The History of Hacking Part 2
So, we are at the second part of the history of hacking. If you missed the first part, you can find the article right here on Cybersecurity Magazine. Last time we looked at the Legion of Doom (LoD) and we’ll stick with them here at the start, because in the early nineties what became known as the hacker wars were raging! These wars were fought between members of the LoD and members of the Masters of Deception (MoD). This time it is about the story from the ’90s until 2010.
Among the members of the MoD, Phiber Optik from New York is probably the best known. Phiber Optik’s real name is Mark Abene. In his hacker career, he received several convictions for breaking into computers and fiddling with the telephone system. In the beginning, Phiber was in Lod, but due to disputes with another Lod’er Eric Bloodaxe, Phiber was kicked out. He formed his own group MoD as a reaction to that. This group was in open war with LoD for two years. The war was largely fought by jamming phone lines, breaking into computers, monitoring phone calls and generally being a nuisance to each other and users of the fledgling Internet. It all comes to an end in July 1992 when Phiber Optik, along with 4 others, is arrested for a series of break-ins into computers of such well-known entities as AT&T, Bank of America and the NSA. Phiber Optik has been put behind bars several times since, mainly because his situational awareness leaves something to be desired. One time he was caught at a security conference where there were participants from the authorities in the form of prosecutors and police personnel. Specifically, he was caught getting access to free telephony in front of the assistant prosecutor from Arizona while wearing a sweater with a Secret Service logo.
We jump forward to 1995, and we move east. Vladimir Levin is the name, and he is becoming famous because the hack he is behind is the first public example of international bank robbery over a network.
Originally trained as a biochemist, Levin finds that computers are much more interesting and the potential for making money is much greater. Levin sits with a laptop in London and gains access to Citibank’s network, from which he downloads customer data and passwords. According to Citibank, he has logged into the system 18 times over a period of several weeks. During that period, he transfers the equivalent of 3.8 million dollars to accounts that he and his group control in the United States, Finland, Germany, and Israel. When Citibank became aware of the transfers, they contacted the authorities who tracked him down and arrested him at the London airport in March 1995. Citibank managed to return almost all the money, except for $400,000 that could not be found and returned. Levin was fighting for almost three years against being extradited to the United States for prosecution. However, he eventually gives up and is sentenced to three years in prison and to pay 240,000 dollars to Citibank.
Also in 1995, but this time in the USA, something happens for the first time. It concerns the hacker Dark Dante alias Kevin Poulsen. Kevin is the first definite espionage case from the hacker underground. Kevin’s primary targets for hacking were military and government systems, and he proved more than adept at penetrating these systems. Before he was arrested, he worked for the defence industry in the United States as a security consultant with the sole purpose of testing security in the Pentagon. So, during the day he hacked to protect state secrets and at night he switched to the criminal hacker.
He fled in 1989 from 19 charges ranging from being part of a conspiracy, fraud, wiretapping and money laundering. His most talked about hack is from 1990 where he takes control of a radio station’s 25 telephone lines and in that way ensures that he is number 102 who calls in to a competition and therefore secures a Porsche worth 50,000 dollars…
He is, of course, caught in the end, and in April 1995 is sentenced to 51 months in prison, a VERY lenient sentence considering that during his travels in the military systems he has encounters, among other things, drawings of spy satellites. Kevin Poulsen reinvents himself as a journalist and is currently a contributing writer for, amongst others, Wired.
Now we again must jump forward a few years, not because nothing happens in the intervening years, but because we are limited by what there is room for in this series. We jump forward to 1998, which is probably best remembered by most people because it was the year that the backdoor program Back Orifice (BO) was released by the group Cult of the Dead Cow at the conference Def Con. BO was used to remotely control computers over the network and had the peculiarity of not being able to see that BO was running on the computer. With BO you could get very detailed information about the computer, such as who was logged on, Windows version, memory usage and cached passwords. In addition to this, it had the capability to fiddle with the registration database and control the start-up and shutdown of processes on the system. There was an outcry over most of the world when it was released, because now anyone and any hacker wannabe could suddenly gain access to computers where they had nothing to do. The reason why there was so much fuss about the matter was probably mostly that it was now possible to do all this via a graphical user interface, which had not been the case before. BO only worked with Windows 98, but Back Orifice 2000 was released in 1999, which made it work on all Windows versions, but it is still only in Windows 9X. Many other things happen in ’98. Israel Ehud Tenebaum called ‘The Analyzer’ is arrested for having broken into several military computer systems in both Israel and the USA during the month of February of that year. The Assistant Secretary of Defense in the US calls it ‘The most organized and systematic attack’ on US military systems to date. In addition to Ehud, two American teenagers are also arrested in that case, but Ehud is the one considered to be the leader of the group. The systems they penetrate are Solaris systems, and they use a known vulnerability in these systems for which there had been a patch for several months.
In the month of May 1999, the inevitable happens, when the Chinese embassy in the former Yugoslavia is bombed by mistake. It is this event that sets in motion what can be called a ‘cyber war’ against NATO. Hackers from all over the world, especially China starts pinging NATO’s web servers in Brussels, obviously with the aim of bringing them to their knees. After the bombing of the Chinese Embassy, they become somewhat more aggressive. As these attacks increase in strength, the US Department of Defence becomes more and more concerned, and eventually turns to the FBI where they say that there have been several attempts to penetrate systems at the Pentagon. One of the agents put on the case is Charles Neal, head of the FBI’s department in Los Angeles. He is the one who led the case against the, at the time notorious, Kevin Mitnick the year before. At the time, the FBI has several sources in the hacker underground who give them information. The problem is to find out how reliable these sources are. One of them was a hacker in the USA who has family in Kosovo, the other a hacker who was resident in Kosovo during the American air bombardments. At the end of ’99, the FBI has thus collected information about a great many hackers, not only via their informants, but also with the help of the regular police and the military intelligence services.
In early 2000, the FBI had some agents who, in order to penetrate deeper into the underground, actually sat and hacked websites. To be accepted in the underground, it’s not enough to just talk the talk about hacking, you have to do it! One of the agents who did it was Bill Swallow, a 40-year-old FBI agent who would never in his life pass for being a hacker if they were to meet face-to-face, but online they could be anyone, even a teenager. The websites they hacked were government websites that were ‘donated’ to the cause, some private companies also donated their sites so that the agents could be accepted as real hackers. With the help of these agents and the two informers, several traps were set up for the underground, and quite a few arrests also resulted. Most of them were teenagers who were just fiddling with some hacking, but some of them were what we can call ‘real’ hackers who really knew something about what they were doing. Hackers are not like the tough criminals, they could all be ‘persuaded’ to become informants for the FBI, some of them also became trainers at the FBI.
On 7 January 2000, the biggest attack on web servers at the time happened. Yahoo and several e-commerce sites are being taken down using what is now known as a DDoS attack. At one point, Yahoo’s routers were receiving up to 1 Gbit of traffic per second, so for administrators to begin troubleshooting, Yahoo eventually shut down all traffic into the network. At the time, no one was aware of what was wrong, but it was found that the system had been brought down by ICMP packets. There could only be one reason for that, the systems were under attack.
A few days later, Bill Swallow sits in one of the IRC chat rooms where he is the operator, i.e. one of the people controlling who has access to the chat room and who has what rights. Of course, he hopes that he can track down the hacker behind this gigantic attack on the Internet. One of those in the room that night is Mafiaboy, a rather large bragging type who stubbornly claims that he is the man(boy) behind the attacks. No one in the room believes that, but Mafiaboy blurts out and asks the group what they think he should hit next. One of them suggests ccn.com and a few minutes later CNN’s website starts coughing and gasping for air. There was no doubt, therefore, that the person to be found was the one hiding behind the handle Mafiaboy. The number of machines behind these attacks was only 75, today we see attacks with millions of machines. They all turned out to be running Red Hat Linux 6.1. The tool that Mafiaboy had used was Stacheldraht, which is a variant of the TFN tool. TFN stands for Tribal Flood Network and is coded by a German hacker who calls himself Mixter. Mafiaboy did not code these tools himself, he just uses them. He is what is called a script kiddie and probably has no idea what is hidden under the hood of these programs.
In the following weeks, it poured in with log files and other data from the affected companies. Among the victims of the attacks were such prominent names as DELL and Amazon.
During February, the FBI slowly realizes that Mafiaboy must be coming from the other side of the border in Canada. It has taken a long time to figure this out, because after the attacks on the Internet everyone wants to take the credit. Therefore, there are quite a few who call themselves Mafiaboy in the days after the attacks and it requires a lot of resources to sort out the wannabes in the investigation. The FBI is now turning to the Canadian Police and asking for help in catching this Mafiaboy who they believe is in Montreal. During a search at one of the Internet providers, they find three email addresses that are used by someone who calls himself Mafiaboy, and slowly but steadily, they begin to piece together phone numbers, IP addresses and time stamps into something that can be used to put a stop to Mafiaboy. At the end of February, a sniffer is placed on the phone line which is believed to belong to the house in which he lives, and the Internet provider allocates several IP addresses that are exclusively used for the account that Mafiaboy uses. In this way, it becomes possible for the Canadian Police and the FBI to follow everything Mafiaboy does and says on the Internet. During this wiretapping, the agents also learn that Mafiaboy’s father may be a little rough around the edges, as he hires someone to raid one of his business connections due to some disagreement over a 1.5 Million dollar deal. In the middle of May, the police storm Mafiaboy’s home, Mafiaboy himself is not there because he is spending the night with a friend. When the police arrive at the friend’s home, Mafiaboy is already outside waiting.
Mafiaboy pleads guilty to most charges, and in September 2000 is sentenced to eight months in a youth prison. This story can be read in its entirety in the book by Dan Verton called ‘The Hacker Diaries’.
It is in the beginning of the 2000’s that the, up till then, strictly amateur scene slowly begins to become more ‘professional’, e.g., taken over by professional criminals, or the hackers themselves find out that they can make money from their hobby. The various amateurs are still there, but they are slowly becoming less of a threat to companies and governments. This is exemplified by the first Worldwide Carders Conference in 2002. A carder in this context, is a hacker specialized in the stealing and selling of credit cards, and Ukraine is the unofficial center of the world for this activity in the beginning of the 2000’s.
The conference takes place in Odessa in June 2002, with attendees from around the world. The attendees represent areas like Canada, Persian Gulf, and western Europe, demonstrating the international interest in the burgeoning professionalization and monetization of hacking. There we even invitations sent to potential participants form Australia and South-East Asia. One of the hackers on the Ukrainian scene was Dimitry Golubov, known as Script in the hacker environment, was one of the first hackers to realize the potential benefits of having websites dedicated to the trade in credit cards. This was how the infamous website Carder Planet came into being in 2001. Those of us with more than 20+ years in cybersecurity behind us probably remembers Carder Planet. It was a thorn in the side of law enforcement around the world for the four years the site existed.
Carder Planet’s primary role while it was in operation, was to act as a kind of Bazaar in the trade of stolen credit cards and data surrounding these cards, like PINs, account numbers and passwords. Many later sites copied this recipe and moved these sites to the underground economy on the deep web, using Tor services for instance, after the authorities learned how to penetrate and identify the people behind the various hacker handles that was used on Carder Planet.
The professionalization we saw back in the early 2000’s has only increased, since much of our economy has moved online. And since that is where the money is, the criminals has moved online as well.
The early 2000’s is also the time when the site 4chan is founded, home of, the now famous, hacker group Anonymous. 4chan was initially aimed at fans of Japanese Anime shows. You could post a picture and a comment, without giving your real name, anonymously. Hence, the name Anonymous. In the early years of anonymous, they mostly did trolling of sites like Habbo Hotel and Second Life. That is, until they found a common ground in going after a neo-Nazi radio station online, where they succeeded in bringing the host to his knees and robbing him of the option of paying for his radio station. This is going on around 2007.
The year 2008 comes by and Anonymous has consolidated into a kind of hacktivist group, with strong political opinions on things like the freedom of speech. An internal training video from Scientology gets leaked on the Internet, featuring a rambling Tom Cruise telling how Scientology is the be-all end-all of religions. Scientology has always been aggressive in the legal challenges to critics and their training material. As the video with Tom Cruise rapidly spreads around the Internet, Scientology is sending DCMAs, claiming ownership of the video. It gets many of the sites hosting this video to remove it, until Gawker –an online gossip website– pushes back against Scientology.
Anonymous has been a driving force behind the spread of the video takes this as a validation of their freedom of speech politics and goes on the attack against Scientology, in the same way they did with the neo-Nazi earlier: DoS-ing their websites repeatedly, calling their hotlines, and sending faxes in all black to the official fax number around the world. This fight between Anonymous and Scientology ended up in a global demonstration, where people that identified with Anonymous, or just frequented the 4chan website, showed up in front of Scientology buildings around the world, in number that shocked even Anonymous itself at the time. Anonymous is still active today, although for now their heydays was from mid 2000’s until 2010.
Before finishing this Part 2 of the History of Hacking, I would like to point to a secret experiment done back in March 2007. The experiment consisted of a 27-ton generator running in Idaho National Laboratory, brought in from an oil field in Alaska. The experiment was to see if a hacker could access and destroy this generator remotely, something that the experiment showed spectacularly, when the generator was brought to its knees within minutes of the remote hacker accessing the generator, showing conclusively that a remote hack could have a destructive effect on physical equipment. The experiment was secret at the time, but details was revealed in later years. Why have I brought this story, to a history of hacking? In the third and last part of this history of hacking, I will be covering part of the story behind the Stuxnet hack, destroying centrifuges in the Iranian nuclear project, and making hacking a force on the geopolitical arena.
I am sure that there are areas of the history so far that you are frustrated that I have not been covering. I will provide a summary at the end of the third and final article in this series, where you can find resources going into much more detail and covering a far wider range of topics on hacking history. Stay tuned!
Tom Madsen has been active in the cybersecurity industry for more than 20 years. Tom graduated from the University of Aalborg and covered several technical roles in security during his professional career. He is certified as CISSP, CISA, CISM, CGEIT, CRISK, CCSP, CDSPE and CSSLP, and has published the book "The Art of War for Cybersecurity". He is currently writing a book 'Security Architecture - How & Why'.