washingtonpost.com
Services' E-Mail Hacking Illegal, but Officials Need More Than That to Prosecute

By Tom Jackman
Washington Post Staff Writer
Monday, September 7, 2009; A01

When Elaine Cioni found out that her married boyfriend had other girlfriends, she became obsessed, federal prosecutors say. So she turned to YourHackerz.com.

And for only $100, YourHackerz.com provided Cioni, then living in Northern Virginia, with the password to her boyfriend's AOL e-mail account, court records show. For another $100, she got her boyfriend's wife's e-mail password. And then the passwords of at least one other girlfriend and the boyfriend's two children. None had any clue what Cioni was doing, they would later testify.

Cioni, however, went further and began making harassing phone calls to her boyfriend and his family, using a "spoofing" service to disguise her voice as a man's. This attracted the attention of federal authorities, who prosecuted Cioni, 53, in Alexandria last year for unauthorized access to computers, among other crimes. She was convicted and is serving a 15-month sentence.

But such services as YourHackerz.com are still active and plentiful, with clever names like "piratecrackers.com" and "hackmail.net." They boast of having little trouble hacking into such Web-based e-mail systems as AOL, Yahoo, Gmail, Facebook and Hotmail, and they advertise openly.

And, experts said, there doesn't appear to be much anyone can do about it.

"This is an important point that people haven't grasped," said Peter Eckersley, a staff technologist for the Electronic Frontier Foundation in San Francisco. "We've been using e-mail for years, and it's been insecure all that time. . . . If you have any hacker who is competent and spends the time and targets you, he's going to get you."

Federal law prohibits hacking into e-mail, but without further illegal activity, it's only a misdemeanor, noted Orin Kerr, a law professor at George Washington University and a former trial attorney in the Justice Department's computer crime section.

"The feds usually don't have the resources to investigate and prosecute misdemeanors," Kerr said. "And part of the reason is that normally it's hard to know when an account has been compromised, because e-mail snooping doesn't leave a trace."

Every state has laws roughly similar to the federal computer laws, Kerr said, and rate the offenses as misdemeanors.

Not long after Gov. Sarah Palin of Alaska was named the Republican nominee for vice president last year, someone hacked into her personal Yahoo e-mail accounts. And as the election neared, someone at George Mason University hacked into the e-mail of the school's provost and sent a schoolwide e-mail saying the election date had been changed.

"Web Based email password hacking or cracking is one of our all time favourite and unique hobby," write the folks at YourHackerz.com. It's not clear where YourHackerz.com is located, but experts suspect that most of the businesses are based overseas. "We will provide you with the original Passwords. No questions asked whatsoever. Payment only after you are CONVINCED. 100% guarantee of Cracking. Total privacy of your information. No legal hassles."

At SlickHackers.com, they boast, "We are professionals interested in helping serious people for whom an email password would mean saving their marriage, knowing the truth, preventing a fraud, protecting their family/job/interests only when conventional ways and normal procedures do not work."

All the services advertise that they will e-mail a screenshot of the target's in-box or even send an e-mail from the target's e-mail as proof that they've cracked the password. The customer then sends payment. One service, whose fee is only 20 British pounds (about $33), then responds with the script from a scene from a Shakespeare play, with the stolen password hidden in the copy.

E-mail inquiries to several of these services did not elicit any responses.

The FBI cannot police the Internet, a spokesman said. "The FBI is aware of these illegal services," spokesman Paul Bresson said, "and we have been successful in the past in identifying criminal activity and working with prosecutors to bring indictments. Users of these services should know that just because a product is marketed on the Internet doesn't mean it's legal."

But agents must be made aware of specific illegal acts occurring in this country before they can pursue a provider, Bresson said. They can't investigate an online service without evidence of a particular crime in the United States.

"This kind of thing has been on the radar of law enforcement already," said Alissa Cooper of the Center for Democracy and Technology in Washington. But with many of the hackers overseas, "in practice it takes a lot of resources and time to build up relationships with [law enforcement] in other countries. They're starting to do that in the cybersecurity realm."

Experts said there are numerous ways to steal someone's e-mail password, from simply guessing at family names or pet names to high-tech infiltration. The most common way is to send the target a link to a greeting card or something else they might specifically be interested in. When the target opens the link, software is installed on his or her computer that snatches the password the next time it's typed in and sends it to the hacker. Web-based e-mail, such as Google's gmail and Yahoo, can also be attacked through bugs in the Web browser, Eckersley said.

"The unfortunate news is there's rather less of computer security than we would want," Eckersley said. "We think of a computer as being incredibly sophisticated. But as it does more, it actually becomes less secure."

Another problem is that many computer users are not terribly computer savvy. "As human beings, we don't have good intuitions about the internal workings of computers. Ninety percent of us make the wrong decision when something pops up about accepting an unauthorized certificate. It's really saying, 'Do you want to be hacked?' "

The Electronic Frontier Foundation published a brochure this summer for people wanting to avoid government detection in international hot spots, including Iran and Burma, but the tips apply universally, Eckersley said. Beware of malware, such as viruses, worms and keystroke loggers. Choose the least risky communication channels. Use encryption. Use different passwords for everything. Eckersley said changing operating systems and carrying all important data on portable disks is another step, if a burdensome one.

The tips are available on the EFF's Web site.

But "if you're an ordinary person and afraid you have an ex-lover who wants to hack you," Eckersley advised, "you're probably better off not using computers for the kinds of communications you want to keep secret."

Once authorities decide to follow a hacker, it's not difficult to determine the source. An FBI agent investigating Cioni simply subpoenaed her phone and e-mail records from the various providers, which showed that she had used e-mail and PayPal to enlist YourHackerz in her quest. A search of her computer found fragments of her targets' e-mail in-boxes.

Then, according to testimony at her trial, when she called her boyfriend, she mentioned material that could be known only by those who had read her boyfriend's e-mail.

View all comments that have been posted about this article.

© 2009 The Washington Post Company