Hacker Case Arrest Belies Real Challenge, Experts Say

TIMES STAFF WRITERS

Two months into their hunt for the hackers behind February’s crippling attacks on leading Internet sites, authorities’ announcement Wednesday that they had arrested a 15-year-old in Montreal appears to resolve only part of an immense and intricate case.

And perhaps only the easiest part.

The teenager, known online as “Mafiaboy,” has so far been connected to only one of more than half a dozen attacks. He appears to have made a number of clumsy mistakes that made investigators’ work easier. And many security experts believe that law enforcement is now left with the more daunting task of chasing other hackers who were probably far more careful to cover their tracks.

Mafiaboy, whose real name was not released because he is a minor, was charged with orchestrating a “denial of service” attack that shut down the CNN Web site for more than four hours Feb. 8.

The arrest followed two months of intense investigation by dozens of FBI agents and officers with the Royal Canadian Mounted Police. U.S. Atty. Gen. Janet Reno described the arrest as a major breakthrough that “demonstrates our capacity to track down cyber-criminals wherever they may be.”

But even as authorities filed their first charges in a case that some believed might never be solved, there are indications that investigators’ hardest work lies ahead of them.

For starters, many security experts say Mafiaboy was easy prey. By most accounts, he appears to have been a copycat hacker who used clumsy techniques and called attention to himself in a number of online postings at the time of the attacks.

And while authorities say it’s possible he will face additional charges, there is no indication so far that he had anything to do with the initial assaults on the sites of Yahoo, EBay, Amazon.com and others.

Unless authorities can establish a connection between Mafiaboy and those attacks, many security experts believe, investigators will be hard pressed to unmask hackers who so far seem to have avoided making any obvious blunders.

“Mafiaboy’s level of sophistication is nil,” said John Vranesevich, who operates Antionline, a computer security company and Web site. Vranesevich said Mafiaboy appears to have failed to take a number of basic steps to insulate himself from investigators, such as using a stolen credit card and phony ID to establish his Internet account, and routing his attack through multiple servers on separate continents.

UC Santa Barbara Network Played Role

Law enforcement officials refused to reveal whether they have substantial clues that could lead them to other hackers behind the attacks, but they acknowledged that they took advantage of a series of stumbles by Mafiaboy to trace his activities from the CNN site he is accused of victimizing, through computer systems at UC Santa Barbara back to his home in Montreal.

“We cannot categorize him as a genius,” said Inspector Yves Roussel of the Royal Canadian Mounted Police, which handled the arrest. “He has a good knowledge of computers, but what he did is not creative or sophisticated.”

The suspect was charged with two counts of “mischief to computers” and faces punishment of up to two years in a youth detention center, Roussel said. He is in his parents’ custody but is not allowed to use computers except for schoolwork, and then only under direct supervision, authorities said.

U.S. Justice Department officials acknowledge that there is a great deal of investigative work left to do, but they disagree with the notion that tracking down Mafiaboy was light duty.

Site Bombarded With Phony Data Requests

“Even though it was done expeditiously, it wasn’t an easy matter,” said Chris Painter, deputy chief of the computer crimes unit at the agency. “Yes, there are more sophisticated methods that he could have used. But it’s not like he was just out there waving a flag saying, ‘Come get me.’ ”

The teenager is accused of orchestrating an attack that shut down CNN’s site by bombarding it with millions of phony data requests, rendering it inaccessible to legitimate users. The attack was one of half a dozen similar “denial of service” assaults launched that week against some of the Internet’s most popular sites.

The siege was more disruptive than destructive, with most sites recovering within a few days. But it affected millions of Internet users, and was seen as a troubling example of the frailty of security on the Net.

Mafiaboy is accused of using hacking programs that are readily available on the Internet to take control of computers at universities and other institutions across North America, and then directing those zombie-like machines to flood CNN’s site with data.

Security experts and hackers who have written denial-of-service programs say it is possible to launch such attacks without leaving any incriminating evidence. But the CNN hacker, like many who get caught, appears to have been tripped up by his own hubris.

Authorities allege that within days of the attack on CNN, they came across chat room postings in which Mafiaboy took credit for several attacks, and even solicited orders on which site to target next. One posting referred to CNN shortly before it was hit.

In fact, by Feb. 15, Canadian investigators responding to a request for assistance from the FBI say they had pinpointed Mafiaboy’s residence, presumably after tracing his online postings to his Internet service account.

But it was more than two months before Mafiaboy was arrested, officials said, because they needed to gather evidence that he wasn’t merely one of dozens of Internet users making bogus claims about their role in the attacks.

FBI investigators relied on a combination of computer-age detective work and a few fortunate breaks. One of the agency’s first leads came from UC Santa Barbara, where a network programmer found an obscure personal computer in the physics department that had been bombarding CNN’s Web site with millions of messages.

Kevin Schmidt, who is responsible for monitoring the university’s network, first noticed the unusual activity when he ran a routine check of the network at about 11:30 p.m. Feb. 8. The next morning, he noticed that all the outgoing messages contained fake return addresses, stating they had originated from computers that he knew did not exist.

The computer had become what network administrators call a “zombie”: a machine that will do whatever it is told when it receives a command from a “master” computer. “Our machine was just one of these lobotomized slaves waiting to be told what to do,” Schmidt said.

Logs Pointed to Canada as Origin

A closer look at the network’s logs for several days prior to the attacks showed that the zombie computer had communicated with several computers outside the university, including some in Canada, Oregon and Georgia.

The logs, he said, seemed to indicate that some of the incoming messages to the physics computer originated from a computer in Canada. Schmidt handed over the computer’s hard drive to the FBI, along with all the available logs of the computer network, showing messages that came in and were sent from the university.

“It was a relatively boneheaded attack,” Schmidt said. “The exploit was floating around. It wasn’t something that required a lot of brain cells to do.”

FBI agents pored over those logs to construct the data trail that would eventually lead them to Montreal.

After the data trail confirmed the initial suspicions aroused by Mafiaboy’s chat room postings, the Royal Canadian Mounted Police raided the teen’s home at 3 a.m. Saturday. Investigators seized computers and other materials at the home, placed Mafiaboy under arrest, and filed charges against him Monday.