Information Security News mailing list archives

College student refutes charges he is high-level hacker


From: InfoSec News <isn () c4i org>
Date: Tue, 4 Dec 2001 02:49:42 -0600 (CST)

http://www.siliconvalley.com/docs/news/tech/078319.htm

Milwaukee Journal Sentinel 
Monday, Dec. 3, 2001 

On Dec. 8, 1999, a network administrator for Qualcomm Inc. called the
University of Wisconsin-Madison to report that he had traced a
break-in of his company's computer system back to the school.

Someone had obtained the highest level of access at Qualcomm, Scott
Kennedy told school officials. The intruder had stolen user names and
passwords and could sort through confidential company information.

By 3 o'clock the next morning, school police and a university
cybersleuth had cornered Jerome Heckenkamp in the stairwell of his
dormitory and asked for the password for his personal computer.

Court records say Heckenkamp chuckled when he gave it up.

``Hackme,'' he told them.

In two separate cases, government prosecutors accused Heckenkamp of
breaking into Qualcomm and other corporate computer systems while he
was a student. Heckenkamp, who they say called himself ``MagicFX,''
was also accused of tampering with an unidentified witness.

All told, prosecutors claim he caused more than $1 million damage, but
they have not detailed exactly what he did.

The first of his trials is set to begin Dec. 11 in San Diego. A second
will be held in San Jose. If convicted on all counts, Heckenkamp could
serve 120 years in prison and pay $5.75 million in fines.

Through his attorney, Heckenkamp, now 22, declined to be interviewed
for this story, but has said he is innocent and told university police
and students who lived in his dorm that someone -- he didn't know who
-- used his PC to break into other computers.

His case illustrates how investigators track down hackers and how
seriously corporations and the government take the prospect of illegal
entry into computer systems. It also raises contentious privacy issues
over how much control a college can have over a student's private
computer.

There also is Heckenkamp's own story.

A home-schooled prodigy from the Town of Lisbon, Wis., Heckenkamp
first went to college when he was 14 and worked at the Los Alamos
National Laboratory at the time of his arrest. He taught himself
algebra during his grade school years and spent only a year in public
school before going to University of Wisconsin-Waukesha.

At 16, he enrolled at UW-Madison, double-majored in math and computer
science, and finished a master's (degree) in computer science at 19.

But there were also signs well before his arrest that computers were
becoming a problem for Heckenkamp.

The Waukesha County Sheriff's Department visited the Heckenkamp home
four times in 1996 and 1999, records show. Three of the visits came
after disputes between Heckenkamp and his father over his use of the
computer.

The Qualcomm story begins in the fall of 1999 when the company's
security personnel noticed someone was breaking into their system. The
government charged that Heckenkamp first cracked into a computer at
the San Diego-based company on Oct. 12 and made a series of hacks on
Dec. 2 and Dec. 3.

According to court records, the hacker gained access to seven
different computers at the Fortune 500 company, stashed stolen user
names and passwords in encrypted files and left software on each
machine so he could come and go as he pleased.

The intruder obtained what is known as ``root'' authority -- the
highest level of control of a computer. That authority allowed the
person to modify files at will.

In a key misstep, the hacker left electronic footprints that allowed
Kennedy to track him across three computer networks to a cluster of
UW-Madison computers that handles e-mail for 60,000 people.

Kennedy called the school.

On Dec. 8, 1999, the university's network staff began combing through
its e-mail server, and just like at Qualcomm, found that someone had
grabbed user names and passwords and stored them in a file in the
school's computer.

``It was very worrisome,'' Jeffrey Savoy told the court in San Diego
during a hearing in July when the school network investigator
discovered someone had broken in and obtained root authority.

``You are allowed to do anything on that machine you want.''

As Savoy rummaged through the file of stolen user names and passwords,
he recognized the pilfered identities of several university employees
-- including his own.

PCs tied to the school's network have their own unique address, and in
a second mistake, the hacker failed to hide his own address, according
to the government. Savoy, who said under cross-examination that he is
sometimes called ``007 dotcom,'' was able to trace the address to
Heckenkamp.

Savoy was familiar with Heckenkamp because in 1997 university
officials had disciplined the student after an unauthorized break-in
of a Philadelphia Internet service provider. Savoy also knew that
Heckenkamp was close to finishing his master's (degree) in computer
science.

Savoy put a block on Heckenkamp's account so he could not get onto the
Internet.

With finals approaching, Savoy said he was alarmed that the hacker
could damage a key part of the school infrastructure.

When he got home that night, Savoy logged on again and discovered that
whoever was using Heckenkamp's account -- he thought it was
Heckenkamp -- had switched to another university account -- and was
back online.

``I felt a heightened alert (that UW-Madison's computers) could be
compromised,'' Savoy testified.

``If the intruder at this point knows that he's being investigated,
based on my past experiences, they could burn bridges and that could
entail destroying whole machines to cover their tracks.''

This is when Savoy used his security clearance to peer into the files
of the computer now in use under the switched account. He found hacker
tools. Savoy was almost certain he was dealing with Heckenkamp.

The FBI's office in San Diego, meanwhile, was talking to the FBI in
Madison, and Savoy and the UW-Madison police also were phoning back
and forth. Savoy and the police decided to go to Heckenkamp's dorm to
find out whose computer was involved.

Using housing records, they first went to the room assigned to the
account that had been switched. They woke up the students, examined
the contents of the computer and concluded it was not involved.

Then they went to Heckenkamp's room. The door was partially open.
Savoy could see that Heckenkamp's computer was connected to the school
network. According to court records, Savoy walked in and disconnected
it from the network.

As they left the room, Heckenkamp walked up. After Heckenkamp gave up
his password, Savoy asked to copy the contents of his hard drive, which
would tell authorities everything that was on the computer.

Here the testimony differs widely.

Heckenkamp said he did not give permission, but Savoy and several
police officers testified that he did.

Savoy found the same hacker tools that he had seen previously. Later
that day, the FBI obtained a search warrant and removed Heckenkamp's
Compaq Presario and other items, including the book, ``The Hacker
Crackdown.''

Jennifer Granick, Heckenkamp's attorney and clinical director at the
Center for Internet and Society at Stanford University, has frequently
assailed the government's overzealous prosecution of hacker cases.

In this case, she believes that UW-Madison and its police invaded
Heckenkamp's privacy.

Granick charges that Savoy improperly tapped Heckenkamp's private dorm
computer from a remote computer and looked through his files.

``The officers could have simply disconnected the computer from the
wall, walked out, closed the dorm room and waited for a warrant to
arrive,'' she said in court documents.

UW-Madison officials have defended Savoy's actions, and Federal Judge
Napoleon A. Jones Jr., who is presiding over the San Diego case, has
sided with the government by ruling that the school's searches were
proper and the evidence against Heckenkamp could be used in the trial.

But the privacy issue is not dead because the judge in San Jose has
agreed to take it up again.

The government has not publicly detailed Heckenkamp's alleged exploits
as MagicFX beyond charging that he hacked into a half dozen other
companies, including eBay Inc. and E*Trade Inc., over a
nine-month period.

Kevin Pursglove, a spokesman for eBay, said the company reported a
March 1999 hack into the company's network by someone purporting to be
MagicFX.

In 1999, a hacker identifying himself as MagicFX detailed to Forbes
magazine how he broke into eBay on March 13, 1999 -- Heckenkamp would
have been 19 -- and briefly took down the company's home page and
replaced it with a message that read, in part:

``Proof by MagicFX that you can't always trust people.''

MagicFX told Forbes he hacked eBay because he said he wanted to see
how large electronic commerce sites work. He also bragged that he had
broken into other sites, including monicalewinsky.com because he was
``anti-Clinton.''

Another curious aspect of Heckenkamp's case is that he was hired at
Los Alamos while under investigation by the FBI. The federal research
lab in New Mexico is where atomic weapons were developed and tested
during World War II.

Heckenkamp was hired in June 2000, about seven months after his dorm
room was searched. In July, the FBI told Los Alamos officials that
their new employee was a suspect in a spate of computer hacks.

Heckenkamp was arrested in January of this year in New Mexico while he
was working at Los Alamos. His job: Find vulnerabilities in the lab's
computer network.

``He was good at what he did, obviously,'' spokesman James D.
Danneskiold said.

While the lab was aware of an FBI investigation, ``an investigation
does not imply that someone is guilty of any crime,'' Danneskiold
said.

Heckenkamp was fired after his arrest.

``Heckenkamp's managers were very careful to make sure he had no
access to classified data whatsoever,'' Danneskiold said.

Although some of Heckenkamp's supporters say the government has tried
to settle the case, both the government and his lawyers declined to
comment on whether a plea bargain was discussed.

Only six hackers are currently serving time in federal prisons,
according to Kevin Poulsen, a convicted hacker turned journalist who
reports on computer security issues.

``It is almost unheard of for a hacker case to go to trial,'' Poulsen
said.

``This case, there is no confession. Normally hackers will talk about
it.''

Heckenkamp grew up in a part of the Town of Lisbon, where farm fields
mingle with subdivisions.

One of his closest friends is his cousin, Joel Heckenkamp, a student
at UW-Whitewater, who lived nearby.

Joel Heckenkamp said that his cousin does not fit the model of the
stereotypical hacker. While not a social gadfly, he did not seem
overly interested in computers, and he had other interests.

``We skateboarded and we built our own ramps,'' said Joel Heckenkamp,
now a college wrestler. ``We camped a lot and would go out into the
woods near Jerome's house.''

But even before his arrest, computers had gotten Heckenkamp into
trouble.

Heckenkamp was disciplined by UW-Madison in 1997 -- he would have been
about 16 -- for an unauthorized break-in to the Philadelphia ISP.
UW-Madison officials declined to elaborate on the matter.

When he was a teenager, there were disputes in 1996 and 1999 at home
involving his computer use -- prompting the visits from the Waukesha
County Sheriff's Department, records show.

In the last incident, on March 10, 1999 when he was 19, Jerome turned
over a chair in the living room and knocked a flashlight out of his
father's hand after Thomas Heckenkamp told his son he did not want him
to go on the Internet.

Charges of disorderly conduct against Jerome later were dropped.

``I don't think that it was so much about computers as it was the time
of the day he was using them,'' said Thomas Heckenkamp, a steadfast
defender of his son's innocence against the hacker charges.

Jerome Heckenkamp is free on $50,000 bond and now lives in San Jose so
he can help prepare for his trial. As a condition of his bond,
Heckenkamp cannot use the Internet.

He is doing computer work for a wealthy Californian who put up his
bail and is teaching at a private school founded by the businessman's
family. Joel Bumb's family business interests include Bay 101, a San
Jose gaming club and the San Jose Flea Market. The flea market is
reputed to be the largest venue of its kind in the country.

Bumb has read many of the documents in the case and is ``completely
convinced'' of Heckenkamp's innocence, he said in a fax to the
Milwaukee Journal Sentinel. He said his family and the Heckenkamp
family were introduced by a mutual friend.

``After meeting Jerome and becoming acquainted with him, I was taken
by his unassuming nature,'' Bumb said. ``Jerome mixes youthful
innocence with a mature view of the situation.''

Now, with his college days behind him, and the specter of two criminal
trials before him, that ``youthful innocence'' will be put to the
test.




-
ISN is currently hosted by Attrition.org
