[ISN] Curador's Victims Included 'Bill J. Clinton'

From: InfoSec News (isnat_private)
Date: Tue Apr 24 2001 - 13:40:55 PDT

    http://www.internetnews.com/wd-news/article/0,,10_751441,00.html
    
    By Brian McWilliams
    April 24, 2001
    
    Raphael Gray, the Welsh computer attacker who is awaiting sentencing
    for a string of online shopping site break-ins, counts Bill Gates
    among his victims. But an investigation by InternetNews has revealed
    that Microsoft's chairman is not the only high-profile name among the
    thousands of credit card records Gray stole during a hacking spree
    last year.
    
    Former US President William "Bill" J. Clinton and political
    commentator and Reform Party candidate Patrick "Pat" J. Buchanan
    were also among the names of victims listed in a customer database
    Gray lifted from Salesgate.com, a Buffalo, NY-based ecommerce
    provider.
    
    But then again, so too were "Test Test" and "Beavis Butt" among the
    6,000 Salesgate customer records Gray reposted at his own web site and
    sent to InternetNews on February 18, 2000.
    
    "Those were tests ... when we first tested the order process, we chose
    names that would obviously not be the real people so that we would
    know they were tests. And so Bill Clinton was one of the names we
    chose," said Chris Keller, the manager of Salesgate.com, which went
    out of business in April 2000, one month after Gray was arrested by
    Welsh police and the FBI at his home in Clynderwen, Wales.
    
    Similarly, Tim Ward, the operator of another site Gray hit, said that
    bogus names sometimes turn up in the customer order records of online
    merchants.
    
    "From time to time we have had jokes where somebody puts in a funny
    name like Ben Dover, or something like that. It happens, but we just
    ignore it," said Ward, the owner of Feelgoodfalls.com, an online
    pharmacy Gray pilfered on February 21, 2000.
    
    These admissions raise new doubts about the accuracy of recent reports
    by several media outlets, including the London Times, The Sun, and
    Wired News, that Gray had not only obtained Gates' credit card number
    from one of his victim sites but also had ordered "a course of Viagra
    to be sent to the tycoon," as the Times put it.
    
    Gray has not revealed the name of the site from which he obtained the
    Microsoft leader's card number. Spokesperson Jim Desler told
    InternetNews Tuesday that the reports about Gates' credit card and
    Viagra were "bogus."
    
    "We have absolutely no knowledge of any incident and have not been
    contacted by any law enforcement about this matter. We checked that
    number and it's just not a number that Gates has. The number just
    doesn't check out," said Desler.
    
    But Rob Rosenberger, operator of the VirusMyths.com site, says many
    people will be more inclined to trust the claims of hackers than the
    denials of public relations officials.
    
    "But I'm telling you, I'll believe the PR guy because hackers
    reflexively lie. Stories like this get legs because we can see
    plausibility, but this is how Internet legends get started," said
    Rosenberger, who notes that programmers often use the names of famous
    people or characters from movies or literature as dummy data when they
    are testing software.
    
    A visit to a mirror of the site where Gray made his original boast
    reveals that the credit card number he claimed was Gates' is missing
    digits and does not follow any algorithm used by credit card
    companies. The source of the Viagra story appears to have come from an
    offhand comment Gray made at another site, a copy of which is archived
    here.
    
    Gray's boasts about Gates' credit card were first reported as fact
    last March by the UK's Telegraph, a story that was later picked up by
    Reuters, which provides news feeds to media outlets around the world,
    such as ZDnet.
    
    Gray was to be sentenced on six counts of unauthorized computer access
    last Friday, but the judge postponed sentencing pending medical tests,
    which are expected to take several weeks. Gray is free on bail in the
    meantime. Under Britain's Computer Misuse Act of 1990, he faces up to
    one year in prison for the intrusions, which the FBI estimated caused
    damages of $3 million.
    
    ISN is hosted by SecurityFocus.com
    


