[ISN] Database Hackers Reveal Tactics

InfoSec News isn at c4i.org
Thu May 26 13:10:34 EDT 2005


http://www.wired.com/news/business/0,1367,67629,00.html

By Kim Zetter
May 25, 2005

Three young hackers under investigation for unlawfully accessing
personal information on thousands of people in a LexisNexis database
have characterized their act as a cyberjoyride that got out of hand.

The hackers, ages 16, 19 and 20, spoke with Wired News by phone Monday
and said that in January and February they accessed LexisNexis data --
which included the Social Security number, birth date, home address
and driver's license number of numerous celebrities and hacker friends
-- to claim bragging rights, rather than to steal identities or sell
the information to identity thieves, as some published reports have
stated.

"We didn't use the info for bad reasons," said the 16-year-old from
Massachusetts, who goes by the handle "Cam0." "It was to have the info
and get kicks out of it."

Two law enforcement authorities involved in the LexisNexis
investigation told Wired News that they have found no evidence, so
far, to indicate that the three hackers used the data to steal
identities. They cautioned, however, that the investigation was still
underway.

The hackers, who asked Wired News not to disclose their real names
because they haven't been arrested or charged with any crime yet, are
suspects in a Secret Service investigation into the breach, called
Operation Boca Grande (Spanish for "big mouth"), which resulted in
raids last week on nine people in four states.

A number of the suspects are members of a hacking group called Defonic
Crew, who hang out on a forum at Digitalgangster.com where hackers
trade information and brag about exploits. Of the three suspects Wired
News spoke with, only Cam0 is a member of Defonic.


Hacking began with AOL

Cam0 is also a suspect in the recent security breach of socialite
Paris Hilton's T-Mobile account and was investigated last summer after
admitting to Wired News that he hacked America Online and stole AOL
Instant Messaging screen names, among other exploits. He has yet to be
charged for the AOL breaches but told Wired News on Monday that the
AOL activity, which he began in 1997, was the "gateway drug" that
emboldened him and other members of Defonic Crew to graduate to other
hacking projects.

"If there was a security breach (at AOL), we were all a part of
them.... That's how we all started," he said. "We all met up on AOL
breaking into their crap. If it wasn't for AOL none of this
(LexisNexis stuff) would have happened."

"Shasta," a hacker who knows Defonic Crew but isn't a suspect in the
LexisNexis breach, said the success of the AOL breaches made Defonic
Crew careless about not covering its tracks in LexisNexis.

"It made them feel invincible," he said. "And they weren't worried
about getting caught."

They naturally are circumspect in the face of possible consequences.

"I really wish that I hadn't been able to get access to (the
LexisNexis database)," said the 20-year-old, who lives in Rhode Island
and goes by the name "Krazed." "Curiosity gets you in trouble."

Last March, LexisNexis revealed that intruders gained access to a
database belonging to one of its subsidiaries and obtained the
personal data of as many as 310,000 people through numerous name
searches. The breach occurred at Seisint, a Florida-based company that
LexisNexis bought last year, which maintains databases for law
enforcement, legal professionals and others through a service called
Accurint.

According to the hackers, none of them knew about LexisNexis or
Seisint until they stumbled upon a Florida police officer's Seisint
account.

A friend of Krazed masqueraded as a 14-year-old girl online and
engaged a Florida police officer in a chat session, the hackers said.
The friend sent the officer an attachment, which he said was a
slideshow containing naked pictures of the girl he was pretending to
be. When the officer clicked on it, a Trojan horse downloaded silently
to his computer, which gave Krazed complete access to the computer's
files.

A law enforcement agent confirmed this general account of the breach.

Hunting for celebrities

Among the data Krazed found on the computer was a password file with
information for accessing an Accurint account. Krazed said he gave the
account info to several people who searched celebrity names like Ben
Affleck, Matt Damon and Arnold Schwarzenegger to obtain Social
Security numbers and other data.

In the meantime, a 19-year-old hacker who lives near Cam0 in
Massachusetts searched for other active Accurint accounts using a Java
script. He found an account named Null, which he later learned
belonged to a Texas police department. The hacker asked to be
identified as "Null" for this story.

Posing as a LexisNexis tech administrator, he called Seisint under the
guise of running diagnostic tests on the Null account and convinced
someone at Seisint to reset the account's password to "Null." Then he
used the account to create new accounts under the auspices of the
police department.

"A whole bunch of user names were made and people were trading them
and passing them around like candy," Null said. "It was getting real
bad."

Null said he ran only a few searches himself then closed the accounts
he created when he saw things getting out of hand. In a separate
incident, he hacked into a gay website called Manhunt.net, broke into
the site's instant messaging server and got caught by the website. The
experiences convinced him he was wasting his life, he said.

Null said he had a poor education and never made it through high
school. He realized he couldn't get a job without a degree and was
researching a program that would allow him to attend college for free.
He was hoping to study computer science and psychology.

"I just decided to stop it all. I was trying to stop being on the
internet ... and straighten out my life," he said.

He said he threw his computer, which he'd received for free, into the
ocean.

"It had a lot of things on it and I didn't want (anyone) to associate
it with me," he said.

Null said "some Russian kids" hacked into LexisNexis and erased the
records for the Null account that he'd been using so there was no
trace of it in the system.

But it was too late. In March, LexisNexis announced that intruders
breached its system and stole private data on 32,000 people -- a
figure that was later upgraded to more than 310,000 people.

On May 16, Secret Service and FBI agents conducted raids on
individuals in Minnesota, North Carolina, Massachusetts and
California, seizing computer equipment and documents. All search
warrants in the investigation have been sealed.

The experience wasn't entirely new for Cam0. A year earlier, the FBI
had raided his house for his AOL activity and seized his computer.

"I always had the feeling that with the AOL (thing) I was eventually
going to go to court," he said. But the FBI never filed charges, so
Cam0 said he got a new computer and "kept going." He said he began
hacking "away from home" so his family wouldn't know.

Null wasn't initially hit in the raids -- investigators didn't know
where he lived -- but a friend tipped him off with a phone call.
Instead of waiting for authorities to find him, he called the Secret
Service and asked them not to raid his house. Instead, he met with
them and told them what he'd done.

"They were really nice about the whole situation," Null said. "But
it's still not looking good for me."


Multiple, independent breaches?

All three hackers say they never sold LexisNexis data to anyone,
although Null and Krazed say another hacker may have sold data to
someone. This other hacker has not yet been targeted by authorities
investigating the LexisNexis breach, according to Null and Krazed.
Null said the other hacker first accessed the LexisNexis data while
based in California.

On May 17, California authorities near San Francisco did arrest three
individuals on drug charges -- one for possession of methamphetamine
with intent to sell and the others in connection with operating a
methamphetamine lab -- in an investigation that may be related to the
LexisNexis investigation. The search warrants have been sealed and
authorities aren't allowed to discuss them.

But a police press release said authorities discovered the drug
paraphernalia while executing a federal search warrant on a different
matter. And the group that executed the warrant was a high-tech task
force called REACT, for Rapid Enforcement Allied Computer Team,
composed of people from several law enforcement agencies who
investigate high-tech crimes. This indicates that the initial reason
for the search was computer-related.

Santa Clara County Deputy District Attorney Jim Sibley, project
director of REACT, didn't discount that the California arrests were
related to the hacker investigation, but said, "To my knowledge the
hacker situation in the news has no tie to what we're investigating
here."

He suggested, however, that the California arrests might involve a
separate investigation of LexisNexis breaches, since the scope of the
problem was so great.

"You start looking at an account that's been logged into 500 times and
generated 9,000 reports, for example, that's a lot of information (to
examine)," Sibley said. "I'm just saying it's not one group that's
compromised LexisNexis. Their security is really bad. This isn't a
situation where you're talking about needing an überhacker to
compromise (the system). Their passwords weren't as secure as your
average porn site. I think it didn't take a genius to break them.
Although I think the way the hackers did it was creative. We'll give
them style points."

A separate source indicated that the California investigation began
separately from the hacker investigation when a California parole
officer discovered Accurint reports in a parolee's house earlier this
year. Authorities contacted LexisNexis, which led the company to
disclose the breach in March. An investigation revealed that this
particular intrusion had begun in November.

The Secret Service was already investigating the Paris Hilton T-Mobile
hack when LexisNexis contacted the agency about its breach. A source
said that when the agency discovered that one of its T-Mobile hacking
suspects also breached LexisNexis, they launched an investigation,
separate from the California investigation, which eventually led to
the hackers.

All three of the hackers Wired News interviewed face possible fines
and criminal charges in the LexisNexis case for access device fraud
and other crimes, which can carry sentences of more than 15 years.
Cam0, as a minor, could face possible juvenile detention until the age
of 21.

When asked if he's afraid, Krazed said, "Yeah, I don't know what I'm
looking at here. It kind of just got out of hand."

Like Null, he can't afford a lawyer and will have to work with a
court-appointed attorney. "Hopefully I get lucky and get a competent
one."
