Approaching Zero - Paul Mungo (books to read to increase intelligence .txt) 📗
- Author: Paul Mungo
- Performer: -
Book online «Approaching Zero - Paul Mungo (books to read to increase intelligence .txt) 📗». Author Paul Mungo
take over a box or, better, a series of boxes. Security is often lax on
voicemail computers, with box numbers and passwords ridiculously easy to guess
by an experienced hacker. One of the methods has become known as finger
hacking: punching away on the telephone keypad trying groups of numbers until a
box and the appropriate password are found. Ideally, hackers look for unused
boxes. That way they can assign their own passwords and are less likely to be
detected. Failing that, though, they will simply annex an assigned box,
changing the password to lock out the real user.
VM boxes are more secure than hacker boards: the police, for a start, can’t
routinely monitor voicemail systems as they can boards, while hackers can
quickly move to new systems if they suspect the authorities of monitoring one
they are using. The messaging technology of voicemail systems lends itself to
passing on lists of codes. The code line is often the greeting message of the
hacker-controlled mailbox; in other words, instead of hearing the standard
“Hello, Mr. Smith is not in the office. Please leave a message,” hackers
calling in will hear the current list of stolen code numbers. In this manner,
only the hacker leaving the codes need know the box password. The other
hackers, those picking up the codes or leaving a message, only need to know the
box number.
It was ultimately a voicemail computer that led the authorities to
Doucette. On February 9, 1989, the president of a real estate company in
Rolling Meadow, Illinois, contacted the U.S. Secret Service office in Chicago.
His voicemail computer, he complained, had been overrun by hackers.
The harassed real estate man became known as Source 1. On February 1 5th, two
Secret Service agents—William “Fred” Moore and Bill Tebbe—drove from Chicago
to the realtor’s office to interview him. They found a man beset by unwanted
intruders.
The company had installed its voicemail system in the autumn of 1988. The box
numbers and passwords were personally assigned by the company president.
While the 1-800 number to access the system was published, he insisted that
the passwords were known only to himself and to the individual box users.
In November 1988, during an ordinary review of the traffic on the system, he
had been startled to discover a number of unexplained messages. He had no idea
what they were about or who they were for; he thought they could have been
left in error.
However, the number of “errors” had grown throughout November and December. By
January 1989 the “errors” had become so frequent that they overwhelmed the
system, taking over almost all of the voicemail computer’s memory and wiping
out messages for the company’s business.
The Secret Service recorded the messages over a period from late February to
March. Listening to the tapes, they realized they were dealing with a code
line.
The law on access devices prohibits the unauthorized possession of fifteen or
more of such codes, or the swapping or sale of the codes “with an intent to
defraud.” (Fraud is defined as a $1,000 loss to the victim or profit to the
violator.) On the tapes, the agents could identify 130 devices that were
trafficked by the various unknown callers. They also heard the voice of a woman
who identified herself alternatively as “Kyrie” or “long-distance information.”
It seemed as if she was running the code line, so they decided to focus the
investigation on her.
In March security officials from MCI, the long-distance telephone company, told
the Secret Service that Canadian Bell believed “Kyrie” to be an alias of Leslie
Lynne Doucette, a Canadian citizen who had been hacking for six or seven years.
In March 1987 Doucette had been convicted of telecommunications fraud in Canada
and sentenced to ninety days’ imprisonment with two years’ probation. She had
been charged with running a code line and trafficking stolen access codes.
Subsequently, the Canadians reported, Doucette had left the country with her
two children.
Later that month an MCI operative, Tom Schutz, told Moore that an informant had
passed on the word that a well-known hacker named Kyrie had just moved from the
West Coast to the Chicago area. The informant, Schutz said, had overheard the
information on a hacker “bridge” (a conference call). At the beginning of April
an MCI security officer, Sue Walsh, received information from another informant
that Kyrie had a Chicago telephone number.
By mid-month, Moore was able to get court authorization to attach a
dialed-number recorder (DNR), to Doucette’s phone. A DNR monitors outgoing
calls, recording the number accessed and any codes used. From the surveillance,
agents were able to detect a large volume of calls to various voicemail
systems and PBX networks.
The authorities traced the other compromised voicemail systems to Long Beach,
California, and Mobile, Alabama. They discovered that Kyrie was operating code
lines on both networks. It’s not unusual for hackers to work more than one
system; sometimes Hacker A will leave codes for Hacker B on a voicemail
computer in, say, Florida, while Hacker B might leave his messages for Hacker A
on a system in New York. By rotating through voicemail computers in different
states, hackers ensure that local law enforcement officials who stumble upon
their activities see only part of the picture.
The agents also realized that Kyrie was running a gang. From other sources they
heard tapes on which she gave tutorials to neophyte hackers on the techniques
of credit card fraud. Over the period of the investigation they identified 152
separate contacts from all over the country, all used as sources for stolen
codes. Of the gang, the agents noted seven in particular, whom they identified
as “major hackers” within the ring: Little Silence in Los Angeles; the
ironically named FBI Agent in Michigan; Outsider, also in Michigan; Stingray
from Massachusetts; EG in Columbus, Ohio; Navoronne, also from Columbus; and
Game Warden in Georgia.4 DNRs were also attached to their telephones.
The agents assigned to the case described the group, imaginatively, as “a
high-tech street gang.” By then the Secret Service had turned the enquiry into
a nationwide investigation involving the FBI, the Illinois State Police, the
Arizona Attorney General’s Office, the Chicago Police Department, the Columbus
(Ohio) Police Department, the Cobb County (Georgia) Sherifrs Office, the Royal
Canadian Mounted Police, and the Ontario Provincial Police. Security agents
from MCI, Sprint, AT&T, and nine Bell phone companies provided technical
assistance.
On May 24th the Secret Service asked local authorities in six cities for
assistance to mount raids on Doucette’s Chicago apartment and the addresses of
the five other major hackers in the ring. Prior to the raids the authorities
compiled a list of equipment that was to be seized: telephones and
speed-dialing devices; computers and peripherals; diskettes; cassette tapes;
videotapes; records and documents; computer or data-processing literature;
bills, letters invoices, or any other material relating to occupancy; information pertaining to access device codes; and “degaussing” equipment.
The raid on Doucette’s Chicago apartment produced a lode of access codes. Moore
found a book listing the numbers for 171 AT&T, ITT, and other telephone cards,
as well as authorization codes for 39 PBXs. In addition, the agents found
numbers for 118 Visa cards, 150 MasterCards, and 2 American Express cards.
Doucette admitted that she was Kyrie. Later in the Secret Service offices, she
confessed to operating code lines, trafficking stolen numbers, and receiving
unauthorized Western Union money orders. She was held in custody without bond
and indicted on seventeen counts of violating rederal computer, access device,
and telecom fraud laws between January 1988 and May 1989.
Estimates of the costs of Doucette’s activities varied. On the day of her
arrest, she was accused of causing “$200,000 in losses … by corporations
and telephone service providers.” Later it was announced that “substantially
more than $1.6 million in losses were suffered” by credit card companies and
telephone carriers.
Doucette’s was a high-profile arrest, the first federal prosecution for hacking
voicemail systems and trafficking in access devices. The prosecution was
determined that she would be made an example of; her case, the authorities
said, would reflect “a new reality for hackers” in the 1990s—the certainty of
“meaningful punishment.” If convicted of all charges, Doucette faced eightynine
years’ imprisonment, a $69,000 fine, and $1.6 million in restitution charges.
The case was plea-bargained. Doucette admitted to one count; the other charges
were dismissed. On August 17, 1990, Doucette, then aged thirty-six, was
sentenced to twentyseven months in prison. It was one of the most severe
sentences ever given to a computer hacker in the United States.
Willie Sutton, a U.S. gangster, was once asked why he robbed banks. “Because
that’s where the money is,” he replied.
Little has changed; banks still have the money. Only the means of robbing them
have become more numerous. Modern banks are dependent on computer technology,
creating new opportunities for fraud and high-tech bank robbery.
Probably the best-known story about modern-day bank fraud involves the
computation of “rounded-off” interest payments. A bank employee noticed that
the quarterly interest payments on the millions of savings accounts held by the
bank were worked out to four decimal points, then rounded up or down. Anything
above .0075 of a dollar was rounded up to the next penny and paid to the
customer; anything below that was rounded down and kept by the bank. In other
words, anything up to three quarters of a cent in earned interest on millions
of accounts was going back into the bank’s coffers.
Interest earned by bank customers was calculated and credited by computer. So
it would be a simple matter for an employee to write a program amending the
process: instead of the roundeddown interest going back to the bank, it could
all be amalgamated in one account, to which the employee alone had access. Over
the two or three years that such a scam was said to have been operational, an
employee was supposed to have grossed millions, even billions, of dollars.
The story is an urban legend that has been told for years and accepted by many,
but there has not been a single documented case. However, it certainly could be
true: banks’ dependence on computers has made fraud easier to commit and harder
to detect. Computers are impersonal, their procedures faster and more anonymous
than paper-based transactions. They can move
money around the world in microseconds, and accounts can effortlessly be
created and hidden from a computer keyboard.
Like any corporate fraud, most bank fraud is committed by insiders, employees
with access to codes and procedures who can create a “paper trail” justifying a
transaction. In such cases the fraud is not really different from illegal
transactions carried out in the quill-pen era: the use of a computer has simply
mechanized such fraud and made it more difficult to track.
The new threat to banks comes from hackers. In addition to the familiar duo of
the bank robber and the criminal employee—the one bashing through the front
door with a shotgun, the other sitting in the back room quietly cooking the
books—banks now face a third security risk: the adolescent hacker with a PC, a
modem, and the ability to access the bank’s computers from a remote site.
Unlike traditional bank robbers, hackers don’t come through the front door:
they sneak in through the bank’s own computer access ports, then roam unseen
through the systems, looking for vulnerable areas. Unlike crooked employees,
hackers aren’t a physical presence: they remain unseen and undetected until
it’s too late.
Though banks spend millions protecting their computer systems from intruders,
they aren’t necessarily that secure. Bank employees, particularly those who
work in dealing rooms, are notorious for using the most obvious passwords,
generally those that reflect their own ambitions: Porsche
Comments (0)