Feeds

'Deceptive duo' hacker pleads guilty

Benjamin Stark in plea bargain deal

  • alert
  • submit to reddit

SANS - Survey on application security programs

A Florida man pleaded guilty in federal court in Washington D.C. on Wednesday to charges stemming from his role as one half of the high-profile hacking team "The Deceptive Duo", responsible for obtaining sensitive information from government systems, and defacing dozens of governmental and private websites with patriotically-themed messages exhorting the U.S. to shore up cyber defenses.

In a plea agreement with prosecutors, Benjamin Stark, 22, admitted to cracking eleven computer networks belonging to nine US government departments and private commercial entities. He faces a likely prison term of 24 to 30 months in custody under federal sentencing guidelines.

The Deceptive Duo drew public attention in April 2002 for defacing government websites with a patriotic "mission outline" in which they described themselves as anonymous citizens determined to save the country from cyberterrorists by exposing security holes in critical infrastructures. "Tighten the security before a foreign attack forces you to," the Duo's defacements typically read. "At a time like this, we cannot risk the possibility of compromise by a foreign enemy." Accompanying the text was a graphic of two handguns against the backdrop of a tattered American flag.

Federal prosecutor John Carlin declined to comment on Stark's motives, but he said there was no mention of the hacker's purported patriotism at Wednesday's plea hearing. "It's not in the plea agreement, and it wasn't mentioned in the statement of facts that were given in the hearing today," Carlin noted.

As part of the plea, Stark admitted to working with an unnamed partner to crack systems at the Federal Aviation Administration (FAA), the Federal Highway Administration, the Defense Logistics Agency; the Department of Defense's Health Affairs office, the Department of Energy's Sandia National Lab, the Naval Air Systems Command, the Air Force Publishing Office, Dynamic Systems Inc. and Midwest Express.

Compromised database

At the FAA, the Duo cracked a server run by the administration's security force, and posted and posted samples from a compromised FAA database detailing passenger screening activity at various US airports in the year 2000, with each screener's name, the number of passengers he or she screened, and the number of guns, explosives or chemicals intercepted. In other intrusion, the pair demonstrated access to passport and social security numbers and other private data.

Each of the charged Deceptive Duo intrusions allegedly resulted in financial damage ranging from about $1,000 to $15,000, except for the Midwest Express hack, which cost the company $57,500, the government claims.

Stark's plea agreement contains no language indicating that he's agreed to testify against his partner in the hacks, believed to be 20-year-old Robert Lyttle, a prolific website defacer raided by the FBI along with Stark. Lyttle has yet to be charged federally for the hacks, and if he is, his attorney has promised to demonstrate that the Deceptive Duo's intrusions were genuinely aimed at preventing terrorist attacks on the information infrastructure. "Robert has a great necessity defense," San Francisco lawyer Omar Figuroa said earlier this month. "I'm confident that Robert would be completely exonerated if charges were filed."

In addition to the Deceptive Duo hacks, Stark admitted to two solo missions. In February 2001 he defaced a U.S. Army Corp of Engineers website under his online moniker "The-Rev". And in December of that year he sold a bundle of 447 stolen credit card numbers to an undercover FBI agent in a chat room for $250.

Stark's sentencing is scheduled for 24 September.

Copyright © 2004, 0

Related stories

'Deceptive Duo' hacker charged
FAA hacked by patriots

High performance access to file storage

More from The Register

next story
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
prev story

Whitepapers

Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.