http://www.thetimes.co.uk/article/0,,2-117895,00.html
BY SIMON DE BRUXELLES
SATURDAY APRIL 21 2001
A TEENAGE computer hacker whose victims included Bill Gates was told
yesterday that he faces jail for security breaches that are estimated
to have cost 2 million.
Raphael Gray, a student aged 19, hacked into American corporate
databases from his bedroom at his familys cottage in a small Welsh
village. He said he wanted to demonstrate that Internet shopping sites
were so vulnerable to intruders that you could teach your grandmother
to do it.
Calling himself the Saint of e-commerce, he stole details of 23,000
credit cards and posted them on his website. One card belonged to Mr
Gates, founder of Microsoft and the worlds richest man. Gray ordered a
course of Viagra to be sent to the tycoon.
Gray was caught at the keyboard of his 800 computer when FBI agents
and police raided his familys home in in Clynderwen, near Narberth,
Pembrokeshire. The FBI had spent a month tracking his activities, and
an agent was present yesterday in court in Merthyr Tydfil.
The court was told that the teenager had been going through a
rebellious phase after his personality was changed by a bang on the
head in a school playground at the age of 14. His counsel, Colin
Nicholls, QC, said: The fall left him depressed and rebellious. He was
obsessed by his crusade. He is a highly strung man going through an
abnormal phase in his life.
However, Judge Gareth Davies told Gray: This case very definitely
crosses the custody threshold.
Gray had said that he was merely drawing attention to lax security by
on-line retailers, and that there had been no warning that access was
prohibited. Leighton Davies, for the prosecution, compared this to a
burglar who claimed that he was not guilty because the householder had
left his window open.
The criminal crusade perpetuated by the defendant was wholly
unnecessary and extreme, he said. As a result of Grays activities, one
company folded, another stopped trading and Visa International
incurred costs of 250,000 installing new security. The FBI estimates
that he cost the dot-com industry a total of 2 million.
Mr Davies said: Gray somewhat romantically styled himself as the Saint
of e-commerce that was the name of one of his websites he ran through
his home PC. Gray was on a criminal crusade to publicise the dangers
of shopping on the Internet.
He plundered names, addresses and credit card details of thousands of
customers. He found the details on databases held by a variety of
Internet retailers in Britain and abroad.
He targeted e-commerce sites whose computer systems were run by a
Microsoft programme which suffered a security weakness. This allowed
hackers to access information stored on the databases without
authorisation.
The investigation into Grays activities involved law enforcement
agencies in the US, Canada, the Far East and Great Britain. On one of
his websites, he boasted: Law enforcement officials could not hack
their way out of a paper bag. They are people who get paid to do
nothing. They never actually catch anybody.
But he was wrong. The FBI and the Royal Canadian Mounted Police
discovered that he had made an error in the programme he used to
extract customer details. The programme was intended to crash the site
after Gray had obtained the information, thus destroying evidence, but
it failed to do so. Using clues in the programme, the investigators
traced its origin to the cottage where he lived with his mother and
two young sisters.
Sentencing was adjourned for medical reports. Gray had previously
admitted ten offences of unlawfully accessing corporate websites under
the 1990 Computer Misuse Act. Yesterday he pleaded guilty to two
further charges of deception and admitted posing as a Microsoft
software programmer to obtain a 1,400 Sony laptop computer. He also
admitted fraudulently used a Debenhams store card to buy clothes worth
419.
After the hearing, Gray said: It was just click, click, click and I
was downloading thousands of credit card numbers. You could teach your
grandmother to do it. I did the honest thing and told the sites that I
was able to access this sensitive information but I was ignored. Thats
why I posted the information on the Internet. At the end of the day I
was left with no choice. People take all sorts of security precautions
about their homes and belongings. The same sort of security should
apply to ecommerce but it doesnt.
Gray said he knew that he was being arrested by an FBI agent. He spoke
with an American accent and was wearing a trench coat. It was a bit
heavy-handed there were eight local police officers in a riot van so
it was an unusual sight in our village at 8am.
He said that he was about to give up his studies to work in computer
security. His case is also due to feature in a cybercrime exhibition
at the Science Museum in London.
Mike Vatis, director of the FBIs national infrastructure protection
centre, said: He committed a federal crime, whether the state of
security is good or poor. The case has shown that cybercriminals
cannot hide behind international boundaries.
ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV@SecurityFocus.com with a message body of
"SIGNOFF ISN".
Received on Sun Apr 22 15:44 CDT 2001