Abuse Act of 1986. He could have been sentenced to five years in prison and a $250,000 fine. Instead, Morris got just three years’ probation, a $10,000 fine, 400 hours of community service and had to pay his probation costs. Today he’d probably be thrown in the slammer.
After the curious kids and the stunt hackers, a third element in the hacker underworld is made up of members of organized crime, hard-core cybercrooks, extortionists, shady private investigators, credit card cheats, disgruntled ex-employees of banks, telephone and other companies, and various computer-savvy miscreants. These are computer thugs who hack for serious dollars, or who buy other crooked hackers’ services and wares.
One of the peculiarities of hackers is that many cannot keep their mouths shut about their illegal exploits. They boast on their underground bulletin boards and in their publications about all the nasty things they can, and occasionally do, pull off. They brag to the press and even to the authorities. Witness Germany’s Kimble and the many other hacker hoods who talked to Forbes for this article.
Over their own underground bulletin boards, hackers have brazenly broadcast all kinds of gossip, software and trophy files brought back like scalps from intrusions into other people’s computers. The most infamous example is the 911 file purloined from BellSouth, which prosecutors said had key information about the vital 911 emergency telephone network. The file turned out to be far less valuable than alleged. Nonetheless, its theft and, later, its mere possession got a whole raft of hackers–including a group called the Legion of Doom–in big trouble. Over the past three years, several of them have been busted and their computer equipment seized. A few drew stiff jail terms.
The hackers even have their own above-ground magazines. One, 2600, the Hacker Quarterly, is sold on newsstands. In the current issue, there is an article on how to crack COCOTS, customer-owned, coin-operated telephones, and get free long distance service. While the publisher of 2600 advises readers not to try such schemes, the easy-to-follow instructions are right there, in black and white.
The publisher of 2600, Eric Corley (alias Emmanuel Goldstein), claims that he is protected by the First Amendment. But readers who follow some of the instructions printed in 2600 magazine may find themselves in deep trouble with law enforcement. Notes senior investigator Donald Delaney, a well-known hacker tracker with the New York State Police: “He hands copies out free of charge to kids. Then they get arrested.”
An even bolder magazine, Hack-Tic, is published by Rop Gonggrijp in Amsterdam, a hacking hotbed thanks in part to liberal Dutch laws. Hack-Tic is something like 2600, but with even more do-it-yourself hacking information. The hacker hoods stage their own well-publicized meetings and conventions, which are closely watched by the authorities.
On the first Friday of every month, for example, at six cities in the U.S., 2600 magazine convenes meetings where hackers can, in the words of the magazine itself, “Come by, drop off articles, ask questions, find the undercover agents.” Forbes dropped by 2600’s Nov. 6 meeting in New York. It was held in the lobby of the Citicorp Center on Lexington Avenue, a sort of mini urban mall, with lots of pay phones–phones are to hackers what blood vessels are to Dracula.
On this particular Friday the two or three dozen attendees consist mainly of teenage boys and young men wearing jeans and T shirts and zip-up jackets. Most are white, though there are some blacks and Asians. Most of these young people pretty much resemble the kids next door–or the kids under your own roof. A few look furtive, almost desperate.
Moving easily among the kids are a few veteran hackers–and, watching them, some well-known hacker trackers, sometimes even New York State Police’s Don Delaney. He might lurk on one of the upper levels of the Citicorp Center or stroll past the pay phones looking for a suspect wanted in New York. Don’t the suspects stay away? Not necessarily. At one meeting Delaney walked right past three young men he had arrested, and not one of them even noticed him. “They’re in their own world,” he explains.
On the edge of the crowd stands a slight, intense young man wearing an earring and a neatly folded blue bandana around his head. Twenty-year-old Phiber Optik, as he calls himself, is currently under federal indictment in New York, charged with sundry computer crimes. According to federal authorities, he and other members of the hacker group called MOD sold access to credit reporting services and destroyed via computer a television station’s educational service, among other things. Phiber Optik claims that he’s innocent.
As the group grows, 2600 publisher Corley makes a dramatic entrance. He looks as if he’s in his mid-30s and wears 1960s-style long black hair. A baby-faced assistant stands at his side, selling T shirts and back issues of 2600 magazine.
Now and then Corley darts to the pay phones to take phone calls from other hacker meetings around the world. After taking one call he turns around with a worried look. He has just heard that the 2600 meeting at a mall in Arlington, Va. was busted by mall security and the Secret Service. Authorities there demanded the names of the two dozen or so attendees, confiscated their bags containing printouts and computer books, and booted them out of the mall.
The group in Arlington was lucky compared with what happened to some hackers attending “PumpCon,” a hacker convention held at the Courtyard by Marriott in Greenburgh, N.Y., over the recent Halloween weekend. Responding to a noise complaint, the police arrived, then got a search warrant and raided the hackers’ rooms. The cops confiscated computer equipment and arrested four conventioneers for computer crimes. Three were held in lieu of $1,000 bail. No bail was set for the fourth, a 22-year-old wanted for computer fraud and probation violation in Arizona.
Around the country, computer users of every stripe are growing concerned that law enforcement officials, in their zeal to nail bigtime cybercrooks and computer terrorists, may be abusing the rights of other computer users. In some cases, users have been raided, had their equipment confiscated, yet years later still have not been charged with any wrongdoing–nor had their equipment returned.
In 1990 Lotus Development founder Mitchell Kapor and Grateful Dead lyricist John Perry Barlow, with help from Apple Computer cofounder Stephen Wozniak and John Gilmore, formerly of Sun Microsystems, started a nonprofit group called the Electronic Frontier Foundation (EFF). Its aim is to defend the constitutional rights of all computer users.
But if you know someone who likes to hack around, pass along this advice to her or him: While it is a common myth among hackers that the authorities will let them go if they reveal how they accomplished their mischief, the days of such benign treatment have disappeared as the computer crime wave has built.
“If it’s a crime, it’s a crime,” warns the New York State Police’s Don Delaney. “The laws are there for a good reason. For the most part, law enforcement is just reacting to complaints from victims.”