Historic Hacks of the 2000s, Part 1
Note: This is Part 1 of 2.
The 1990s saw the fall of Communism, the rise of alternate media and the widespread adoption and integration of the World Wide Web. It was also the decade where cyberattacks came out of the shadows and onto the front pages of newspapers.
Hackers may have come of age in the 90s, but it was during the following decade that they really hit their stride in both notoriety and level of damage done. In this installment of our series, we'll consider five historic hacks of the new millennium.
If good things can come in small packages, then so too can terrible things ... like Michael Calce (better known to many as MafiaBoy), the perpetrator behind the highly publicized distributed denial-of-service (DDoS) attacks on a number of leading e-commerce websites, resulting in total damages estimated at 1.7 billion Canadian dollars.
Calce wasn't a precocious child — he was a genuine prodigy. He received his first computer at age 6 and claimed the most exciting moment of his life was when he first accessed the internet.
At the tender age of 9, he was utilizing the app AOHell to manipulate legitimate AOL users into giving up their account information and would soon talk his way into a band of hackers who helped hone his nascent skills. When Calce was just 13, TnTForce, one of the world's elite hacking gangs, asked him to join them.
During an eight-day period in February 2000, 15-year-old Calce targeted the online behemoths CNN, Amazon.com, Fifa.com, E*Trade, eBay and the world's biggest search engine (at the time), Yahoo! He also launched unsuccessful attacks against nine of the internet's thirteen root name servers.
At first, Calce didn't think he had done anything too bad. He quickly realized things were serious when he saw U.S. President Bill Clinton talking about his hack on TV. Calce might have gotten away with his hack, but like teenage boys throughout time, he just couldn't keep from bragging. Online, Calce claimed he was responsible for bringing down Dell.com — the disruption of which was a tidbit law enforcement authorities had never released. Oops.
Ironically, the young doer of dastardly deeds was arrested while watching the gangster movie Goodfellas. Calce pled guilty and received one year of probation, restricted Internet use, and a $250 fine; a light sentence due to his age and a lack of Canadian computer security laws.
For a time, consumers lost confidence in online retailers as security experts acknowledged the weak levels of protection for commercial computer systems, in some cases claiming they were "essentially defenseless." Fear of an "electronic Pearl Harbor" led to a massive increase in the development of online security practices and protocols.
Calce currently works as a cybersecurity expert. His story is immortalized in the short film Rivolta.
California Payroll Database Breach (2002)
On April 5, 2002, an as-yet-unidentified party hacked into the server that held the California State government's payroll database. Once inside, they had wide-open access to names, Social Security numbers and salary information for all 265,000 state workers, including the governor.
In what was surely one of the worst attempts ever to ease worker concerns, the governor's spokesman, Steve Maviglio, in a press interview stated that "it didn't appear as if any personnel information was used illegally."
After offering suggestions on how state employees could protect their personnel data in the future, Maviglio declared California was not alone in the cyber wars: "This happens to thousands of computers worldwide, it's not isolated to the state. We have strong protections, but hackers are able to figure ways around it."
It wasn't the breach that caused problems so much as when the press found out that the State Controller's Office had waited two weeks before revealing the breach.
State legislators were understandably upset at the delay and, in response, passed the country's first breach-disclosure law, SB 1386. The law required hacked organizations to "promptly warn potential identity theft victims."
The cat was completely out of the bag as a number of major corporate breaches in California soon made headlines. Other states soon followed California's lead and passed similar data-breach laws. Today each U.S. state has such a law in place.
The FBI did track the attack to an e-mail address in Massachusetts but was unable to identify the offending party and gave up the investigation, perhaps concluding it was most likely just the latest round in Boston versus L.A.
Max Vision (2006)
Max Ray Vision, also known as "Iceman," was a talented cybersecurity pro who just couldn't stay out of trouble. His life and career were tumultuous. He was fired from several jobs and sued by a number of former employers.
Vision also did a couple of stretches in the Big House: 3.5 for assault and then 18 months for hacking into Defense Department computers.
For a time, Vision worked as a legitimate cybersecurity consultant, but like a moth to a flame, he simultaneously ran CardersMarket, an online forum where criminals could buy and sell sensitive data like credit and debit cards, Social Security numbers, and so forth.
Up to this point, Vision's little dance outside the law hadn't been enough to get him noticed by the authorities. That all changed one night in 2006 when he decided to go big time. Vision went on a 48-hour hackathon. In a made-for-Hollywood twist, he didn't target legitimate organizations; instead, he went after fellow identity thieves.
Vision hacked into numerous online carder forums, wiped their databases clean and shut the sites down. Throwing salt into the wound, he added their content and memberships to his own forum. With 6,000 members, CardersMarket was now the largest English-speaking criminal marketplace on the web. Vision and fellow members would go on to steal two million credit cards and run up approximately $86 million in fraudulent charges.
Unfortunately, Vision's hostile takeover of the illegal sites drew the attention of the FBI — officials were already investigating his victims and had actually infiltrated a number of their sites. It took a year for the Bureau to track Vision down and arrest him. In 2007, faced with a life sentence under federal sentencing guidelines, Vision took a plea deal and received a 13-year prison sentence — the longest to date in the U.S. for a computer hacker. He also has to pay $27.5 million in restitution upon his release.
Besides teaching the obvious lesson that card issuers needed to better secure customer accounts, the case led the FBI to create a division focused solely on cybercrimes. In 2018, Vision was again charged with wire fraud, two counts of conspiracy and possessing stolen credit card numbers and contraband in prison. Vision proved that an incarcerated IT pro can still be dangerous by using a commercial-grade drone to smuggle a T-Mobile "MyTouch" cellphone into prison to access the internet and obtain stolen debit card numbers.