http://www.thetimes.co.uk/article/0,,2-117895,00.html BY SIMON DE BRUXELLES SATURDAY APRIL 21 2001 A TEENAGE computer hacker whose victims included Bill Gates was told yesterday that he faces jail for security breaches that are estimated to have cost 2 million. Raphael Gray, a student aged 19, hacked into American corporate databases from his bedroom at his familys cottage in a small Welsh village. He said he wanted to demonstrate that Internet shopping sites were so vulnerable to intruders that you could teach your grandmother to do it. Calling himself the Saint of e-commerce, he stole details of 23,000 credit cards and posted them on his website. One card belonged to Mr Gates, founder of Microsoft and the worlds richest man. Gray ordered a course of Viagra to be sent to the tycoon. Gray was caught at the keyboard of his 800 computer when FBI agents and police raided his familys home in in Clynderwen, near Narberth, Pembrokeshire. The FBI had spent a month tracking his activities, and an agent was present yesterday in court in Merthyr Tydfil. The court was told that the teenager had been going through a rebellious phase after his personality was changed by a bang on the head in a school playground at the age of 14. His counsel, Colin Nicholls, QC, said: The fall left him depressed and rebellious. He was obsessed by his crusade. He is a highly strung man going through an abnormal phase in his life. However, Judge Gareth Davies told Gray: This case very definitely crosses the custody threshold. Gray had said that he was merely drawing attention to lax security by on-line retailers, and that there had been no warning that access was prohibited. Leighton Davies, for the prosecution, compared this to a burglar who claimed that he was not guilty because the householder had left his window open. The criminal crusade perpetuated by the defendant was wholly unnecessary and extreme, he said. As a result of Grays activities, one company folded, another stopped trading and Visa International incurred costs of 250,000 installing new security. The FBI estimates that he cost the dot-com industry a total of 2 million. Mr Davies said: Gray somewhat romantically styled himself as the Saint of e-commerce that was the name of one of his websites he ran through his home PC. Gray was on a criminal crusade to publicise the dangers of shopping on the Internet. He plundered names, addresses and credit card details of thousands of customers. He found the details on databases held by a variety of Internet retailers in Britain and abroad. He targeted e-commerce sites whose computer systems were run by a Microsoft programme which suffered a security weakness. This allowed hackers to access information stored on the databases without authorisation. The investigation into Grays activities involved law enforcement agencies in the US, Canada, the Far East and Great Britain. On one of his websites, he boasted: Law enforcement officials could not hack their way out of a paper bag. They are people who get paid to do nothing. They never actually catch anybody. But he was wrong. The FBI and the Royal Canadian Mounted Police discovered that he had made an error in the programme he used to extract customer details. The programme was intended to crash the site after Gray had obtained the information, thus destroying evidence, but it failed to do so. Using clues in the programme, the investigators traced its origin to the cottage where he lived with his mother and two young sisters. Sentencing was adjourned for medical reports. Gray had previously admitted ten offences of unlawfully accessing corporate websites under the 1990 Computer Misuse Act. Yesterday he pleaded guilty to two further charges of deception and admitted posing as a Microsoft software programmer to obtain a 1,400 Sony laptop computer. He also admitted fraudulently used a Debenhams store card to buy clothes worth 419. After the hearing, Gray said: It was just click, click, click and I was downloading thousands of credit card numbers. You could teach your grandmother to do it. I did the honest thing and told the sites that I was able to access this sensitive information but I was ignored. Thats why I posted the information on the Internet. At the end of the day I was left with no choice. People take all sorts of security precautions about their homes and belongings. The same sort of security should apply to ecommerce but it doesnt. Gray said he knew that he was being arrested by an FBI agent. He spoke with an American accent and was wearing a trench coat. It was a bit heavy-handed there were eight local police officers in a riot van so it was an unusual sight in our village at 8am. He said that he was about to give up his studies to work in computer security. His case is also due to feature in a cybercrime exhibition at the Science Museum in London. Mike Vatis, director of the FBIs national infrastructure protection centre, said: He committed a federal crime, whether the state of security is good or poor. The case has shown that cybercriminals cannot hide behind international boundaries. ISN is hosted by SecurityFocus.com --- To unsubscribe email LISTSERVat_private with a message body of "SIGNOFF ISN".
This archive was generated by hypermail 2b30 : Sun Apr 22 2001 - 02:00:26 PDT