Hacker Wannabes Buying Soap-on-a-Rope
A group of young men stole and falsified credentials to break into a Law Enforcement database last year, and they are going to trial this month. They had unauthorized access to over 310,000 people’s personal information such as banking records, home addresses and social security numbers, including many famous celebrities.
They even used the information to download the photos from Paris Hilton’s cell phone. They also swapped info on Laurence Fishburne, Governor Schwarzenegger and Demi Moore.
From the Register here:
Accused hackers deny ID theft
US investigators have arrested five men on suspicion of involvement in hacking into the database of LexisNexis Group in a crime linked by prosecutors to a breach that led to the disclosure of the personal details of more than 310,000 people last year.
Some of the quintet are further suspected of swiping photos and data from an account tied to the mobile phone of heiress Paris Hilton. The suspects used “stolen or illegally created accounts at LexisNexis subsidiaries to look up Social Security numbers and other personal information on dozens of other Hollywood celebrities,” the Washington Post reports, adding that the five are likely to be charged with aggravated identity theft as well as conspiracy and computer hacking offences.
The accused have been named as: Jason Daniel Hawks, 24, of Winston Salem, North Carolina; Zachary Wiley Mann, 19, of Maple Grove, Minnesota; Timothy C. McKeage, 21, of Woonsocket, Rhode Island; Justin A. Perras, 19, of New Bedford, Massachusetts; and Jeffrey Robert Weinberg, 21, of Laguna Beach, California.
According to prosecutors, McKeage (AKA Krazed) broke into a computer run by police in Port Orange, Florida and used stolen credentials from this system to access Accurint, a law enforcement database service, maintained by Seisint, a local subsidiary of LexisNexis.
The Accurint login credentials allowed the group to look up police records and other data on various high-profile celebrities. Among those targeted were California Governor Arnold Schwarzenegger and actors Laurence Fishburne and Demi Moore as well as Paris Hilton.
Mann (AKA Majy) admitted accessing personal data on Laurence Fishburne and other celebrities but denied accusations that he and his cohorts did anything wrong. “I don’t think what we did was that bad. We never used anyone’s identity. Besides, don’t you think it’s wrong that a company like that has all this information that’s available to anyone who’s willing to pay for it?”
Ol’ Zach Mann is whining about how wrong it is to broker security information in a law enforcement database? Is he intending to use that old “information just wants to be free” gimmick as his defense at his trial? So the end justifies his means because the “database was the one that was bad.” Riiiggght. Good luck at your trial, stupid.
While doing research on this story, I went to the original article published by the Washington Post here. The Washington Post tracks everyone who links to the article. Another member of the hacking crew, Justin Perras, has posted his whinings on his MySpace Page, and linked his page to the article. Another brilliant move by another dope who thinks he knows better than everyone else.
On his blog, Justin writes:
That story upsets me a little bit. I didn’t tell the secret service anything was true, not to mention he twisted everyone’s words around. I am not comfortable with what he wrote. So much for utilizing ‘defensive journalism’ to shape public opinion to work in our favor. Instead, his editor chopped the story up to portray us all as a group of hackers trying to compromise the identities of multiple celebrities.
Contrariwise, Kevin Poulsen from wired.com might also be publishing a story for wired. Hopefully, his will portray things a little differently. As far as my thoughts concerning the case and consequences, I don’t think about that. It makes me suicidal.
So the hacker team is hoping that they can get a favorable news article written that will diminish the extent of their crime? Good luck. Messing around in law enforcement databases is considered an attack on national critical infrastructure. It may not be cyber-terrorism, but the government takes this sort of thing very seriously.
The group is charged with aggravated identity theft, which has a minimum of two years. Justin and Zach- make sure you get soap on a rope. And don’t forget your shower slippers. Here is another list of tips for you and your friends.
Effing A! Stop trying to steal my identity!!!!!! These stories make me think that society is indeed attempting to implode and we will destroy our societal structure within the next 10 years. I’m guessing we’ll use DNA samples instead of SSNs in the not too distant future.
Yeah, but biometrics for identification also freak me out for some reason. If people would just take the proper precautions to protect their data, we wouldn’t have to worry about giving DNA samples to get a credit card!
Hey man, don’t talk bad about me in your blog. You don’t even know me. Thanks a lot!
any questions/complaints feel free to mail me.
otherwise, don’t anger the internet gods. next time i won’t be able to fend them off of your website.
-justin-
Justin,
Only idiots use the defense “You don’t know me” to attempt to suppress criticism of their behavior. Perhaps you should see this story here:
http://www.belch.com/~blog/2006/03/14/brilliant-lawyer-employs-you-dont-know-me-defense/
As far as angering gods? Are you threatening me? Are you threatening to launch a DDoS attack against my site? I’m pretty sure that violates terms of your bond agreement.
Angering gods???
No one needs to launch a DDOS….all they have to do is post this on digg.com to take a site out. i am pretty sure that digg is not against the law… at least not yet
Userjan,
Welcome to the blog!
No, posting stuff on Digg and Slashdot is not against the law. I post my own blog entries on Digg on occasion, and it does not cause outages. One of the largest traffic hits came from my discussion about the Blue Frog Security debacle.
And I saw that you submitted the same story and were wondering yourself at the harshness of “aggravated identity theft.”
While I do not know all of the details of the case and how the prosecutors chose this particular charge, I can only guess that this is more serious because a trusted law enforcement database was utilized to get into the accounts of the victims.
It’s more of a breach of trust thing. Like impersonating a police officer. I think the charge would have been less severe had this just been a leaky database.
Pat,
breach of trust…
1. Mantovani, shadowcrew founder got 32 months, more than 4mill in damages.
2. Jacobsen, first hacker of P.H. and hacked into a secret service agents email…sentence is secret.
3. Worker just recently hacked into FBI database…age34, gets 5 mos home confinement.
4. Kenneth Flury, (age 41) gets 32 months, identity theft totaling over $384k
Just a few examples. The charges these “kids” face are off the charts…they are being made examples of.
Again, I don’t think that either of us know the whole extent of what this particular crew did with the access they had.
But the people investigating the crime are top notch forensics experts. They probably know what these guys did, more so than what has been leaked to the press. I’m going to guess that it was pretty bad.
Regarding your examples- Remember, these guys are facing only 24 months mandatory. Less than your examples, except for the FBI consultant that tried to run John the Ripper against Mueller’s password file. That guy was genuinely trusted by the FBI, and he screwed up bad.
Also, you have to take into consideration that our “team”, which is the subject of this blog, have not publicly demonstrated much in the way of remorse. In fact, most of them appear to be kinda defiant. Prosecutors don’t like that attitude. And it would be ironic that if these guys are “made an example of” it would be because they blabbed to the press about how the charges are bogus and that information really wants to be free.
And they don’t appear to have good lawyers that would tell them to keep their mouths shut or to show any type of contrition. And they are not exactly kids, either. In fact, the reason the prosecution has such a good case is that one of the guys rolled over on the others in exchange for a lighter sentence. This means that the others all tried to lie to stick to a common story, and the prosecutors don’t like that either.
I agree that all things being equal, this crime is probably no more severe than many others. But it’s this crew’s lack of contrition and coverup of the crime that is getting them a harsher sentence.
And it would be ironic that if these guys are “made an example of” it would be because they blabbed to the press about how the charges are bogus and that information really wants to be free.
Totally disagreeing with you on this one…
How many hackers have locked sentences, you don’t know what they received…most get 6 mos (home confinement) then get hired by the govt. i guess just 5 of these people were stupid, the rest (or one other) were brilliant (and spilling their guts) and hired by the govt. I am just suggesting that aggravated identity theft is way extreme considering others’ crimes and resulting sentences.
And how do you know they showed no remorse? Maybe they don’t want to show it to press, blogs, etc, but they may show it towards familia, who are affected by it. You don’t know them.
pat,
Also, if you are saying the crew is “defiant”…isn’t that a descriptive adjective that a reporter trying to describe a hot story might have, may he have not also changed words, made up words, trying to make his story more “national enquirer-like”?
reporters are writers, and have discretion as to what they are writing..your defiance is my sullen contriteness…
btw, you work for the dept of homeland security and are allowed to have such a blog? i thought govt workers could not have opinions, or if allowed, had to keep them hidden ..
oh! Also, the lexisnexis database had been invaded starting in 2003 or 2004, the charges against these suspects happened in a very short time (like 02/05–05/05) so what happened to the original hackers? have they been taking information that the public didn’t know that this agency had, for several years?!?!? and none of this came to light until an heiress had her slutty pics hacked…great priorities, america
Userjan,
What would you rather happen to these criminals? Let them go? Or just reduce their sentence? Bear in mind that they haven’t been sentenced yet, but are only facing charges that have a minimum mandatory.
They can still plea bargain for a lighter sentence.
As far as members showing no remorse, I refer to information posted publicly by the perpetrators in public blogs and in emails that have been made public.
As far as other criminals illegally accessing the Lexis Nexis database, it has little or no bearing on this case. That is the same argument as “everyone is doing it” to justify bad behavior. It’s an invalid argument. You are implying that no one should be punished for crime until all of the criminals are caught first.
Finally, you must only be glancing around on this blog. I am a former employee at DHS. In fact, I have been highly critical of DHS and its cyber policies, and specifically, how they fail to implement what is a good plan to keep the national critical infrastructure (including law enforcement databases) secure. Do a search for DHS and you will see my stances on those topics.
And LOTS of government workers have blogs, and they are allowed to have opinions. And they have all of the other constitutional rights that non government employees have.
Pat,
I don’t think most of them deserve even the minimum (for aggravated id theft)..if you read the computer crime laws, id theft is using a false id to commit a felony or terrorism. but if you think about it…the kids using the false id’s to look up the lexisnexis, if true, was someone falsely using someone else’s login to do something LEGAL. it’s totally legal for someone paying for lexis to receive info the american public doesn’t know they have…
Userjan,
I know what you mean. I’m familiar with the database too, not because I have access to it, but I know people who do…
One of them is a dirtbag bail bondsman who walks such a fine line between law and lawlessness I wonder how he maintains any sort of relationship with the courts. The guy likes to get drunk in bars and ask people their socials so he can do background checks on the fly using a radio to his home base. He’s a scummy person.
But he has paid his access fees and has had the necessary background checks performed on him. And with that access comes some hefty terms of service, along with a big responsibility as a person in a “position of trust” to protect his login credentials from being abused by those without authorization.
These men (not kids as you keep calling them) obtained a login which they were not authorized to use. This clearly violates 18 USC section 1030 here: http://www.usdoj.gov/criminal/cybercrime/1030_new.html
And I’m sure that they knew they were not supposed to use those credentials, but they did it anyways. And then they did something totally outrageous and stupid to get caught. Then they tried to stifle the investigation by not cooperating with the agents. Then they bragged about it to the press and on personal blogs and complained at the unfairness of it all. And their lawyer seems inept too to allow a prosecutor to bring such charges without already plea bargaining.
Maybe if they got into a shootout with the agents it could have gone worse for them. But they are way guilty according to the definition of the law. The maximum they face is ten years. I would wager they get 14 months with good behavior.
I would hope they would get home detention…6 mos like Joseph Colon, 29, a government consultant, who accessed fbi passwords, and caused the agency to “shut down its network temporarily and commit thousands of hours and millions of dollars to ensure no sensitive information was lost or misused.”
“He said he hoped to impress superiors and become an FBI agent.”
those charged in this fiasco are kids compared to him….several are 19, so it’s been at least a year since it happened..i don’t know about you, but i consider teenagers “kids”
“Prosecutors said Colon asked for additional clearances and was denied. They say he also used access to the system for “curiosity hacks” that were not related to his job.”
Hmmm…kinda sounds like the lexisnexis thing, curiosity hacks..
Yet they face much more time, and the media is not really reporting this, the washington post did, and i found another posting from about a week ago that’s very interesting…
http://www.washtimes.com/metro/20060705-103243-9760r.htm
what’s interesting is what his attorney says:
“Mr. Colon’s attorney sought leniency, saying “the public would never know about this prosecution,” court records showed.”
Mr. Carlin said in a sentencing memo last month that some prison time is necessary to send a message to the public that “curiosity hacks into sites containing national security information is a matter of grave concern and criminal import.”
Mr. Winelander said in a memo to Judge Leon that the judge need not concern himself with the issue of deterrence in meting out a sentence to Mr. Colon because “the fact of the matter is the public will never know about this prosecution.”
I guess if the lexis nexis “curiosity hackers” had instead invaded a government agency focused on national security, then they would just get home detention. most records are sealed if you screw with the govt.
again, if much time is served by these “kids” it will simply be to make an example of them
“So the hacker team is hoping that they can get a favorable news article written that will diminish the extent of their crime? Good luck. Messing around in law enforcement databases is considered an attack on national critical infrastructure. It may not be cyber-terrorism, but the government takes this sort of thing very seriously. ”
Sound familiar? Then how come an FBI consultant can hack and obtain info on witness protection involvees, agents, etc and get 6 mos home detention?
And how come this story is being buried?? Not many online sites have it, wash post did first. None of the other major news outlets are posting it.
Also, nowadays, how many “trusted law enforcement databases” have been breached?
I guess it’s ok if you “hack” a government database..then they just want the story to go away…if you breach a “trusted law enforcement database”, then you are in trouble.
And, this Joseph Colon was an adult, 29. Two of the 5 indicted are age 19. This happened over a year ago…i consider teenagers “kids”
Don’t believe all you have heard about him using the passwords to facilitate his job and speed up the fbi computer whatsis…
quote:” Prosecutors said Colon asked for additional clearances and was denied. They say he also used access to the system for “curiosity hacks” that were not related to his job.”
The most troubling information is what happened a week before, when his attorney ” Mr. Winelander said in a memo to Judge Leon that the judge need not concern himself with the issue of deterrence in meting out a sentence to Mr. Colon because “the fact of the matter is the public will never know about this prosecution.”
BTW, he also mentioned that he wanted to impress superiors and obtain an FBI job.
Have you heard of any fraud from the small window the indicted accessed the lexisnexis account? Did they compromise national security? Is this aggravated ID theft? I think not
You can’t compare Colon’s case to the Lexis Nexis case. Colon was a trusted employee who cooperated with the investigation. The Lexis crew refused to believe that a crime was committed and fought the investigation all the way, including lying to investigators and prosecutors.
And Colon had a good attorney too. Heard any word from the Lexis crew’s attorneys? nope.
There is an excellent article written here that details much of the crime behind the Lexis crew.
http://www.wired.com/news/business/0,67629-0.html?tw=wn_story_page_prev2
For each of these offenses, the criminals involved could get a jail sentence. And this is only what has been made public.
Trojanized a Policeman’s computer.
Stole the Account information for Accurint.
Used the access to scan for weak accounts.
Social engineered a password reset.
Used unauthorized access to create additional accounts.
Gave additional accounts to other hackers, knowing they would abuse that access.
Hacked into a gay website.
Previously hacked into AOL.
Destroyed evidence when the police got close, throwing computer into ocean.
Other hackers that they granted access committed ID theft- money used from the ID theft went to make meth.
So userjan, as you can see, these guys are not curiosity seekers. Nor are they the equivalent of an FBI contractor with no criminal history exceeding his trust and then cooperating with an investigation.
I have been saying all along that they have lousy lawyers. Two of the criminals have court appointed attorneys. It’s the prosecutors’ job to put these criminals behind bars for a very long time. It’s the defense attorney’s job to keep them out.
Stop trying to make moral equivalences between these criminals and other cases and look at this case for what it is.
If you want to blame anyone for these criminals going to jail for a long time, you can blame the criminals for committing these crimes. Blame the parents for not providing better guidance growing up. Blame the defense lawyers for not giving the extra effort for his clients.
But don’t blame the government for creating laws that protect its citizens. And don’t blame the law enforcement for doing their job in investigating crime. Don’t blame Nexis for its business practices or its weak security.
How do you know that these suspected individuals granted access to meth addicts/makers? If you read the wired story, it sounds like a totally separate investigation.
“He suggested, however, that the California arrests might involve a separate investigation of LexisNexis breaches, since the scope of the problem was so great.
“You start looking at an account that’s been logged into 500 times and generated 9,000 reports, for example, that’s a lot of information (to examine),” Sibley said. “I’m just saying it’s not one group that’s compromised LexisNexis. Their security is really bad. This isn’t a situation where you’re talking about needing an überhacker to compromise (the system). Their passwords weren’t as secure as your average porn site. I think it didn’t take a genius to break them. Although I think the way the hackers did it was creative. We’ll give them style points.””
And i am not blaming law enforcement….but i do think the others have something to fess up to.
How do you know “The Lexis crew refused to believe that a crime was committed and fought the investigation all the way, including lying to investigators and prosecutors.”?
I would think if i were 18–23 that i would totally cooperate and spill info. Have you ever had FBI, Secret service etc raiding your home?
And how do you know who they have as attorneys? They were just indicted, according to reports.
pat, as a follow up to here, pat yourself on the back….at least one of the alleged lexisnexis involvees might be a common criminal. probably most aren’t, we haven’t seen any stories anyways
Apparently lexisnexis has been invaded again…we received a letter and phoned as to whether this related to the original breach or a new one….. the contact on the phone ensured us that this was a new breach and encouraged us to sign up for their security service.