####################################### # # # # # ======== =\ = ====== # # == = \ = = # # == = \ = ====== # # == = \ = = # # == = \= ====== # # # # # # # # ''''''''''''''''''''' # # # # # # > Written by Dr. Hugo P. Tolmes < # # # # # ####################################### Issue Number: 13 Release Date: November 19, 1987 TNS Issue #13 will try to help explain the events concerning an article about Capt. Zap in the Wall Street Journal. $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ TITLE: It Takes a Hacker to Catch a Hacker As Well as a Thief FROM: The Wall Street Journal DATE: November 3, 1987 Ian Murphy Helps Companies Catch Computer Pirates; But Whose Side Is He On? By Dennis Kneale PHILADELPHIA- It is almost 2 a.m., and the room is dark but for the phosphorous glow of the computer screen that illuminates the cherubic face of Capt. Zap. He taps the keyboard in his lap and searches for "hackers" who break into computer systems for fun or malice. "We've got one," Capt. Zap says. he starts an on-screen dialogue with the hacker and asks for phone numbers to corporate data bases that might be fun to hack into. The hacker advises that the best place to look tonight is the "Holiday Inn," a secret electronic bulletin board that lists such numbers. The captain heads thataway. Capt. Zap, actually Ian A. Murphy, is well-known as one of the first convicted computer-hacker thieves. He has since reformed- he swears it - and has been resurrected as a consultant, working the other side of the bulletin boards and the right side of the law. His detractors doubt it. CRIME CREDENTIALS Other consultants, many of them graying military veterans, try to flush out illicit hackers. But few boast the distinction of a real hacker-and one with a felony among his credentials Capt. Zap is more comfortable at the screen than in a conversation. Asked to name his closest friend, he shakes his head and throws up his hands. He has none. "I don't like people," he says. "They're dreadful." "He's legendary to the hacking world and has access to what's going on. That's a very valuable commodity to us," says Robert P. Campbell of Advanced Information Management in Woodbridge, Va., Mr. Murphy's mentor, who has hired him for consulting jobs. The 30-year-old Mr. Murphy is well-connected to his nocturnal netherworld. Every night till 4 a.m., he walks a beat through some of the hundreds of electronic bulletin boards where hackers swap tales and techniques of computer break-ins. They trade passwords. They debate the fine points of stealing long-distance calls. They give tutorials: "Feds: How to Find and Eliminate Them." It is very busy these nights. On the Stonehenge bulletine board, "The Marauder" has put up a phone number for Citibank's checking and credit-card records, advising, "Give it a calphy finds a primer for rookie "hacklings," written by "The Knights of the Shadow." On yet another, he sifts out network codes for the Defense Department's research agency. He watches the boards for clients and warns when a system is under attack. For a fee of $800 a day and up, his firm, IAM/Secure Data Systems Inc., will test the securtiy of a data base by trying to break in, investigate how the security was breached, eavesdrop on anyone you want, and do anything else that strikes his fancy as a nerd vs. spy. He says his clients have included Monsanto Co., United Airlines, General Foods Corp. and Peat Marwick. Some probably don't know he worked for them. His felony rap- not to mention his caustic style - forces him to work often under a more established consultant. "Ian hasn't grown up yet, but he's a technically brilliant kid," says Lindsey L. Baird, an Army veteran whose firm, Info-Systems Safeguards in Morristown, N.J., has hired Capt. Zap. Mr. Murphy blames corporate "stupidity" and laziness for the hacker problem. He says companies aren't alarmed enough over the lapses, and he blares the blunt message on "Good Morning America," at industry seminars and in technical papers. His kinds of services are much in demand these days, even if his blunt criticisms aren't. Computer break-ins cost companies millions of dollars each year in corporate espionage, fraud and hassle. The accounting firm of Ernst & Whinney puts computer-fraud losses at more than $3 billion a year. Other experts say any figures are bogus because most thefts of data, software and such things as credit-card information aren't reported. Companies don't like admitting they were outfoxed by techies barely old enough to vote. Lots of hackers have been busy lately. Agents recently busted "Shadow Hawk," 17-year-old Herbert Zinn of Chicago. He hacked into American Telephone & Telegraph Co. systems and allegedly heisted software worth $1 million by "downloading" it to a home computer. RUINED RESEARCH This summer, hackers in West Germany tapped into the U.S. space agency's European network, peeking at files on booster rockets and shuttle contracts. One of them changed a variable in a scientist's equation from pi (3.14159265) to 7, ruining two months of research. Capt. Zap views this underword from a frighteningly cluttered apartment on the city's north side. Short and pudgy, he hovers at the screen surrounded by an electronic arsenal: closed-circuit video, printer, police radio, TV, eavesdropping gear, auto-dialer, shortwave radio, oscilloscopes and other gizmos. "He's in control, it's his little world," says his wife, Carole Adrienne, who uses her psychology training to analyze the hacker mind-set. The place is so messy she refuses to live there. When they were first separated, Mr. Murphy admits he spied on her. "I'm an extremely jealous man," he says, "and I have the technology to stop any man." Says she "You never know when the surveilance ends." Mr. Murphy's electronic voyeurism started early. At age 14, he woul back yard to tap into the phone-switch box and listen to neighbor's calls. (He still eavesdrops now and then.) He quit high school at age 17. By 19 he was impersonating a student and sneaking into the computing center at Temple University to play computer games. EASY TRANSITION From there it was an easy transition to Capt. Zap's role of breaking in and peeking at academic records, credit ratings, a Pentagon list of the sites of missiles aimed at U.S., and other verboten verblage. He left even his resume inside Bell of Pensylvania's computer, asking for a job. The elctronic tinkering got him into trouble in 1981. Federal agents swarmed around his parents' home in the wealthy suburb of Gladwyne, Pa. They seized a computer and left an arrest warrant. Capt. Zap was in a ring of eight hackers who ran up $212,000 in long-distance calls by using a "blue box" that mimics phone-company gear. They also ordered $200,000 in hardware by charging it to stolen credit-card numbers and using false mail drops and bogus purchase orders. Mr. Murphy was the leader because "I had the most contempt" for authority, he says. In 1982, he pleaded guilty to receiving stolen goods and ws sentenced to 1,000 hours of community service and 2 1/2 years of probation. "It wasn't illegal. It was electronically unethical," he says, unrepentant. "Do you know anyone who likes the phone company? Who would have a problem with ripping them off?" Mr. Murphy, who had installed commercial air conditioning in an earlier job, was unable to find work after his arrest and conviction. So the hacker became a hack. One day in his cab he picked up a Dun & Bradstreet Corp. manager while he was carrying a printout of hacker instructions for tapping into Dun's systems. Thus, he solicited his first consulting assignment: "I think you need to talk to me." He got the job. Now Mr. Murphy treads a thin line between the hackers he revers and the corporate clients he reviles. The line is so thin that critics doubt that his reformation is real. "Ian is a nice guy, I like him. I just don't trust his ethics. I think he's still on both sides of the law," says Carl Jackson, a security executive at Ford Motor Co. Some say Mr. Murphy is more loyal to hackers than clients. He claims to employ the nation's top 10 hackers to break into client computers. This gives executives the jitters. Once hackers find a way in, while getting paid to do it, what is to stop them from breaking in again later on? Mr. Murphy won't disclose who is behind a break-in and won't help catch the culprit. he even advises hackers how to detect bugging by the feds. "I am not a bouty hunter," he says. As a consultant, Mr. Murphy gets to do, legally, the shenanigans that got him into trouble in the first place. "When I was a kid, hacking was fun. Now I can make money at it and still have a lot of fun." He loves "tiger teaming" testing a client's security by breaking into his computer by any means necessary. In tiger teaming, Mr. Murphy has even crawled through garbage bins in searchiscarded passwords (To demonstrate this on a moonlit walk at 3 o'clock one morning, he rips open a dozen trash bags outside an office building and exposes reams of papers.) Wearing a yellow slicker labeled "Bell of Pennsylvania," he bluffed his way into an insurance office posing as a repairman. Once inside, he made a beeline for the computer room. The inspiration for such capers? Old reruns of "Mission: Impossible," he says. Some clients get queasy over his methods. Mr. Murphy had a row with Peat Marwick when one official balked at his criminal record and how he tiger-teamed the insurance office. Mr. Murphy says the accounting firm at first wouldn't pay him the $24,000 he was owed, but it relented. Gary G. Goehringer, a Peat Marwick manager, confirms he hired Mr. Murphy for two jobs and stresses he was under close supervision at all times. Now Ian Murphy looks to his next job. A Chicago company in a patent-infringment dispute suspects that a rival stole secrets by hacking into its computer system. Mr. Murphy may tiger-team the client's computer system to see whether getting is doable. Better yet, he may break into the rival's computers to see whether the client's data are stored inside. He must check the legalities, or lack of them, for what doing this. Capt. Zap can barely wait. $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ NOTA: The notes on this article will be extrememly long. Capt. Zap claims that he is not a "bounty hunter" but there are a few things to consider: ====================================== "It Takes a Hacker to Catch a Hacker"- Does Capt. Zap catch hackers? "Ian Murphy Helps Companies Catch Computer Pirates"- Does he really catch computer pirates (hackers)? "He taps the keyboard in his lap and searches for 'hackers'"- Again, does he go searching for them? Like a bounty hunter? "He walks a beat through some of the hundreds of electronic bulletin boards where hackers swap tales and techniques"- Walks a beat? Like a cop? "working the other side of the bulletin boards and the right side of the law"- Is he on the "other side"? All of the quoted material comes from the article. The impression that Capt. Zap tracks them down actually seems to be false. He does NOT work like John Maxfield (Cable Pair) and the article states that he is not a "bounty hunter" or is involved in the busting of hackers. Capt. Zap tries to get this across in the article but the writer of the article should be blamed for any type of view that Capt. Zap works for the "other side." Capt. Zap does do security work (as do many other hackers) but don't think of him as a threat or some agent sent out to infiltrate bulletin boards. Most of his security work is in protecting systems. Interested persons who would like to employ his services should contact him (which shouldn't be too difficult since he is on many bulletin boards across the country.) Personally, I have said some unjust things about Capt. Zap and should apologize but the article does give a certain impressihacker tracker. ====================================== Capt. Zap "is well-known as one of the first convicted computer-hacker thieves"- Capt. Zap wasn't actually one of the first convicted computer-hacker thieves. His arrest did not involve computers. But he is well-known in the hacking world and has been around for a long time. ====================================== "On another board, Mr. Murphy finds a primer for rookie 'hacklings,' written by 'The Knights of the Shadow.'"- This refers to the series put out by the Knights of the Shadow a long time ago. There are actually 4 files (introduction and 3 instruction files.) The files mentioned detail hacking into: DEC-20's, VAX/UNIX, and Data General systems. ====================================== For a moment I'd just like to stray off the subject. Capt. Zap and Tuc know each other and are both well-known in the hack/phreak world. Not so long ago, Capt. Zap learned that Tuc was giving seminars on computer security and was working as a security consultant. Capt. Zap left the following messages on various bulletin boards concerning Tuc's actions. These posts are taken from many different bulletin boards: 87Sep19 From CAPT. ZAP Yes it seeems that because of one person, we will all have to pay for his actions. It is very strange that such things happen just when you thought it was safe to dial... Well the phone police have struck again! And while I am thinking about it, there seems to be a small leak possible here and I would like to bringit to the attention of the systems owners. As I have heard about this person and his ways to do things, we also have the distinct knowledge that the person is now going to release certain information to persons unauthoriÿed. I will relay this information by voice only to those who identify themselves beyond a shadow of a doubt. And to the person who I am speaking about, we know who you are and your days of asking questions and trying to be something that yo are not, are comming to a close very soon. And remember I have your number! For those who wish to find out what and who the person is and the background information may call 215-634-5749. \/ Capt. Zap \/ ** --------- ** Copyright @ 1987, I.A.M. , IAM /SDS Inc. 87Sep23 From CAPT. ZAP Well once again its time for news from real world.... First, we have the continuing story of the Shadow Hawk incident! He will be going away on a federal or state sponsered vacation, and then we have the civil damages that will come from his actions and the major lawsuits to be fielded by his parents. Now I do not know what sort of amounts will be leived, but you can bet that they will be heavy. As to the continuing story of federal agents and the like, we have the TUC story brought to by me. It turns out that our large friend is helping in a seminar produced by the Maryland chamber of commerence. His little thing will be called "How to break into your computer system". He has 45 minutes and his title is President of Telecom Corp. Now I wasession that he was working for his father and collecting Cabbage Patch dolls while reporting on his fellow phreaks to the like of Mr. Maxfield and Mr. Bowens from MCI security. Now since he is an informant and will be sharing his knowledge with others, I see this as an excellent reason to use the copyright law to stop any use of information that he may collect from being used by others or read by others without permission. I will say that I will be sending a letter to him and his sponser that will inform him and the sponser that any and all information that I have posted or provided, is for the use of AUTHORIZED persons or organizations and that any use without the expressed written permission ÿill constitute a violation. I THINK THAT IT IS TIME TO PUT AN END TO TUCS COMPUTER RELATED LIFE! NO ACCESS SO WHAT SO EVER! \/ Capt. Zap \/ Copyright @ 1987, I.A.M. , IAM/SDS Inc. Numb: 33 Subj: More Important News! From: CAPT ZAP Date: THU SEP 24 7:08:14 PM Well I have learned that the one person who we all consider a fed will be speaking in Baltimore and his topic will be.... How to break into yor computer system, presented by none other than our friend TUC. He has gone over to the other side in a big way and is now considered to be fair game for all of us to stop! He claims to to be the president of TELECOM Corporation! I will be perfroming a search to see if such a company does live! But now is the time to spread the word and in a big way to stop him from gaining access to ANY SYSTEM throughout the nation. Now I am wondering if there is a way to put a damper on this project and put a stop to him once and for all! As you know we have a number of informants on here and that we have to stop any person or group (federal or phone police) from gaining access As you might notice from the previous messages posted by Capt. Zap, he is definitely angry that TUC is doing computer security work. Even thought he does almost the exact same thing. His messages tell of TUC giving a lecture on computer security and not busting people. His messages also suggest that TUC is working for John Maxfield (as an informer) and also for MCI. Both of the charges are unsubstantiated but Capt. Zap says that he is doing it anyway. Now that we've seen how angry Capt. Zap was, let's go back to the article (the one printed at the beginning of this issue: "He says companies aren't alarmed enough over the lapses, and he blares the blunt message on 'Good Morning America,' at industry seminars and in technical papers"- You'll notice how Capt. Zap gives even more speaking on hackers than TUC does. TUC, according to Capt. Zap, did a seminar in Baltimore (and probably other seminars at other places) but Capt. Zap did the same thing on "Good Morning, America." Capt. Zap became angry at TUC for working as a security consultant and claiming to be president of TELECOM Corporation, even though Capt. Zap is the president of his own corporation (IAM/Secure Data Systems Inc.) It might even be likely thatfraid that TUC was taking business away from him. Exactly why Capt. Zap said those things about TUC when he was doing the same thing is not known. Now we'll continue with a few more things from the article. ====================================== "On the Stonehenge bulletin board, 'The Marauder' has put up a phone number for Citibank's checking and credit-card records"- The Stonehenge bulletin board is most likely one of two boards. 1) The Central Office (also known as Stonehenge) or 2) Phonehenge (previously Stonehenge) ====================================== "Agents recently busted 'Shadow Hawk,' 17-year-old Herbert Zinn of Chicago."- For details on Shadow Hawk's bust, see TNS Issues #10 and #11. ====================================== "This summer, hackers in West Germany tapped into the U.S. space agency's European network"- For information on the West German hackers, see TNS Issue #9. ====================================== "He claims to employ the nation's top 10 hackers to break into client computers."- This is most likely just something that Capt. Zap said to get clients for his business. It is very unlikely that he employes the nation's top 10 hackers to break into systems. Very unlikely. ====================================== The events surrounding this article/Capt. Zap/ I.A.M./ and whether or not he is an informant will be written in TNS as more information is acquired. As I stated earlier, when I read the article it pissed me off extremely. When turning the page to continue the article, the top of the page had the following heading: "COMPUTER HACKER IAN MURPHY PROWLS A NIGHT BEAT TRACKING DOWN OTHER HACKERS WHO PIRATE DATA" The thought of this made me very angry but Capt. Zap has claimed that he is not a "bounty hunter." the article also has parts that show his loyalty to hackers. After reading this part (as well as the entire article), I was ready to kill Zap. Again, any impression that Capt. Zap turns in hackers is the impression given by the author of the article and doesn't seem to be the truth. For those who are reading this and are in need of the services of a computer security consultant, Capt. Zap's telephone number was printed in a post by him. Remember, don't think that Capt. Zap is an informer.. it appears that he is just as much of a loyal hacker as the rest of us (well almost). [OTHER WORLD BBS] Downloaded From P-80 International Information Systems 304-744-2253