[118578] in Cypherpunks


IP: Unplugged! The biggest hack in history

daemon@ATHENA.MIT.EDU (Robert Hettinga)
Sun Oct 3 08:31:17 1999

Mime-Version: 1.0
Message-Id: <v04210107b41cf645c9b5@[207.244.110.174]>
Date: Sun, 3 Oct 1999 08:02:18 -0400
To: cypherpunks@cyberpass.net
From: Robert Hettinga <rah@shipwright.com>
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
Reply-To: Robert Hettinga <rah@shipwright.com>


--- begin forwarded text


From: "Dan S" <ds1999@subdimension.com>
To: "IP" <ignition-point@precision-d.com>
Subject: IP: Unplugged! The biggest hack in history
Date: Sat, 2 Oct 1999 16:53:27 -0400
Sender: owner-ignition-point@precision-d.com
Reply-To: "Dan S" <ds1999@subdimension.com>

From ZDNet,
http://www.zdnet.com/zdnn/stories/news/0,4586,2345639,00.html?chkpt=hpqsnews
Unplugged! The biggest hack in history

The 'Phonemasters' tapped into the nation's power grid, obtained private
White House numbers and rooted around credit-reporting agencies. Here's how
accountant-turned-sleuth Michael Morris cracked the case.

By John Simons, WSJ Interactive Edition
October 1, 1999 8:54 AM PT

DALLAS -- In a federal courtroom here, Calvin Cantrell stands silently,
broad shoulders slouched. His lawyer reads from a short letter he has
written:

"My parents taught me good ethics, but I have departed from some of these,
lost my way sometimes," the letter states. "I was 25 and living at home. No
job, and no future... . All I ever really wanted was to work with
computers."

Cantrell certainly did work with computers -- both his own, and,
surreptitiously, those of some of the largest companies in the world. He was
part of a ring of hackers that pleaded guilty here to the most extensive
illegal breach of the nation's telecommunications infrastructure in
high-tech history.

And sitting behind him in court as he was sentenced two weeks ago was the
accountant-turned-detective who caught him: Michael Morris. A decade
earlier, Morris, bored with accounting work, left a $96,000 job at Price
Waterhouse and enrolled in the FBI academy, at $24,500 a year. Cantrell's
sentencing was the final act in a five-year drama for Morris, and secured
his reputation as the FBI's leading computer gumshoe.

The tale of Morris and Cantrell is among the first cops-and-robber stories
of the New Economy, involving, among other things, the first-ever use of an
FBI "data tap." It illustrates how the nation's law-enforcement agencies are
scrambling to reinvent their profession in a frantic effort to keep pace
with brilliant and restless young hackers.

Unlimited potential for harm
The story also shows that hacking's potential harm is far more ominous than
theft of telephone credit-card numbers. Cantrell was part of an
eleven-member group dubbed "The Phonemasters" by the FBI. They were all
technically adept twentysomethings expert at manipulating computers that
route telephone calls.

The hackers had gained access to telephone networks of companies including
AT&T Corp., British Telecommunications Inc., GTE Corp., MCI WorldCom (then
MCI Communications Corp.), Southwestern Bell, and Sprint Corp. They broke
into credit-reporting databases belonging to Equifax Inc. and TRW Inc. They
entered Nexis/Lexis databases and systems of Dun & Bradstreet, court records
show.

The breadth of their monkey-wrenching was staggering; at various times, they
could eavesdrop on phone calls, compromise secure databases, and redirect
communications at will. They had access to portions of the national power
grid, air-traffic-control systems and had hacked their way into a digital
cache of unpublished telephone numbers at the White House. The FBI alleges,
in evidence filed in U.S. District Court for the Northern District of Texas,
that the Phonemasters had even conspired to break into the FBI's own
National Crime Information Center.

Unlike less-polished hackers, they often worked in stealth, and avoided
bragging about their exploits. Their ultimate goal was not just fun, but
profit. Some of the young men, says the FBI, were in the business of selling
the credit reports, criminal records, and other data they pilfered from
databases. Their customers included private investigators, so-called
information brokers and -- by way of middlemen -- the Sicilian Mafia.
According to FBI estimates, the gang accounted for about $1.85 million in
business losses.

"They could have -- temporarily at least -- crippled the national phone
network. What scares me the most is that these guys, if they had had a
handler, whether criminal or state-sponsored, could have done a lot of
damage," says Morris. "They must have felt like cyber gods."

Some may be still at large
With the exception of Cantrell, none of the defendants in the Phonemasters
case would comment on the matter. Others are thought to remain at large.
This is the story of Cantrell and two accomplices largely put together from
federal district court records and FBI interviews. Morris first learned of
the group in August 1994, when he got a phone call from a Dallas private
investigator, saying Cantrell had offered to sell him personal data on
anyone he wished. He even offered a price list: Personal credit reports were
$75; state motor-vehicle records, $25; records from the FBI's Crime
Information Center, $100. On the menu for $500: the address or phone number
of any "celebrity/important person."

Morris immediately opened an investigation. Only 33 years old at the time,
he had taken an annual pay cut to join the FBI just five years earlier. He
had been a tax consultant at Price Waterhouse, and despised the work. "I was
young and making the big bucks, but every morning I would think 'God, I
don't want to go to work.' "

Tall, square-jawed and mustachioed, Morris began working on white-collar
crimes when he arrived at the Dallas FBI field office. He took on a few
hacker cases and realized he liked the challenge. "These guys are not the
kind who'll rob the convenience store then stare right into the security
camera," he says. "Trying to be the Sherlock Holmes of the Internet is hard
when the fingerprints on the window can be so easily erased."

Morris convinced the private investigator to meet with Cantrell while
wearing an audio taping device. After reviewing the tapes, he was certain
that he was onto something big. He applied for and received court authority
to place a digital number recorder on Cantrell's phone lines, which would
log numbers of all outgoing calls. It showed that Cantrell frequently dialed
corporate telephone numbers for AT&T, GTE, MCI, Southwestern Bell and
Sprint. Cantrell had also placed calls to two unlisted numbers at the White
House, which further piqued Morris's interest.

So, late that summer, Morris took an unprecedented step. He began writing a
40-page letter to the FBI's Washington headquarters, the Department of
Justice and the federal district court in Dallas. Recording Cantrell -- now
his central suspect -- while on the phone wasn't sufficient for the job that
faced him, he believed. Instead, he needed new federal powers. He asked for
Washington's permission to intercept the impulses that traveled along
Cantrell's phone line as he was using his computer and modem.

"It's one of the hardest techniques to get approved, partly because it's so
intrusive," says Morris, who spent the next month or so consulting with
federal authorities. "The public citizen in me appreciates that," he says.
Still, the long wait was frustrating. "It took a lot of educating federal
attorneys," he says.

Once authorities said yes, Morris faced another obstacle: The equipment he
needed didn't exist within the FBI. Federal investigators had experimented
with a so-called data-intercept device only once before in a New York hacker
case a year earlier. It had failed miserably.

Morris and technicians at the FBI's engineering lab in Quantico, Va., worked
together to draft the specifications for the device Morris wanted. It would
need to do the reverse of what a computer's modem does. A modem takes
digital data from a computer and translates it to analog signals that can be
sent via phone lines. Morris's device would intercept the analog signals on
Cantrell's phone line and convert those impulses back to digital signals so
the FBI's computers could capture and record each of a suspect's keystrokes.

Alerting the victims
While waiting for the FBI to fit him with the proper gear, Morris contacted
several of the telephone companies to alert them that they had been
victimized. The reception he got wasn't always warm. "It's kind of sad. Some
of the companies, when you told them they'd had an intrusion, would actually
argue with you," he said.

GTE was an exception. Morris discovered that Bill Oswald, a GTE corporate
investigator, had opened his own Phonemasters probe. Oswald and Morris began
working together and uncovered another of Cantrell's schemes: He and some
friends had managed to get their hands on some telephone numbers for FBI
field offices. They entered the telephone system and forwarded some of those
FBI telephones to phone-sex chat lines in Germany, Moldavia and Hong Kong.
As a result of the prank, the FBI was billed for about $200,000 in illegal
calls.

Morris also learned that on Oct. 11, 1994, Cantrell hacked GTE's computer
telephone "switch" in Monticeto, Calif., created a fake telephone number and
forwarded calls for that number to a sex-chat line in Germany. The FBI isn't
sure how Cantrell convinced people to call the number, but court records
show that Cantrell received a payment of $2,200 from someone in Germany in
exchange for generating call traffic to the phone-sex service.

In early December 1994, Morris's "analog data-intercept device" finally
arrived from the FBI's engineering department. It was a $70,000 prototype
that Morris calls "the magic box."

On Dec. 20, Morris and other agents opened up their surveillance in an
unheated warehouse with a leaky roof. The location was ideal because it sat
between Cantrell's home and the nearest telephone central office. Morris and
nine other agents took turns overseeing the wiretap and data intercepts. The
agents often had to pull a tarp over their workspace to keep rain from
damaging the costly equipment.

As middle-class families go, the Cantrells seem exemplary. Calvin's father,
Roy, was a retired detective who had once been voted "Policeman of the Year"
in Grand Prairie, the suburb west of Dallas where they live. His mother,
Carol, taught Latin and English at Grand Prairie High School, where Calvin
graduated in 1987 with above-average grades.

  'It's great, you know. I really love fraud. Fraud is a beautiful thing.'
-- John Bosanac, hacker

As a student, he was no recluse. He had a small circle of friends who shared
his love of martial arts, video games and spy movies. Cantrell's longtime
friend, Brandon McWhorter, says Calvin was always a fun-loving guy, but
there was one thing about which he was very serious.

"He would always talk to me about religion," McWhorter says. "He held very
strong religious beliefs."

After high school, Cantrell continued to live at home while taking classes
at the University of Texas at Arlington and a local community college.

He held a series of odd jobs and hired himself out as a deejay for weddings
and corporate parties. Cantrell balanced school, work, family and friends
even as he began hacking more often. His parents became suspicious, but said
nothing. The family had three phones; Calvin stayed on his 15 hours a day.

"They'd go in my room and see all the notes and the phone numbers. Even
though they couldn't put it together technically, they knew something was
up," says Cantrell. "They were kind of in denial... . My parents were pretty
soft."

Mrs. Cantrell says Calvin had been so well-behaved that she never suspected
his computer activities were more than fun and games. "I wish I had known
what was going on. Unfortunately, my son was smarter than I was." (Calvin's
father passed away last year.)

The hack
At 8:45 on the night of Dec. 21, just four days before Christmas, Cantrell
went online. Using an ill-gotten password, he entered a Sprint computer,
where he raided a database, copying more than 850 calling-card access codes
and other files, court records in the case show.

The Phonemasters often got passwords and other key information on companies
in a low-tech approach called "Dumpster diving," raiding the trash bins of
area phone firms for old technical manuals, phone directories and other
company papers. This often allowed Cantrell to run one of his favorite
ruses -- passing himself off as a company insider.

"I'd call up and say, 'Hi, I'm Bill Edwards with systems administration.'
... I'd chat with them for a while, then I'd say 'We're doing some network
checkups today. Can you log off of your computer, then tell me every
character you're typing as you log back on?' A lot of people fell for that,"
Cantrell says.

'Do you know how ironic it's going to be when they play those tapes in
court. When they play that tape in court and they got you saying it was the
FBI tapping in.'
-- Corey Lindsley, hacker

After hacking into the Sprint database that evening, Cantrell talked to
another hacker, Corey Lindsley, over the phone. He'd "met" Lindsley, and
another hacker, John Bosanac, in 1993 while surfing the murky world of
hacker bulletin boards. Cantrell then sent the copied files to Lindsley, who
was a student at the University of Pennsylvania in Philadelphia.

Morris's equipment captured everything -- voice and data. It was an FBI
first. "We're sitting in this place that looked like a bomb pit, but the
atmosphere was really exciting," says Morris. "We were ecstatic."

As the days passed, the FBI wiretap generated stacks upon stacks of
audiotapes and data transcripts. Some was just idle talk among friends, the
occasional call to finalize dinner plans, lots of workaday chatter. But the
incriminating evidence mounted. "It's great, you know. I really love fraud,"
joked Bosanac, a Californian who was musing with Cantrell about the various
technical methods of using other people's cellular telephone accounts to
place free calls. "Fraud is a beautiful thing."

Family conversations even entered the investigation. On Jan. 7, for
instance, Cantrell called his mother from a friend's house and asked her
to find an MCI manual on his shelf. He then asked her to read him a set of
directions for accessing MCI's V-NET computer system. Mrs. Cantrell read the
material but asked her son whether he was supposed to have the book, citing
warnings that stated its contents were restricted to MCI employees. Cantrell
just avoided his mother's question. The FBI data-tap captured every word.

Taking a toll
Still, the process took its toll on the FBI team, especially coming during
the holidays. "It was stressful that the wiretap was going 24 hours a day,
seven days a week. I had to write up the legal documents, and it's tough
making people work through Christmas," Morris said. On top of that, he had
to keep records of his findings, and every 10 days he had to reapply to the
court to prove that his wiretap was yielding evidence.

By late January, the FBI had begun to get a clear profile of Cantrell and
his hacker friends. Lindsley, it appeared, was the group's acerbic leader,
directing much of the hacking activity. Over phone lines, the FBI heard him
bragging about how he had given a Pennsylvania police department "the pager
treatment" in retaliation for a speeding ticket he received. Lindsley had
caused the police department's telephone number to appear on thousands of
pagers across the country. The resulting flood of incoming calls, Lindsley
bragged, would surely crash the department's phone system.

They also enjoyed collecting information about film stars, musicians and
other famous people. Cantrell has admitted that he broke into President
Clinton's mother's telephone billing records in Arkansas to obtain a list of
unpublished White House numbers. The men, says the FBI, even made harassing
phone calls to rock star Courtney Love and former child actor Danny Bonaduce
using pilfered numbers.

They weren't without fear of getting caught. On the evening of Jan. 17, for
instance, there was a clicking on the phone line as Bosanac, Cantrell, and
Lindsley shared a three-way conference call. "What the hell happened?" asked
Bosanac, according to an FBI transcript of the conversation.

"That was the FBI tapping in," laughed Cantrell.

"Do you know how ironic that's gonna be when they play those tapes in
court?" Lindsley said. "When they play that tape in court and they got you
saying it was the FBI tapping in?"

On Jan. 18, the FBI overheard Cantrell, Bosanac and Lindsley on another
conference call. With the other two men giving directions, Cantrell dialed
his computer into Southwestern Bell's network and copied a database of
unlisted phone numbers. The three men then discussed plans to write a
computer program that could automatically download access codes and
calling-card numbers from various telephone systems. They also talked about
the chance that the FBI would one day track them down.

"Just remember, nobody f-- rats anybody out," said Lindsley to the others.
"No deals."

"Yeah, no deals is right," replied Bosanac.

"No deals. I'm serious. I don't care what your f-- lawyers tell you," said
Lindsley.

Cantrell said nothing.

Transferred codes to Canada
Later that morning, between 5:09 and 7:36, Cantrell entered Sprint's
computer system and downloaded about 850 Sprint calling-card codes. He then
transferred those codes to a man in Canada. The codes would allow anyone who
purchased them to place free international phone calls. Morris would later
learn that a contact in Canada paid Cantrell $2 apiece for each code, court
records show. The Phonemasters most likely did not know -- or care -- where
the codes ended up, but the FBI traced them and found some ended up in the
hands of a Sicilian Mafia operative in Switzerland.

On Jan. 23, while probing a U S West telephone database, Cantrell, Bosanac,
Lindsley and others stumbled over a list of telephone lines that were being
monitored by law enforcement. On a lark, they decided to call one of the
people -- a suspected drug dealer, says Morris -- and let him know his pager
was being traced by the police.

On Jan. 27, the group was clearly feeling paranoia about being caught,
prompting Lindsley to tell his accomplices to pull as many Sprint codes as
quickly as they could. Cantrell began to have reservations.

"What if I stopped before all of y'all?" Cantrell asked Lindsley. "Would you
applaud my efforts?"

"No," said Lindsley. "I don't think there's any reason to stop. What are you
worried about?"

"Uh, I'm not worried about anything. I'm just saying, uhm. There might ...
there might come a time here where I don't have time for this."

He added a little later: "I, you know, really like it. But, I don't know, I
just ... Eventually, I don't see myself doing a lot of illegal things."

Lindsley continued to prod Cantrell to speed up the download of stolen codes
by spending more time online and using two phones.

"I'm telling you, you run two lines around the clock," Lindsley said.

"You can't run them around the clock," said Cantrell.

"Why not?"

"Oh, come on. I think that's pushing it too hard."

"I think you just got a weak stomach there, boy."

Tension rises
By late February, things began to get tense. One of Cantrell's hacker
friends informed him that his number had shown up in a database of phone
numbers being monitored by the FBI. In all the excitement of burglarizing
databases and rerouting phone calls, the Phonemasters had neglected to check
their own phone lines for any signs that law enforcement might be listening
in.

  'All the documents and tapes from this case could fill a 20-by-20 room. And
at the time, I was the only computer investigator for all of Texas.'
-- Michael Morris, FBI agent

Morris hastily arranged for an FBI raid. On Feb. 22, 1995, agents raided
Cantrell's home, Lindsley's college dorm room, and burst into Bosanac's
bedroom in San Diego.

For Morris, the climactic raid was only the start of a long battle to bring
the hackers to justice. Because of the complicated nature of his evidence
gathering, it took him more than two years to compile the most salient
portions of the wiretap transcripts and data-tap evidence. "All the
documents and tapes from this case could fill a 20-by-20 room," Morris
explains. "And at the time, I was the only computer investigator for all of
Texas."

In the meantime, as federal prosecutors slowly geared up for a trial,
Cantrell tried to get on with his life. "I spent the first few weeks after
the raid being paranoid and wondering what would happen," he says.
Occasionally, Morris and other agents would call him, asking questions about
some of the systems he had hacked. By the summer of 1995, at the urging of
his mother, Cantrell started attending church again. He scored the first in
a string of professional computing jobs, doing systems-administration work
for a company called Lee Datamail in Dallas. He neglected to tell his
employers about the FBI case. "It's been mental torture for the last four
years, not knowing," says Cantrell. "Can I go to school, move to another
state? That kind of thing messes with your head."

Over time, Cantrell says he had come to seriously regret what he had done
and the $9,000 he says he made from selling codes wasn't worth the trouble.
"Looking back, it was all crazy. It was an obsession. I wanted to see how
much I could conquer and a little power went to my head." Cantrell notes
that he has since tried to make amends, even helping the phone companies
plug their security holes and helping the FBI gather more information on
some of the group's members who haven't yet been apprehended.

The matter finally seemed near conclusion this March when Morris was able to
play "a couple of choice tapes" in separate meetings with Cantrell, Bosanac
and Lindsley. Afterward, all three agreed to plead guilty to federal charges
of one count of theft and possession of unauthorized calling-card numbers
and one count of unauthorized access to computer systems. Chief Judge Jerry
Buchmeyer ordered a presentencing investigation.

During a hearing on the matter, Lindsley's attorney tried to argue that the
FBI had wildly overstated the $1.85 million in losses that her client's
hacking had allegedly caused. But in the end, Judge Buchmeyer rejected the
argument and sentenced him to 41 months in prison. Bosanac, in the meantime,
has asked that his sentencing hearing be moved to San Diego, where he lives.

As for Cantrell, Judge Buchmeyer lauded his "acceptance of guilt." He could
have been sentenced to three years in federal prison; instead he was given
two. He reports to federal prison in January of next year.

Morris, meanwhile, has used his data-tap method in several other cases; he
also travels around the country and the world advising law-enforcement
agencies on how to conduct state-of-the-art investigations of hacker crimes.

--
Dan S




--- end forwarded text


-----------------
Robert A. Hettinga <mailto: rah@ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

