[ISN] Confessions of a hacker

From: InfoSec News (isn@private)
Date: Sun Oct 05 2003 - 23:25:19 PDT

  • Next message: InfoSec News: "[ISN] Game Biz Mystified by Code Theft"

    http://www.startribune.com/stories/789/4135449.html
    
    Eric Wieffering
    Star Tribune
    October 5, 2003
    
    By the age of 20, Benjamin Breuninger's life was a mess. Estranged
    from his mother and stepfather, a dropout with no job and months
    behind on his rent, he often went a day or more without eating.
    
    Online, he had a different life. There, he was Konceptor, a skilled
    hacker who broke into computer networks, defaced Web sites and
    strutted in online newsgroups such as alt.2600, where he closed his
    frequent postings with this warning: "The Keystroke is mightier than
    the Pen. And this is My GAME."
    
    In 2 1/2 years in the late 1990s, Breuninger hacked into dozens of
    computer systems. He peeked at the payroll of a nearby Taco Bell, left
    messages supporting Jesse Ventura on the St. Paul Public Library and
    KSTP radio Web sites and stole thousands of Internet e-mail accounts
    and passwords.
    
    Breuninger's online exploits ended when the FBI arrested him at his
    Bloomington apartment Sept. 11, 2000, for hacking into and downloading
    files from the Lawrence Livermore National Laboratory in California.
    
    Because his crime involved one computer system instead of thousands,
    Breuninger's arrest didn't generate the attention that greeted the
    August arrest of Jeffrey Parson, the Hopkins High School student
    accused of infecting 7,000 computers with a version of the Blaster
    computer worm. But security experts say Breuninger's hacking is more
    typical of the kind that is occurring daily.
    
    Often undetected or unreported, it originates in the bed rooms of
    teenage boys armed with sophisticated automated programs that can scan
    the Internet around the clock, probing for soft spots.
    
    An annual survey of 500 business, government and academic
    organizations by the FBI and the Computer Security Institute found
    that 56 percent of the respondents experienced unauthorized access to
    their computer networks this year, with estimated losses of $200
    million.
    
    Virus attacks are also surging. In 1996, one in 100 computers
    experienced a virus attack. By 2002, the figure was 10.5 per 100
    computers had been attacked, an increase of 950 percent.
    
    The most serious computer crimes -- extortion, theft of money or
    confidential trade secrets -- remain for the most part the work of
    disgruntled current and former employees and organized crime.  
    Breuninger, who began hacking at 18 and claims he never intentionally
    damaged a system he entered, didn't even bother to read the documents
    he downloaded from Lawrence Livermore.
    
    "The challenge was getting in and then letting them know I'd been
    there," he said.
    
    But others in his age bracket had more on their minds than just
    showing they could break in somewhere.
    
    Thomas Pae, 20, of Los Angeles, who was sentenced to 33 months in
    prison in August for hacking and fraud, cooked up his scheme while
    still in high school. "Mafia Boy," whose attacks on eBay, Amazon.com
    and other Web sites cost an estimated $1.7 billion in 1999, was a
    16-year-old Canadian high school student.
    
    The server that Breuninger and other Twin Cities hackers used --
    hellfire.damnation.net -- was operated by an Eden Prairie high school
    student.
    
    "For the current generation of kids, hacking into other people's
    computers is the video game of this decade," said Alan Paller,
    research director of the SANS Institute, a Maryland organization that
    studies computer security issues and provides training. "It's those
    attacks that companies spend most of their time and money protecting
    themselves against."
    
    Arrests for computer attacks are rare and convictions rarer still. The
    authors of the Code Red, Nimda and Slammer worms, which caused an
    estimated $5 billion in damage in the past two years, have never been
    caught.
    
    The FBI estimates that only 30 percent of computer crime victims even
    bother to report security breaches.
    
    The term hacker first appeared in the late 1950s and early 1960s to
    describe skilled computer programmers or engineers who tested the
    outer limits of software to make it better. Those who still adhere to
    that philosophy look down at the younger generation of "script
    kiddies," hackers who use automated programs to break into systems and
    virus writers who set out to damage computer systems.
    
    "They have a whole different attitude," said Todd, a 28-year-old Ham
    Lake resident who spoke on the condition of anonymity because he runs
    the Minnesota chapter of Defcon, a hackers group. "They don't want to
    learn how to write code. They want to find a quick way in."
    
    >From the beginning, the hacker culture, with its underground,
    anti-authority ethos and its celebration of technical mastery over
    education, has appealed to teenagers and young men.
    
    "For people who are no longer kids but not quite adults, hacking is an
    empowering concept," said Mark Rasch, former head of the Justice
    Department's computer crime unit and now a senior executive with
    Solutionary Inc., a Virginia computer security firm. "Imagine what it
    must feel like to say, 'I can take down the Department of Defense from
    my living room in Minneapolis.' "
    
    Most teenagers don't try to profit from their exploits, Rasch said,
    and get caught only because their immaturity leads to recklessness.
    
    Breuninger said he never tried to steal credit card numbers or poach
    Social Security numbers, though he had plenty of opportunity. On
    hacker newsgroups. he blasted "lamers" looking for easy ways to steal
    financial or personal information.
    
    "A true hacker plays the game to exploit systems," he wrote in one
    posting. "Sometimes the knowledge he gains can be severely damaging to
    the company, agency, etc. that he hacked. Would he give you, the
    lamer, the key to cripple the users of the computer system? I think
    not."
    
    A common bond
    
    No one groomed Breuninger to be a cyberpunk. He didn't even own a
    computer until 1997.
    
    In an interview, he describes an unhappy childhood on a farm in
    Cambridge, where his stepfather made him clean horse barns, dig
    fence-post holes and pull tree stumps. His closest companion in high
    school? His horse, Joey.
    
    Breuninger's first job was welding heavy machinery. He didn't get a
    computer until he enrolled in a computer-aided design program at
    Dunwoody Institute in Minneapolis.
    
    Within a year, Breuninger dropped out of Dunwoody, taught himself
    programming and immersed himself in Minnesota's hacking scene. At one
    point, he hacked into U.S. Internet Group, a Twin Cities Internet
    service provider, and stole 25,000 account user names and passwords.
    
    "That provided all the Internet access I needed," he said.
    
    An executive with U.S. Internet disputes the number of accounts but
    acknowledged that the company didn't learn about the breach until
    after Breuninger was arrested.
    
    As Konceptor, Breuninger rarely set out to hack a particular site. His
    greatest exploit, and the one that landed him a felony conviction, was
    chosen at random.
    
    A program he designed scanned the Internet for unprotected computers,
    and one at Lawrence Livermore popped up. Once in, Breuninger
    understood the gravity of hacking a government site, he said. But that
    didn't stop him from guessing the password of a system administrator's
    account, establishing an account for himself and leaving software on
    the system that ensured continued access.
    
    Breuninger was a regular at the Mall of America meetings of the hacker
    group 2600, where up to a dozen people between the ages of 14 and 30
    would gather monthly to swap stories and tips. He joined in late-night
    dumpster dives outside computer stores and office buildings in search
    of discarded parts. In the summer of 1999, he hitchhiked to and from
    Las Vegas for the annual Defcon hacker convention.
    
    "A lot of us wanted to belong to something," Breuninger said. "Our
    common bond was technology."
    
    Konceptor's postings got the attention of Paller, who invited
    Breuninger via an e-mail to that screen name to attend a computer
    security conference in Florida in October 1998. There, Breuninger
    played the "black hat" in a demonstration between a hacker and a
    computer security expert.
    
    Attendees remember a nice kid, more naive than malicious in describing
    his hacking.
    
    "What I remember most about him is that it was his [Breuninger's]
    first trip on an airplane, and he was clearly in awe of the
    experience," said Rob Kolstad, a systems administrator based in
    Colorado Springs who attended the conference and was introduced to
    Breuninger.
    
    By his 20th birthday in April 1999, Breuninger's hacking had become
    all-consuming. It was the height of the technology boom and companies
    were paying exorbitant salaries to people with his technical skills.  
    Breuninger had no clue and worked a series of temp jobs because they
    allowed him time to hack.
    
    When his father showed up at his apartment one day late in the summer
    of 1999, he was shocked by the sight of his son.
    
    "He was filthy, looked skinny, looked like he hadn't slept in days and
    was confused," Mark Breuninger wrote in a letter to the court after
    his son's arrest. "He had nowhere to go, no job, no car. His only
    thing was to be online."
    
    Mark Breuninger took his son to the Hennepin County Medical Center. He
    was put on medication for depression and began seeing a psychologist
    to treat what was described as an addiction to hacking and the
    Internet. He moved in with his father, who set strict limits on his
    computer time.
    
    Slowly, Breuninger began to rebuild his life. By February 2000 he had
    a new apartment, a new full-time job with Digi International in
    Minnetonka and his first girlfriend. He had stopped attending meetings
    of 2600 and no longer posted on newsgroups.
    
    "I dropped out completely," he said.
    
    By that time an employee at Conference Plus Inc. near Chicago had
    alerted the FBI that documents from Lawrence Livermore had been stored
    on its computer. During the summer of 2000, federal agents raided the
    house of the high school student who hosted hellfire.damnation.net.  
    Breuninger knew he was the real target. He called the FBI and, in a
    meeting a few days later, confessed.
    
    After his arrest, a member of 2600 tried to start a Konceptor legal
    fund. Breuninger begged him to quit.
    
    "I knew that what I was doing was illegal," he said.
    
    'Get a job'
    
    The black electronic bracelet on his right ankle is the only clue that
    Breuninger, now 24 and living in Mound, is a felon.
    
    "He struck me as a very intelligent, pleasant young man," said John
    Reichmuth, an assistant federal public defender in Oakland. "There are
    malignant hackers and benign hackers. This is not a person who was
    trying to do any harm to any of the systems that he worked with."
    
    Breuninger was sentenced to six months of home detention and four
    years' probation, and he was ordered to pay $20,000 in restitution.  
    His computer use is monitored, but he says going online no longer has
    any appeal.
    
    Breuninger lost his job at Digi a year after he was arrested and now
    installs and repairs computers and networks, getting paid by the job.
    
    Most people never see the monitoring device he wears, which is about
    as big as a chronograph watch and usually obscured by his trousers.  
    Still, Breuninger finds himself counting the days until Oct. 7, when
    the bracelet, and restrictions on his movement, come off.
    
    He'll probably have a beer, his first in more than six months. He may
    go rock climbing in California.
    
    He's not sure how to prevent others from repeating his mistakes, but
    he can offer a retrospective self-prescription.
    
    "I wish someone had made me get a job, get a girlfriend and get out of
    the house. If they had, I might not have gotten into trouble."
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomo@private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Mon Oct 06 2003 - 02:14:52 PDT