[ISN] Teenage hacker faces jail over Bill Gates stunt

From: InfoSec News (isnat_private)
Date: Sat Apr 21 2001 - 00:26:23 PDT


    http://www.thetimes.co.uk/article/0,,2-117895,00.html
    
    BY SIMON DE BRUXELLES
    SATURDAY APRIL 21 2001
    
    A TEENAGE computer hacker whose victims included Bill Gates was told
    yesterday that he faces jail for security breaches that are estimated
    to have cost £2 million.
    
    Raphael Gray, a student aged 19, hacked into American corporate
    databases from his bedroom at his family's cottage in a small Welsh
    village. He said he wanted to demonstrate that Internet shopping sites
    were so vulnerable to intruders that "you could teach your grandmother
    to do it".
    
    Calling himself "the Saint of e-commerce", he stole details of 23,000
    credit cards and posted them on his website. One card belonged to Mr
    Gates, founder of Microsoft and the world's richest man. Gray ordered a
    course of Viagra to be sent to the tycoon.
    
    Gray was caught at the keyboard of his £800 computer when FBI agents
    and police raided his family's home in Clynderwen, near Narberth,
    Pembrokeshire. The FBI had spent a month tracking his activities, and
    an agent was present yesterday in court in Merthyr Tydfil.
    
    The court was told that the teenager had been going through a
    rebellious phase after his personality was changed by a bang on the
    head in a school playground at the age of 14. His counsel, Colin
    Nicholls, QC, said: "The fall left him depressed and rebellious. He was
    obsessed by his crusade. He is a highly strung man going through an
    abnormal phase in his life."
    
    However, Judge Gareth Davies told Gray: "This case very definitely
    crosses the custody threshold."
    
    Gray had said that he was merely drawing attention to lax security by
    on-line retailers, and that there had been no warning that access was
    prohibited. Leighton Davies, for the prosecution, compared this to a
    burglar who claimed that he was not guilty because the householder had
    left his window open.
    
    "The criminal crusade perpetuated by the defendant was wholly
    unnecessary and extreme," he said. As a result of Gray's activities, one
    company folded, another stopped trading and Visa International
    incurred costs of £250,000 installing new security. The FBI estimates
    that he cost the dot-com industry a total of £2 million.
    
    Mr Davies said: "Gray somewhat romantically styled himself as the Saint
    of e-commerce - that was the name of one of his websites he ran through
    his home PC. Gray was on a criminal crusade to publicise the dangers
    of shopping on the Internet."
    
    He plundered names, addresses and credit card details of thousands of
    customers. He found the details on databases held by a variety of
    Internet retailers in Britain and abroad.
    
    He targeted e-commerce sites whose computer systems were run by a
    Microsoft programme which suffered a security weakness. This allowed
    hackers to access information stored on the databases without
    authorisation.
    
    The investigation into Gray's activities involved law enforcement
    agencies in the US, Canada, the Far East and Great Britain. On one of
    his websites, he boasted: "Law enforcement officials could not hack
    their way out of a paper bag. They are people who get paid to do
    nothing. They never actually catch anybody."
    
    But he was wrong. The FBI and the Royal Canadian Mounted Police
    discovered that he had made an error in the programme he used to
    extract customer details. The programme was intended to crash the site
    after Gray had obtained the information, thus destroying evidence, but
    it failed to do so. Using clues in the programme, the investigators
    traced its origin to the cottage where he lived with his mother and
    two young sisters.
    
    Sentencing was adjourned for medical reports. Gray had previously
    admitted ten offences of unlawfully accessing corporate websites under
    the 1990 Computer Misuse Act. Yesterday he pleaded guilty to two
    further charges of deception and admitted posing as a Microsoft
    software programmer to obtain a £1,400 Sony laptop computer. He also
    admitted fraudulently using a Debenhams store card to buy clothes worth
    £419.
    
    After the hearing, Gray said: "It was just click, click, click and I
    was downloading thousands of credit card numbers. You could teach your
    grandmother to do it. I did the honest thing and told the sites that I
    was able to access this sensitive information but I was ignored. That's
    why I posted the information on the Internet. At the end of the day I
    was left with no choice. People take all sorts of security precautions
    about their homes and belongings. The same sort of security should
    apply to ecommerce but it doesn't."
    
    Gray said he knew that he was being arrested by an FBI agent. "He spoke
    with an American accent and was wearing a trench coat. It was a bit
    heavy-handed - there were eight local police officers in a riot van so
    it was an unusual sight in our village at 8am."
    
    He said that he was about to give up his studies to work in computer
    security. His case is also due to feature in a cybercrime exhibition
    at the Science Museum in London.
    
    Mike Vatis, director of the FBI's national infrastructure protection
    centre, said: "He committed a federal crime, whether the state of
    security is good or poor. The case has shown that cybercriminals
    cannot hide behind international boundaries."
    
    ISN is hosted by SecurityFocus.com
    


