Sunday, September 07, 2008

Is The Analyzer Really Back? (The return of Ehud Tenenbaum)

The hacker behind one of the most famous hacks in history, "Solar Sunrise", was arrested yesterday along with three Canadians, on charges of breaking into a Calgary-based financial services company and withdrawing nearly $2 Million in Canadian dollars. (Calgary TV has a video story with details of the new case.)

Tenenbaum's own mother is now confirming this is the same Ehud Tenenbaum . . . who she says has been "framed by the FBI". The charges are that they conducted their fraud by altering a database at a financial services company so that their debit cards carried a higher face value than they really contained, and then using these altered cards to obtain funds. According to CTV, the target company offered "prepaid debit cards" that could be used like cash. Sergeant Gordon Bull, interviewed in the video above, described the seven-month investigation and thanked the US Secret Service for their help in the investigation.
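A defender's check for the kind of tampering described above, as an added example (not code from the post, the police, or the company involved): it recomputes each prepaid card's balance from an append-only ledger of loads and redemptions and flags any stored balance the ledger cannot account for, which is the footprint a direct database edit leaves behind. The card ids, amounts and table layout are assumed.

```python
"""Reconcile stored prepaid-card balances against the transaction ledger.

Illustrative example, not code from the post. Assumption: the issuer keeps
a 'balance' column per card plus an append-only ledger; a balance edited
directly in the database has no ledger entry explaining it.
"""
from collections import defaultdict
from decimal import Decimal

# Constructed sample data; card ids and amounts are invented.
CARDS = {
    "card-0001": Decimal("50.00"),     # matches the ledger
    "card-0002": Decimal("25000.00"),  # inflated: ledger only shows a 100.00 load
    "card-0003": Decimal("0.00"),      # fully spent, matches the ledger
}

LEDGER = [  # (card_id, type, amount); 'load' adds value, 'redeem' removes it
    ("card-0001", "load", Decimal("100.00")),
    ("card-0001", "redeem", Decimal("50.00")),
    ("card-0002", "load", Decimal("100.00")),
    ("card-0003", "load", Decimal("20.00")),
    ("card-0003", "redeem", Decimal("20.00")),
]


def ledger_balances(ledger):
    """Recompute every card's balance from its ledger entries alone."""
    totals = defaultdict(Decimal)
    for card_id, kind, amount in ledger:
        if kind == "load":
            totals[card_id] += amount
        elif kind == "redeem":
            totals[card_id] -= amount
        else:
            raise ValueError(f"unknown ledger entry type: {kind}")
    return totals


def find_tampered(cards, ledger):
    """Return {card_id: (stored, ledger_derived)} for each card whose stored
    balance the ledger does not explain. A stored balance above the ledger
    figure is the signature of a balance edited outside the ledger path."""
    expected = ledger_balances(ledger)
    return {
        cid: (stored, expected[cid])
        for cid, stored in cards.items()
        if stored != expected[cid]
    }
```

Run the reconciliation on a schedule (or as a database trigger check) so that an inflated balance is noticed before the card is redeemed, not after the cash is gone.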

Today we'll review that earlier attack by Ehud Tenenbaum, The Analyzer, and how news of the attack reshaped the cyber posture of the United States Government.

In February of 1998 the US Pentagon experienced a series of attacks which came to be called "Solar Sunrise". The hacks were big news at the time, and some, including L0pht hackers, tried to use them to raise awareness, such as in this Jim Lehrer NewsHour segment on PBS. Then Deputy Secretary of Defense John Hamre said of the attacks that they were "widespread, systematic, and showed a pattern that indicated they might be the preparation for a coordinated attack on the Defense Information Structure", in testimony to Congress on February 23, 1999. That same month, Ehud Tenenbaum, who used the hacker handle "The Analyzer", was arrested in Israel for the attacks, while in the US a California teenager who used the handle "Makaveli" was also arrested.

He boasted at the time of his arrest that he knew ways to break into more than four hundred US Defense Department computer systems.

Even post-9/11, Hamre still talked about the importance of this hack, as well as the penetration test/cyber exercise "Eligible Receiver" and another hack, "Moonlight Maze", as part of the wake-up call that caused the US government to change the way it thought about cyber security.

What was the motivation of Ehud? "Chaos, I think it is a nice idea", he told the press after being arrested. He did it "because I hate organizations".

Most of us followed the original story as it was unfolding by watching In a series of articles called "The Pentagon Hacker", John Vranesevich (JP) gave us the facts we needed to know, and helped the media of the time understand what was going on with articles like "Confused About What IRC Really Is? Find Out More Here" and "Description Of Some Common Hacker Jargon", along with his interviews with the various players.

AntiOnline's JP also interviewed Makaveli by telephone, the day the FBI raided his home.

Mak describes:

"They came into my house, took me in the living room, and started taking all of the computer equipment from my room. They didn't even leave the phone line leading from the wall to the modem," he began. "They took all of my cd's, music cd's, data cd's, my printer, speakers, everything..."

But Makaveli revealed that what they really wanted was one file on his computer revealing over 200 servers that he had hacked into, including one at Lawrence Livermore National Laboratories.

Mak confirmed that "TooShort" was the handle of the other American hacker they sought, but that his mentor in the Middle East was who the FBI was really after. (That would be Analyzer, as we all later learned.)

(Picture from original at, March 1998)

Gadi Shimshon did a face-to-face interview with Analyzer, discussing his informal hacking organization, the IIU or Israeli Internet Underground. The IIU had recently defaced the homepage of the Knesset, ironically, to show their love for the new Israeli President, Ezer Weizman, who had just been elected. The page they defaced still had information about the previous president. He also told how he met the two Americans who helped with the DOD break-ins.

Analyzer met his two students in a multinational group that hangs out in chat channels on the web, known as the "Enforcers". The main goal and ideal of the Enforcers, he said, is to fight pedophilic and racist sites on the web. Analyzer said that he once altered, a center for skinhead and neo-nazi cyber activity.

Despite his patriotic and policing activities, Analyzer boasted of having "system manager access" to more than 1,000 internet servers, where he had created more than 12,000 accounts. He gave Pentagon userid and password lists to JP at AntiOnline with instructions to share them with the FBI after his arrest. The accounts were confirmed to be live.

JP asked Analyzer at the time "I don't understand how hacking into Lawrence National Labs or JPL.NASA helps fight racism or pedophilia?"

Analyzer replied:

well, let me explain ... from there I had lots of power as Denial of Service attack power and threat power. I could do lots of stuff from those servers.

JP asked him to clarify: "So you used the processing power of government servers to do denial of service attacks?"

Analyzer replied: "in part of it...also for lots of uses like fake email and also to scare them.."

But he confessed there were lots of "unjustifiable" attacks as well. He liked having very strong boxes, and claimed "i have ALL big universities", listing among his victims Yale, Harvard, Cal Tech, Berkeley, Stanford, and MIT. He even claimed to control the DNS servers at Harvard, naming one computer he controlled "".

James Glave of WIRED magazine broke the news of Analyzer's ultimate arrest on March 18, 1998. Glave contacted several members of the Enforcers, who confirmed that most of the IIU had been taken into "house arrest". Hackers such as "paralyse", "FallLine", "KuRuPTioN", "mindphasr", and others described to Glave what they knew of the arrests, but confirmed Analyzer's guilt, and his fear that he would be killed for his activities.

It would not be until January 2001 that Tenenbaum would stand trial in Tel Aviv and plead guilty to these crimes, as described by Kevin Poulsen in this article in The Register.

Update (from The Calgary Herald; thanks for the link, Spamhaus!): The charges and names of those arrested in Montreal and charged in Calgary are:

Tenenbaum, who has been charged with six counts of fraudulent use of credit card data and one count of fraud over $5,000, is the only one who remains in custody.

Priscilla Mastrangelo, 30, of Montreal, has been charged with 23 counts of fraudulent use of credit-card data and one count of fraud over $5,000.

Jean Francois Ralph, also known as Ralph Jean-Francois, 28, of Montreal, has been charged with four counts of fraudulent use of credit-card data and two counts of fraud over $5,000.

Spyros Xenoulis, 33, of Montreal, has been charged with one count of fraudulent use of credit-card data and one count of fraud under $5,000.

A question mark remains as to how the headline figure of a $1.8 Million loss squares with the dollar amounts charged against each of the above. Mastrangelo is charged with taking $32,082, Jean-Francois with $6,585, and Xenoulis with $1,001.

Direct Cash Management was named as the victim company in this story in the Calgary Herald. Sergeant Gordon Bull confirms that while Tenenbaum did the hack, the others withdrew the money.

Gary Warner
Director of Research
UAB Computer Forensics

Trying a new setting. After turning on comments, I got about 20-30 comments per day that were all link spam. Sorry to require login, but the spam was too much.