#CISSP30: 30 Years After the Phonemasters Attacks

nnIn 1994, as the CISSP certification was introduced to help professionalsnand their employers deal with advanced cybersecurity challenges, thenworld saw one of the largest and most disruptive cybersecurity crimensprees take place, orchestrated by a group known as the Phonemasters.nn

n

nThe mid 1990s was a time of profound technological change.n

n

nWindows 95 was just a year away, an operating system that undeniablyntransformed desktop and laptop computing. The early work on Linux hadnalready matured into a powerful and free computing platform, supplantingnUnix as the weapon of choice for many opportunistic cybercriminals andntroublemakers. The industry was advancing in its response to what we nowncall cybersecurity in the form of certifications like the CISSP andneducation to create dedicated professionals to deal with emergingncybersecurity concerns.n

n

n

n

1994 – A Year for Cybercrime

n

n

n

nIn a previous article, we talked aboutnnone of the biggest digital banking heists that took place in 1994, but the year really was a bellwether for both cybercrime and thencybersecurity industry’s response.n

n

nAlongside the incident at Citibank, a much broader range of cyber attacksntook place, accounting for some $1.85 million of costs and losses due to thendamage and disruption caused. An international cybercrime group, dubbed then“Phonemasters” by the U.S. Federal Bureau of Investigation, due to its focusnon telecommunications-based attacks, breached the networks of a variety ofncommunications and data companies including MCI WorldCom, BT, Sprint,nAT&T, Equifax, Dun and Bradstreet and LexisNexis.n

n

n

n

Mischief Managed

n

n

n

nThe actions of the Phonemasters gang was quite broad, mostly focused onncausing mischief and disruption to companies and organizations, rather thanna flat out monetary theft, as was the case with the Citibank incident.nInstead, Phonemasters engaged in activity including allegedly redirecting annFBI phone number to an adult chat line, generating $200,000 in costs. Thengroup also found its way into databases containing phone tappingninformation, as well as obtaining the numbers of a variety of celebritiesnsuch as the singer Madonna.n

n

nHaving created considerable chaos, the FBI looked for a technology solutionnto gather some evidence, identify the gang members and mount a case.n

n

n

n

The Data Tap

n

n

n

nIn order to surveil the attackers, a U.S. federal court granted the FBInpermission to use the first ever “data tap” to monitor the hackers’nactivities. Conventional phone tapping and physical surveillance wasnunlikely to produce any useable evidence as even in 1994, this was a groupnthat was already operating entirely online, even though dedicated data linesnin the home were rare and most online activity was still using dial-upnmodems. Through the data tap, the FBI was able to capture the Phonemastersnkeystrokes as they exchanged stolen credit card numbers. After an extensiveninvestigation that involved law enforcement in Texas, Pennsylvania, Ohio,nColorado, California, Oregon, New York, Florida, Canada, Switzerland, andnItaly, the case was made.n

n

nIn late 1999, the members of the group were finally convicted of theft,npossession of unauthorized access devices and unauthorized access to anfederal computer. Corey Lindsly in Philadelphia, considered to be thenmastermind of the Phonemasters, was sentenced to 41 months in prison, at thentime one of the longest sentences ever handed out in the U.S. for computernmisuse. Calvin Cantrell of Dallas was sentenced to 24 months, while JohnnBosanac received 18 months for his involvement.n

n

n

n

The Significance of the Data Tap and 1960s Legislation

n

n

n

nThe Phonemasters case instigated a number of law enforcement firsts,nhighlighting the need for both professional standards and continuousnprofessional education, as well as technology solutions to combat emergingnfuture cybercrime.n

n

nAlthough arguably out-of-date, having been passed into law in 1968, the FBInand its legal counsel were able to leverage the elderly Omnibus CrimenControl and Safe Streets Act of 1968 to get the powers they needed to fightna very 1990s crime. The law originally applied to – amongst other things –nobtaining legal clearance for telephone wiretaps. However, it was arguednthat Title III of the Act, the part that specifically applied to wiretapsncould also be interpreted to cover any form of ‘tap’ on a communicationsnconnection, regardless of whether the connection was analog or digital, ornwhether the information gathered was spoken word or digital information. Asna result of this, which established legal precedent, the Act remains on thenstatute books to this day, with that precedent serving as the updatedndefinition needed to make the act useable in the internet age andninterconnected decades that followed.n

n

n

n

CISSP – Keeping on Top of a Changing Environment

n

n

n

nThe challenge faced by the FBI in 1994, along with the subsequentndifficulties in building a case using the legislation of the time, comparednwith where we are now illustrates just how much has changed in terms ofntechnology generally, cybersecurity technology and the focus of lawmakers asnthey try and adapt to a threat landscape that is often evolving far fasternthan detailed legislation can keep up with. Even the first CISSPs certifiednin 1994 soon realized that the value of professional certification is not asna one-and-done exam, but as the direction and building blocks of a lifetimenof continuous learning and refreshing of skills and capabilities to keepnpace with threats and countermeasures. Thirty years on, at the heart of thenCISSP program is continuous professional education (CPE), the requirement tonkeep your knowledge and awareness refreshed to maintain your CISSP status.n

n ]]>