Canadian law enforcement officials contend that the hacker who last week admitted responsibility for one of the most notorious attacks ever on commercial computer networks was no more than a youth with a tool and the instructions to use it. Details of the story of the 16-year-old Montreal youth known as “Mafiaboy” that have come out in the wake of his plea, though, have renewed controversy over how easy it is to create havoc on the Internet.
Mafiaboy was not scripting code or devising his own hacker exploits, law enforcement officials contend. Nearly a year after Mafiaboy’s attack, observers in the computer security community agree that, yes, it still is not that hard to conduct a denial of service (DoS) attack and locate some sort of vulnerability in a network.
Mafiaboy’s lawyer disagrees, however, and suggests that if it were that easy, the Internet would have seen other crippling attacks on commercial networks since his client’s admitted exploits in February 2000. He also suggests his client is much brighter than authorities suggest.
“If he used all his powers, he could have done unimaginable damage,”said Yan Romanowski, the boy’s attorney in Montreal.
Mafiaboy never spoke with authorities directly about his online exploits attacking 11 corporate giant’s networks. Information gathered in the case and the plea entered through his lawyer, however, offer concrete evidence that his keystrokes caused major problems for the likes of Amazon.com Inc., eBay Inc. and Yahoo Inc. for various periods of time between Feb. 6 and Feb. 14, 2000.
The scope of Mafiaboy’s doings prompted U.S. and Canadian authorities to seek out the origin of the hacker attacks, which would lead to an early morning raid on his family’s home in Montreal. The capture of the boy, who now just wants to go on with his life, was caused by straightforward police work and his bragging about his hacker capabilities.
“So good the police would never catch him”
On Feb. 14, 2000, Cpl. Marc Gosselin with the Royal Canadian Mounted Police (RCMP) in Montreal was notified by U.S. Federal Bureau of Investigation (FBI) investigators that the trail to a hacker possibly responsible for several DoS attacks during the previous eight days led over the Canadian border. FBI investigators had learned that a hacker was bragging about the attacks in online chat rooms and on a Web page.
The FBI had seen that a hacker named Mafiaboy was boasting about attacks on Dell Computer Corp.’s Dell.com site, and appeared to be the only hacker familiar with the attack. In addition, FBI investigators were able to associate IP (Internet Protocol) addresses with the DoS attacks — and one of the addresses was for the hacker Mafiaboy’s Web page, said Gosselin, the RCMP’s lead investigator on the case.
The IP addresses came from the ISPs (Internet Service Providers) TotalNet Inc. and DSupernet in Montreal. Gosselin and his colleagues proceeded to obtain a warrant to review the hacker’s accounts.
“That was a good lead,” Gosselin said. “I was able to make a link with the phone numbers” belonging to Mafiaboy’s family’s home.
Police then obtained a warrant to utilize technology that would show all the incoming and outgoing traffic from the residential phone line. Soon it was established that the TotalNet account used in the attacks was registered to the hacker’s father.
Eleven days into their investigation, Canadian authorities were given a warrant for a wire tap. Investigators soon learned definitively who ‘Mafiaboy’ was, Gosselin said.
“He was talking to friends, bragging about his skills,” Gosselin said. “He said he was so good that the police would never catch him,” he recalled.
“It was more of a challenge”
Attorney Romanowski had never worked on a case about hacking in his law career. In fact, he suggests no one in the Canadian province of Quebec had worked on a computer hacking case of the magnitude that he was given on April 15 after the RCMP raided the home of the hacker at 2:30 in the morning. Romanowski was chosen because the boy’s father had hired him before for legal counsel, he said.
During approximately two months of off-and-on legal work, Romanowski would learn about his young client and learn about technology.
“He is not the nerd type,” Romanowski said. “He is not the guy who will only talk about computers. He used to attend school, play basketball.”
The boy’s computer interests started young with Nintendo of America Inc. and later games on the computer, he said. His parents separated more than 10 years ago and for much of that time he lived with his mother, Romanowski said. For the past two years, however, he has been living with his 46-year-old father.
Romanowski said his clients’ interest in hacking was fueled not by the interest in causing damage.
“He is not part of a group that intentionally has the objective of creating damage or sending a political message,” he said. “There is an aspect of challenge amongst hackers. There is challenge amongst them to do what — to gain a prestige of what you can do. When you are in that, it is one thing to show them a certain knowledge and know how, but not that everything is permissible.”
“The Impact to Sites”
The challenge Mafiaboy got out of the hacking, however, created headaches for network administrators
On Feb. 8, network administrators for Time Warner Company’s CNN.com started to notice that their site was slowing down around 7 p.m., said company spokesman Paul Schur. The night was otherwise not a heavy traffic night as there was no major breaking news to report, he said.
The DoS attack never shut down the news providers site, but it did slow it down.
“Our site was never taken down,” Schur said. “We continued to serve content throughout the attacks. Our content was never compromised. Since we are used to breaking news, we are used to having large spikes in use. Although it was slow, content was served throughout.”
The attack began at 7 p.m. and by 8:30 p.m. CNN’s service providers had successfully protected CNN’s site from the attack. CNN has a significant amount of bandwidth to deal with traffic for breaking news and Schur said the slowdown demonstrates how serious the attack was.
Buy.com Inc. also was hit with a DoS attack on the morning of Feb.8, which caused its Web site to become virtually inaccessible. At the time, the company’s chief executive released a statement indicating the magnitude of the attack.
“We had 800M bits per second hit our site, which equals eight times our capacity,” said Greg Hawkins, Buy.com’s chief executive officer.
A day later, online brokerage firm ETrade Group Inc. reported that customers had difficulty gaining access to its site, but that its site remained functional throughout the DoS attack.
In total, 11 sites were attacked and investigators suggest that it cost some US$1.7 billion in damage, from network downtime, to lost sales and lost stock trades. Romanowski disputes the figure.
“He is not a very good hacker”
RCMP investigators learned Mafiaboy gained illegal access to 75 computers in 52 different networks, Gosselin said. Forty-eight of 52 networks were at universities. He used networks in Canada, Korea, Denmark and the U.S.
Once he hacked into the networks Mafiaboy planted a DoS tool on them — a tool he got from a hacker named Sinkhole, Gosselin said. Sinkhole told Mafiaboy not to use the tool for malicious purposes once Mafiaboy registered it under his own name, Gosselin said. But the same tool, in fact, was used on the February DoS attacks on CNN.com and other sites. The software used was what is known as an IMP tool, according to Gosselin and Jean Pierre Roy, staff sergeant in charge of the RCMP’s Computer Investigation and Support Unit in Montreal.
A copy of the tool was located on networks at the University of California Santa Barbara and the University of Alberta, Gosselin said. The copy found on the University of California Santa Barbara was registered to Mafiaboy and to Short, another one of the boy’s handles, he said.
Mafiaboy used a distributed denial of service attack (DDoS) on the network victims, law enforcement officials say. In a DDoS attack, phony requests are made to networks from various other networks or computers on the Internet. In a traditional DoS, the requests would come from only one computer.
Romanowski would not discuss his client’s hacking methods. He did confirm that his client disposed of his hard drive, which is believed to have had hacking evidence on it.The RCMP did not have its facts straight on how Mafiaboy waged the DoS attacks, he says.
“Had we gone to trial, we are convinced we could have brought (about) a reasonable doubt in four to eight months,” he said.
Getting ahold of a DDoS or a DoS tool is not that difficult, said Richard Smith, an Internet security consultant based in Brookline, Massachusetts.
“They are just in Web sites in search engines,” he said. They often are in news releases from security groups, he said.
In general, the tools are installed on someone else’s computer and the command controls are held on the hacker’s base computer. The attack software allows a flood of messages to be sent to the desired victim. Routers connecting the victim sites to the rest of the Internet become inundated with so much traffic that they eventually can not cope.
Mafiaboy was using a tool that could send an estimated 10,700 phony information requests in 10 seconds, Gosselin said.
“You can dictate how much you want to flood,” he said. “It is fairly easy to use if you read the instructions … He is not a very good hacker. We never saw him trying to write anything. He learned a bit about the Net and TCP/IP (Transmission Control Protocol/Internet Protocol).”
Mafiaboy’s attorney Romanowski disagrees with the RCMP’s assessment.
“It wasn’t that simple,” he said. “(The tool) had to be modified, adjusted, changed…He got a copy and it could do certain things and then he modified it and it could do terrible results and it is still possible today.”
This type of attack is not difficult to administer, in general, said Mark Rasch, vice president for cyberlaw at Predictive Systems Inc. in Reston, Virginia, and the former head of the Computer Crime Unit at the U.S. Department of Justice.
“It is not to say everyone can do it, but if a hacker is willing to put the time and in to it, it can be done, he said.
Mafiaboy still dreams of a future in computers
Mafiaboy admitted his part in the DoS attacks before the Youth Court of Quebec in Montreal on Jan. 18. He pleaded guilty to five counts of mischief, 51 counts of illegal access to a computer and one count of breach of bail conditions. He will be sentenced on April 17 and 18.
Judge Gills Ouellet will have broad discretion on a sentencing, ranging from a fine to detention.
The boy has dropped out of school and works as a steakhouse busboy. He is no longer using a computer but reading about them, Romanowski said. At the time of his arrest he had three computers in his room. He now wants to go back to school and eventually study computers.
“He is anxious to get back using computers,” Romanowski said.
His client also feels regret for the damage he has caused, despite police claims that he hacked with the intention of causing trouble.
“If today, if placed in the same position, he would have contacted the companies and told them there was a major flaw in their security,” Romanowski said. ” At the time, it was the last thing on his mind. It was more of a challenge. It was not to willfully to cause damage…He had difficulty believing that such companies as Yahoo had not put in place security measures to stop him. He got results.”