17-year-old hacker penetrated DND network

[InfoSec News <isn () c4i org>]

http://www.nationalpost.com/news/national/story.html?f=/stories/20020119/1180544.html

Gary Dimmock
Ottawa Citizen
January 19, 2002

DALLAS, TEX. - The leader of an international hacker group that
penetrated over a Department of National Defence computer system in
1999 was a 17-year-old high school student who gained access to the
security network in 10 minutes from his mother's kitchen table.

Russell Sanford, now 19 and serving two years in a Texas prison,
designed complex software that exploited one of Canada's military
networks via its Website intermittently for three days.

"I wanted to show everyone how easy it was. I was thrilled to find
such a high-profile site with such a common security weakness," said
Sanford, whose story has gone untold until now.

"We wanted people to know how weak they actually were. Government
security is like a poker bluff. You think they are pretty secure, but
when you come down to it, they're not," he said.

A military computer-intrusion unit could not immediately identify how
the teenager breached its system. It took days to repair the system's
vulnerabilities.

Sanford, known as " egodeath" on the Internet, did not access or
intercept any classified data. Instead, he left instructions on how
DND could better protect its network.

" I didn't do anything malicious although I could have," he said.

"Once I broke in, it was as if I was sitting at their keyboard."

He was not doing it for money, but for the thrill. "Once you find a
vulnerability and squeeze through the hole, it gives you personal
satisfaction that is hard to describe. For me, it's better than sex
and the feeling certainly lasts longer."

It took U.S. investigators a year to build their case against the him.  
He always hacked into a dozen or more shell computers before launching
his attacks, making him nearly impossible to track. And he used
different aliases, or digital alter-egos to claim responsibility.

"The DND site was an easy target. It was pretty weak. At the time,
there were all kinds of patches they could have downloaded for free to
fix the problem, but they never did."

In a three-month period ending in January, 2000, "egodeath" hacked
into about 80 computer networks, including the United States Postal
Service.

"We were going for a record and we were on a rampage."

Most of his " accomplishments" were recorded at attrition.org, a
non-profit Website that tracks hacker activity, and his late-night
game sparked an intense investigation by U.S. authorities.

It was his partner, a less experienced, easy-to-track hacker, who got
caught. The 15-year-old boy was spared prosecution for turning
evidence against Sanford.

Months later, U.S. law enforcement agents raided Sanford's home in
Irving, Tex., a Dallas suburb, seizing his computers and rousing him
from sleep for questioning.

On Dec. 6, 2000, Judge Karen Greene spared him jail time, sentencing
him to five years' probation on condition that he keep the peace, stay
offline, submit to random polygraph tests for proof and pay US$45,000
in restitution -- the value prosecutors said he caused in damage,
although none of the hacked sites denied service to the public.

In January, 2001, Sanford violated his probation by selling LSD. The
judge revoked his probation and sentenced him to two years in Hutchins
State Jail. Though he believes he has lost two years of his life to
state prison, he says his time behind bars has turned his life around.

"If I can stay off drugs in here, I'll be able to do it once I'm out,"  
he said.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.