A group of teen-age computer crackers allegedly used thousands of stolen Internet accounts to probe the networks of two national nuclear weapons laboratories, according to law enforcement authorities in California.
At least five crackers, ages 15 to 17, compromised accounts at 17 Internet service providers in the U.S., Romania and Australia and used the accounts to attack nine targets including the Sandia and Oak Ridge National Laboratories and Harvard University, according to Capt. Jan Hoganson of the Sacramento Valley High-Tech Crimes Task Force in California. The crackers managed to gain root access to computers at Harvard, Hoganson said, but just scanned the national lab networks to look for vulnerabilities. The intruders stole 200,000 accounts alone from San Francisco-based Pacific Bell Internet Services for use in the attack.
According to Hoganson, the stolen accounts were used to scan for open network ports at the labs, which could be used for subsequent attacks. Hoganson emphasized that the laboratory networks themselves weren't compromised. He said law enforcement authorities were notified of the scans Dec. 7, by an El Dorado Hills, Calif.-based Internet service provider called InnerCite, which had received complaints from the labs that accounts it hosted were used in the scans.
"The feds say it was an unwelcome visit, but there was no criminal action committed," said Hoganson, who likened the action to nighttime intruders rattling the doorknobs of a locked business. "Fortunately, the ISP preserved the evidence," he said.
Damian Frisby, a detective with the Sacramento Valley High-Tech Crimes Task Force, said the FBI is now contacting other service providers from which accounts were allegedly stolen. He said the young intruders, who allegedly belong to a cracking group called Global Hell, had been tracked down and contacted by authorities after they bragged of their exploits in Internet chat rooms. While no charges have yet been filed, Frisby said he expects that some of the attackers will eventually be charged with unlawful access of a computer and possibly grand theft.
"One of the first things an ISP considers is to shut these people down -- which is great for security and stops the attack, but it makes it hard for us to track them down," said Frisby. "They should contact law enforcement, but they have to make the decision whether to track them down or cut them off, and we can't tell them what to do."
Frisby noted that while some of the compromised Internet service providers had chosen to cooperate with law enforcement, one, PSINet Inc. in Herndon, Va., demanded a search warrant before taking any action. "We don't want to violate anyone's rights, but it delays the process," said Frisby. PSINet wasn't available to comment on the request.
While the investigation is ongoing, Frisby said service providers should guard against the theft of account data by taking care to update operating systems with current security patches and maintain effective firewalls. "It is a hard job to do because there are new exploits everyday," he said.
Frisby added that many of the compromised Pac Bell accounts used passwords that were easy to uncover using standard dictionary programs that search for known words. He said the attackers somehow obtained a list of 200,000 Pac Bell user accounts and were able to successfully steal the passwords for about 95,000 accounts.
Michelle Strykowski, a spokeswoman for Pacific Bell Internet Services, a subsidiary of SBC Communications Inc., based in San Antonio, disputed the number of compromised passwords. Strykowski said 63,000 passwords had been decoded, but Pac Bell was still unsure how the accounts were compromised. She said there has been no indication that the account information has been abused elsewhere and no customers have complained.
According to Strykowski, the company sent an advisory to customers Jan. 7, warning of a security breach and advising them to change their passwords to include uppercase and lowercase characters, symbols and numbers, which makes them more difficult to crack. She said Pac Bell's 330,000 California Internet customers were also advised to change their passwords every 90 days and to not use the same passwords for a number of different accounts.
"Security is a top priority for Pacific Bell, and we are working closely with the police, but these hackers have proved to the Internet as a whole that we must maintain vigilance," said Strykowski, who noted that the Global Hell cracking group had also compromised Web sites at the FBI and the White House.
"All other ISPs, like Pac Bell, have to constantly scrutinize security and make recommendations to customers to be responsible Internet users and change their passwords."