30 September 2014

A Sign of the Times: Profile of a Hacker Approached by the US Government

Justin Jouvenal
Washington Post
September 28, 2014

A Virginia hacker catches the attention of federal law enforcement

Muneeb Akhter, a 22-year-old cybersecurity expert and self-described hacker, at his home in Springfield, Va. (Evelyn Hockstein/For The Washington Post)

The agents from the Department of Homeland Security and the Secret Service showed up on Muneeb Akhter’s Springfield doorstep in mid-July, he said, soon after they learned that he claimed to have created a hack so powerful it was like printing virtual money.

The cybersecurity expert and self-described hacker, who started college at 16, had casually told co-workers soon after starting work as a DHS contractor that he could add money to major retailers’ gift cards without spending a dime.

Now, as the 22-year-old and the agents sat around his family’s dining room table, the officials wanted to know how. Akhter thought they might arrest him as he explained the hack, but instead, he said, they extended an extraordinary offer: Work secretly as a hacker for the government.

“There is no university we can go to and just recruit people,” a man, who Akhter said is a DHS agent, is heard saying on an audio recording of the meeting that Akhter’s family made. “The people we’re looking for might be the people they have concerns about because you have special skills that we need.”

The would-be offer intrigued Akhter, who had first heard about the potential job the day he revealed his hack to DHS colleagues. But it also roused his suspicions: Were the agents recruiting him or simply creating a ruse to get him to turn over evidence that authorities could use to prosecute him?

The account of the case is drawn from interviews with Akhter and his family, an audio recording of that July meeting with agents and a search warrant filed in Fairfax County Circuit Court. Such warrants often are precursors to criminal charges.

A DHS spokesman said he would not comment on the investigation, so the meeting at Akhter’s home and the recording could not be independently verified. Two of Akhter’s relatives who were present confirmed his account.

For now, the case is one of classic D.C. intrigue: What were Akhter’s intentions in supposedly creating the code? Does it exist? And even more fundamental in a region full of federal workers: Would an agency really recruit this way?

Akhter admits to stepping over the line. He said in a signed, sworn statement given to authorities that he used one of his hacked gift cards to make purchases at a Dunkin’ Donuts and helped friends load gift cards that they used to purchase airline frequent-flier miles. He now denies the latter admission.

He also has dabbled with other “black hat” hacks, such as code that allowed him to win Web auctions with low-ball bids.

Still, he said his intentions in this case were motivated by curiosity, not criminality. He said he was exploring a major security vulnerability that could cost some of the nation’s largest retailers, from Kmart to Starbucks.

Some experts say it is not so far-fetched to think Akhter was being considered for a job. They say that the growing threat of complex cyberattacks has given people with his skills new cachet and that federal agencies have had difficulty hiring and retaining such talent, in part because of the cultural conflict between stodgy federal bureaucracy and the freewheeling hacker underground.

Last year, Janet Napolitano — then the DHS director — said she was seeking to hire 600 “hackers for good” to fend off those with malicious intent.
Gabriella Coleman, a professor at McGill University in Montreal and the author of a forthcoming book about the hacking group Anonymous, put it simply: “American and British governments are hungry to hire hackers.”

*** Akhter said his trouble began in late June, after he obtained a security clearance and a job as a cybersecurity contractor with DHS. Over lunch, he said, he told colleagues about the gift card hack. He also showed them some of the cards.

Akhter said those workers alerted his company, General Dynamics, which told DHS. When Akhter showed up for work the next day, he said his security badge was confiscated and he was ushered into a small room.

He said a DHS agent asked him to explain the hack and, afterward, a second DHS agent told him he was going to verify its feasibility with his cybersecurity team.

When the agent returned, Akhter said, they dangled the offer for the first time. They were considering him for a position with a classified hacking unit. He was told he would make $155,700 a year and be stationed in Seattle.

There was one catch: Akhter said he was required to sign a statement saying he had created the hack and to show agents that he could actually do it.

Akhter was interested. They set up the meeting at his house. And he swore out the statement, which is included in the search warrant.

In the statement, Akhter said he loaded at least $495 onto a Kmart gift card, $480 onto a Whole Foods card, $700 onto a Shell gas card, $180 onto a Dunkin’ Donuts card and $100 onto a Starbucks card.

Akhter used the Dunkin’ Donuts card himself and helped acquaintances load gift cards that they used to purchase frequent-flier miles with US Airways and American Airlines, according to the statement. The statement does not say whether the other cards were used.

In an interview, Akhter said he used the one card to confirm that his hack worked. He now says he has never loaded cards for others and that law enforcement officials miswrote what he told them. He said he simply showed the code to friends.

“I just did it to see if it would work or not,” Akhter said. “I’m a researcher. I’m not using [the code] maliciously.” He said he planned to take his concerns to the retailers and see if they would hire him to fix the problem, but that he hadn’t yet taken that step.

If the hack is legitimate, it would be in keeping with early talent Akhter showed in computing. He was born in Maryland but in the mid-1990s moved to Saudi Arabia, where his father is an engineer. He attended a private high school there before returning to the United States for college.

Akhter and his twin brother, Sohaib, enrolled at George Mason University before they had their driver’s licenses. During their time there, they built a robot with a teleconferencing system that allowed them to communicate with friends. They outfitted it with speakers that blasted music and dubbed it the “partybot.”

The brothers were George Mason’s youngest graduates in 2011, and Muneeb completed his master’s in computer engineering at the school by the time he turned 20. While Muneeb was getting the advanced degree, the brothers received a $200,000 grant from the Defense Advanced Research Project Agency, or DARPA, in 2012. The program gave hackers seed money to try to solve cyberdefense problems.

The Akhters’ project involved creating a device that would assess a computer’s vulnerability to “side channel attacks.”

Skilled users can observe a device’s power, electromagnetic radiation, timing and even sounds to determine what encryption software it is running and then crack it, not unlike a safecracker listening to lock clicks with a stethoscope in a caper movie.

“These two guys were super smart,” said Dan Farmer, who also received a DARPA grant and is a pioneering cybersecurity expert.

Akhter said he discovered the gift card hack while researching a topic equally as esoteric as side channel attacks. It employs a technique called “bit squatting.”

Computers encode Internet addresses as 0s and 1s, but very rarely heat, hardware issues or even cosmic rays will randomly cause a digit to flip and a Web user will be sent to the wrong site — for instance, Micro2oft.com instead of Microsoft.com.

A hacker could register the faulty Web address and use it to exploit an unlucky Web user through malware or other attacks.

Cybersecurity researcher Artem Dinaburg first warned of hackers doing this in 2011, but he said that until now it had remained a hypothesis. “This would be the first documented attack that I’m aware of using bit squatting,” Dinaburg said.

Dinaburg is skeptical about Akhter’s claims, but Farmer thought such a hack was theoretically possible. For now, the truth lies on Akhter’s hard drive, which was seized by the DHS agents. Presumably, authorities are looking for the code to create the gift card hack.

*** Some experts said it was unlikely that DHS would hire anyone in this manner, but the need for hacking skills might make Akhter an appealing target.

Coleman, the McGill professor, noted that the former head of the National Security Agency has spoken at hacker conventions, and recently the FBI director floated the idea of relaxing the agency’s strict drug policy in order to hire more hackers. Coleman said British intelligence has created online puzzles to draw in more renegade technologists.

Coleman said there is another possibility: DHS is trying to turn Akhter into an informant.

Federal law enforcement officials have used some high-profile hackers who have run afoul of the law to infiltrate hacker networks. One of the key members of a hacking group called Lulzsec helped lead investigators to other members of his group. The hacker behind one of the largest cases of identity theft in U.S. history helped authorities orchestrate a sophisticated sting on credit card thieves called “Operation Firewall.”
Akhter said that because of the hack he was fired by General Dynamics for unacceptable workplace conduct. When the federal agents visited his home, he said, the job they offered had changed somewhat from the original description. He said the agents wanted him to hack and work as an informant. That made him more skeptical about the supposed job.

On the audiotape, one of the men he identified as an agent tells him: “We have good toys the private sector doesn’t have.” And then later: “I want you to work with us.”

Akhter now believes the job offer probably was a trick.

“I’m surprised at how the intelligence community actually works,” Akhter said. “I expected them to see my skill set and think, ‘This guy could be used for a lot of things.’ Instead, I’m going to being charged with something.”

No comments: