## March 16, 2003

### Idle Hands

Well, I was wrong. The culprit in the massive UT identity theft case was, apparently, a junior CS major at UT with too much time on his hands.

Back when I was in school, the CS majors stumbled sleepily from one massive programming assignment to the next. Hard to imagine one of them having the time or energy to hack into the personnel database.

And this was not a small undertaking. Over the space of 5 days, his program made over 2.6 million database queries (that averages out to more than 22 thousand queries/hour, with peaks — according to the American Statesman article — of 72 thousand queries/hour).

What I don’t quite get is: why? I mean, after the first couple of hundred database queries, you’ve netted yourself a few SSN’s and surely intellectual curiosity has been satisfied. Your program works, the database is vulnerable, and a brute-force attack is clearly practical. If you stop now, probably no one will be the wiser.

If you decide to continue, why use your home computer and make no attempt to cover your tracks? Surely, after a couple of million database queries, it’s likely UT’s ITS folks will begin to notice that something’s afoot.

Maybe Mr. Phillips is hoping to parlay this escapade into a lucrative book deal. Otherwise, it’s hard to make sense of his actions.

## Student charged in UT hacking

### Maximum penalty: 8 years, $500,000, restitution

By Ralph K.M. Haurwitz
American-Statesman Staff
Saturday, March 15, 2003

A student at the University of Texas was charged by federal prosecutors Friday with hacking into the school’s computer system and downloading thousands of names and Social Security numbers. Christopher Andrew Phillips, 20, a junior from Houston studying computer science, turned himself in to the U.S. Secret Service and was taken before a magistrate at the federal courthouse in Austin. The Secret Service investigates identity theft. Phillips was released without having to post any money but would be liable for $10,000 if he violates any of several conditions of his release, including a prohibition on the use of computers without permission from the court.

Phillips is accused of two counts: accessing a computer without authorization and using a Social Security number with the intent of such access. The maximum penalty is eight years in prison, \$500,000 in fines and payment of restitution, said Matthew Devlin, an assistant U.S. attorney.

Allan Williams, a lawyer for Phillips, said it was premature to say how his client would plead.

“His position is that he’s cooperating with the government in every way he can,” Williams said. “He’s a really nice young man. He’s from a really nice family. And it’s our hope that we can resolve this in a way that’s beneficial to him, and we’re going to cooperate with the government in every way we can to reach that end.”

A criminal complaint filed by Clarke Skoby, a Secret Service agent, said Phillips told investigators that he wrote a program to access the UT database, downloaded the information onto his personal computer and did not intend to disseminate the information or use it to anyone’s detriment. Neither prosecutors nor the complaint filed in court identified a possible motive.

University officials say about 55,200 names and Social Security numbers were downloaded. The affected individuals include current and former students, faculty and staff members; job applicants; retirees; and employees at five other UT System campuses and at the system’s administration offices.

Social Security numbers can be used to obtain credit cards in another person’s name and for other fraudulent purposes. But U.S. Attorney Johnny Sutton said he is fairly confident that the information was not used for nefarious purposes.

One apparent sign of his confidence: Sutton, a UT graduate, said he has not checked whether his Social Security number was downloaded.

“I can’t speculate as to why hackers hack in, other than some of them do it just for fun; some of them do it to really hurt people,” Sutton said.

“I think this case is an important example to any folks out there that might think this is a game or that it’s funny to hack into somebody’s computer system, because it’s not a game,” he said. “Certainly penitentiary time is a possibility, but again, we’re at the very early stages of this case … and it’s premature to talk about that other than what the possible range would be.”

Phillips, with short-cropped hair and wearing a light blue shirt and blue cotton slacks, sat stone-faced in court Friday morning as U.S. Magistrate Stephen Capelle asked him whether he understood the charges. He said he did. His mother, Patrice Phillips, and her friend, Gene Baltuskonis, sat in the back of the courtroom.

The student directory on UT’s Web site lists Phillips as a junior in the College of Natural Sciences.

Another hearing is scheduled for April 3. A grand jury is investigating, and prosecutors said an indictment could be returned within 30 days. Prosecutors said they do not think Phillips has had any previous brushes with the law.

In addition to the criminal case, Phillips could face disciplinary proceedings on campus.

University officials said they are prohibited by law from discussing individual cases. Teresa Brett, dean of students and vice president for student affairs, said her office investigates about 1,000 cases a year in which students are accused of violating university rules.

Punishment can range from a letter of reprimand to expulsion, although the latter is rare, she said. In almost all cases, the student agrees to the recommended punishment, but about 10 cases a year go to a quasi-judicial proceeding before a hearing officer, typically a member of the Law School faculty.

The complaint filed Friday in federal court gives insight into how the attack on the UT computer system was carried out and how investigators tracked down a suspect.

UT computer logs showed that a database was queried by an off-campus computer with one Social Security number after another, the complaint said. The query rate was as rapid as 72,000 Social Security numbers an hour, and it spanned portions of five days, ending March 2, when campus computer officials noticed unusual network activity and disconnected the database from the Internet.

UT officials studying campus e-mail logs found that the same computer used to obtain the Social Security numbers had also used the e-mail system during that period. The e-mail account had a user name assigned to Phillips.

Secret Service agents, assisted by the state attorney general’s office and UT police, searched Phillips’ Austin and Houston residences on the evening of March 5 and seized computer equipment.

Phillips was not at his apartment on Rio Grande Street in Austin when officers arrived, but a Secret Service agent contacted him by phone. Phillips returned and acknowledged downloading the information, the complaint said.

© 2003, The Austin American Statesman.

Posted by distler at March 16, 2003 1:20 AM
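
The log pattern the complaint describes (a single source submitting one lookup key after another at a high rate) can be flagged on the defender's side long before millions of queries accumulate. The sketch below is an added example, not part of the original post or the article; the log format, thresholds, addresses and keys are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)  # assumed sliding window
MAX_QUERIES = 1000           # assumed hourly ceiling per source for a lookup form
SEQ_RATIO = 0.8              # assumed share of +1 key steps that marks enumeration
MIN_SAMPLE = 20              # do not judge a source on fewer queries than this

def parse(line):
    """Constructed log format: '<ISO timestamp> <source> <lookup key>'."""
    ts, src, key = line.split()
    return datetime.fromisoformat(ts), src, int(key.replace("-", ""))

def detect(lines, max_queries=MAX_QUERIES, seq_ratio=SEQ_RATIO):
    """Return {source: (time of first alert, reason)}."""
    recent = defaultdict(deque)  # source -> (timestamp, key) pairs inside WINDOW
    alerts = {}
    for ts, src, key in map(parse, lines):
        q = recent[src]
        q.append((ts, key))
        while q[0][0] <= ts - WINDOW:  # drop entries older than the window
            q.popleft()
        if src in alerts or len(q) < MIN_SAMPLE:
            continue
        keys = [k for _, k in q]
        steps = sum(1 for a, b in zip(keys, keys[1:]) if b - a == 1)
        if steps / (len(keys) - 1) >= seq_ratio:
            alerts[src] = (ts, "sequential")  # keys walked one after another
        elif len(q) > max_queries:
            alerts[src] = (ts, "rate")        # too many lookups in the window
    return alerts

def sample_log():
    """Constructed input: one enumerating source and one ordinary user.
    Keys use the 000 area number, which is never issued as an SSN."""
    t0 = datetime(2003, 3, 1, 2, 0, 0)
    lines = [f"{(t0 + timedelta(seconds=i)).isoformat()} 203.0.113.7 000-00-{i:04d}"
             for i in range(60)]
    scattered = [4821, 17, 9930, 512, 7044] * 5
    lines += [f"{(t0 + timedelta(minutes=2 * i)).isoformat()} 198.51.100.4 000-00-{k:04d}"
              for i, k in enumerate(scattered)]
    return sorted(lines)  # ISO timestamps sort chronologically as strings

if __name__ == "__main__":
    for src, (ts, reason) in detect(sample_log()).items():
        print(src, ts.isoformat(), reason)
```

The sequential check fires on the twentieth consecutive key, independent of volume, so a slow walk through the key space is caught as well as a fast one.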


## 1 Comment & 2 Trackbacks

Weblog: the maine page
Excerpt: Regarding the recent UT identity theft case, professor Jacques Distler wonders aloud, "what was this kid thinking!?" What I don't quite get is: why? I mean, after the first couple of hundred database queries, you've netted yourself a few SSN's...
Tracked: March 18, 2003 9:04 AM

### Re: Idle Hands

I have a friend at work whose niece is the guy’s girlfriend. We’re both CS guys. My friend says that this guy had written some sort of program and was merely stress-testing it - seeing what it would do with a LARGE amount of data. Apparently he had found this website (I think it was publicly available - not much of a hack) that when you entered a SSN, it would return data for that SSN. He was just ‘wardialing’ SSNs. That’s why all the SSNs were in a certain number range - he just started at 451-00-0000 (451 being a common prefix for those born in Texas) and went from there. Whenever he got anything back, he stored it. I think it is a case of “Never attribute to malice that which can be adequately explained by stupidity”

Steve

Posted by: Steve Donie on March 21, 2003 3:07 PM
Read the post UT and SSNs
Weblog: mirell.org - A Man and His Cat
Excerpt: We had a SSN scare here a few months ago, back in March. Apparently a UT student decided to brute-force his way into one of the Administrative databases (Using Adabas, Adaptable Database, I'm assuming) to garner several SSNs and the...
Tracked: November 5, 2003 1:37 AM
