Risky Business By Joseph C. Panettieri, Sm@rt Reseller Petersen Some of the world's largest corporations hired Justin Petersen. So did the FBI. In fact, in law-enforcement circles, he's known as Agent Steal, and he's got a long list of technical skills and references that would make most resellers drool. Consider his most recent tour of duty, which includes developing intranets and extranets for Cosmic Media, a Los Angeles-based Internet consulting firm that has deployed secure electronic commerce sites for Digital Media and other fledgling businesses. He has also launched his own 1,000 square-foot computer center, which features two server rooms, a control room and an earthquake resistant design. Now, for the twist: Petersen, 37, is also a reformed hacker. Earlier this decade he served time for breaking into several corporate networks, making bomb threats and stealing money from a bank electronically. "I imagine if I walked into a place and tried to get a regular job, my record would be an issue," concedes Petersen, speaking from the Los Angeles apartment he has called home since his release from prison last year. "But I've known a couple of guys from Cosmic Media for a long time, and I have other friends in the industry--including a Webmaster over at CNET. Friends who are aware of my convictions support me and hire me. "Hacking was a phase I went through," continues Petersen. "I learned what I wanted to learn, and I got it out of my system. That phase of my life is over." FBI Informant As if Petersen's story wasn't outrageous enough, portions of his digital crime spree actually were committed while he was working undercover for the FBI, according to court documents obtained by Sm@rt Reseller. He also has crossed paths with notorious Internet hacker Kevin Mitnick. The FBI and the U.S. Department of Justice took Petersen's offenses quite seriously. When Petersen pleaded guilty to several computer-related crimes on March 27, 1995, the DOJ promptly issued a tersely worded press release stating that he faced a "maximum sentence of 60 years in prison and $2 million in fines." Today, that very same press release begs two troubling questions: How did Petersen emerge from prison so quickly? And can he be trusted to work with computers, the Internet and channel players? To be sure, hackers increasingly are turning over new leafs as resellers and security consultants. Says John Klein, president of Rent-A-Hacker (www.rent-a-hacker.com), "I've seen my customers hire hackers. Sometimes an 18-year-old kid who lives on the Internet has more experience than a 30 year old with a Master's [Degree] in computer science." Still, hiring a young cyberpunk who knocked over a few Web sites is one thing. But recruiting the likes of Agent Steal is in another class. Says Art Brieva, chief technology officer at The PC Authority, a Plainview, N.Y.-based reseller: "There are hackers who mess around with systems for the pure challenge of it, and then there are hackers who have malicious intent. I would tend to steer clear of the latter." Quite A Child Hood Petersen says he started wiretapping phone systems and hacking computers when he was only 12. In his early years, he simply explored computer systems rather than damage them. For more than a decade, he read about technology and honed his hacking skills before breaking into TRW Inc.'s credit system in 1989. Later that year, he and fellow cyberpunk Kevin Poulsen rigged Pacific Bell's telecom network and seized a radio station's phone lines to win a $10,000 call-in contest. "Poulsen taught me a great deal about hacking," allows Petersen. "But I was mostly self-taught. I bought lots of books and always read a lot about computers." Petersen, working with Poulsen, found a security hole in a Pacific Bell test and maintenance system that made the radio station hack possible. Petersen claims the duo could latch onto any phone line within Pacific Bell's network, monitor it, ring it, dial out, and so on. Far from complicated, the hack required a single PC and two phone lines (one for control via computer and one to monitor). "Pacific Bell thought the system was secure, but they shut it down after they discovered the weakness we exploited," Petersen says. After parting ways with Poulsen, Petersen fled to Texas in 1991 and was arrested after being caught driving a stolen Porsche. A search of Petersen's apartment by police uncovered more than a dozen fraudulent credit cards, modems and a computer. Police suspected Petersen was using the PC to illegally access TRW's credit system to obtain credit cards under several aliases, according to court documents. Rather than face full prosecution, Petersen's legal troubles took a dramatic turn for the better in September 1991. According to court documents, a Secret Service agent visited Petersen in a Texas jail several times and they struck a stunning deal: In return for pleading guilty to various computer-related crimes, Petersen agreed to work undercover for the FBI. He was released and placed under the FBI's supervision in California. Petersen's legal case also was transferred to California, and his sentencing was delayed until his work for the FBI was completed, according to the court documents. Hunting Hackers The nature of Petersen's service for the FBI remains unclear at best. Neither the FBI nor the Secret Service is willing to comment about Petersen's case. For his part, Petersen claims the FBI rented him a furnished apartment and gave him a salary, two computers, two modems and phone lines to gather information about alleged hackers who may pose a threat to the government. In particular, Petersen and several attorneys close to his case say he helped the FBI amass evidence against former buddy Poulsen, as well as Mitnick and Lewis DePayne. Poulsen is now free after serving time for rigging the 1989 radio contest and facing a much more serious charge of international espionage. Mitnick and DePayne await a Jan. 19, 1999, trial date for an alleged Internet crime spree that Miramax, a major Hollywood movie studio, is transforming into a motion picture. As for Petersen, his work for the FBI continued until Oct. 22, 1993. On that day, government officials met with Petersen and asked him if he had committed additional computer-related crimes while working for the FBI. According to court documents, Petersen panicked and fled the meeting. Like Mitnick at the time, he was now a fugitive. Petersen remained at large for more than a year. He surfaced again on Aug. 17, 1994, when he hacked Heller Financial Inc., a commercial financial service provider in Glendale, Calif. Once inside Heller's network, Petersen identified a line between two network switches that was accidentally left unencrypted. Petersen used the weak link, which has since been corrected, to transfer $150,000 from Heller's electronic vaults to an account at Union Bank in Bellflower, Calif. Petersen made two bomb threats to Heller in an effort to distract employees so they would not notice the transfer of funds, according to court documents. This Is Only A Test Petersen considered the first transfer a "test," and planned to return for more cash a few weeks after the first transaction. But the FBI was searching for him, and he was tracked down and arrested three weeks after hacking Heller's network. In early 1995 he pleaded guilty to committing computer wire fraud while a fugitive and didn't emerge from prison until April, 1997. Petersen's time behind bars fell far short of the potential 60-year sentence he faced. Some lawyers, including Mitnick's attorney, Donald Randolph, consider Petersen's short sentence rather curious. Others are surprised that Petersen is free to work with computers and the Internet. By contrast, Mitnick is only allowed to use a non-networked PC when researching documents related to his criminal case. Petersen faces no such restrictions. Says alleged hacker DePayne, the co-defendant in Mitnick's case: "Petersen hacked for profit then cooperated with the government. Poulsen didn't cooperate with the Feds. I'd say that's why Justin [Petersen], rather than Kevin [Poulsen], can now work with computers without any limitations." Asst. U.S. Attorney David Schindler says Petersen is subject to a "supervised release" and must "get approval" from a parole officer before accepting high-technology jobs or any other work that may tempt fate. Still, one question remains: How did Petersen circumvent the possible 60-year prison sentence mentioned in the 1995 DOJ press release? "That's a question I'd love the government to answer," says attorney Richard Sherman, who has defended Mitnick and currently represents DePayne. Schindler says Petersen got time off for good behavior, and adds that the DOJ's press release was a bit misleading. Enjoying Freedom Petersen has certainly made the most of his early release. In recent months, he has devoured technical manuals, and quickly gotten up to speed on numerous technologies that gained popularity during his prison stay, including Windows 95, Windows NT, Java and Internet development tools. "I haven't been in any trouble since my release," he says (and attorney Schindler confirms). "I'm concentrating on Web development and my NT skills, and hope to launch an adult Web site down the road." Petersen, by all accounts, is no longer using his hacker skills, but he certainly doesn't hide his past. His personal Web site features legal documents from his court case, interviews published in hacker publications, as well as a few booby traps that could send some Web users running for cover. (Because of the latter issue, Sm@rt Reseller has elected not to publish Petersen's URL.) Until very recently, the Web site manipulated a visitor's computer by launching nefarious Java applets. And his current e-mail address pokes fun at one of his former victims, Pacific Bell. It's unclear how long Petersen will continue working side-by-side with channel players. Aside from launching his adult Web site, Petersen also is promoting Los Angeles night clubs. But despite such demands on his time, he's willing to continue lending local Web consultants a hand if the price is right. And there are certainly resellers interested in the likes of Petersen. "Hackers are the best consultants out there," says Kevin Johnson, owner of security consultancy and reseller Johnson & Associates. "I've got a guy working for me who was a hacker, and he's very good at what he does." Even one of Petersen's staunchest critics, attorney Sherman, defends Petersen's right to work within the computer industry. Quips Sherman: "I don't think anyone's right to use a computer should be taken away. But if Justin hacks me, I'll kill him." Reformed hacker Justin Petersen is working side-by-side with Web consultants and resellers. Would you hire him? April 1989 Petersen's digital crime spree begins when he steals credit card information by hacking TRW Inc. and wiretapping Telenet Corp. Poulsen Sept. 1989 Petersen and Kevin Poulsen rig Pacific Bell's telephone network to win a $10,000 Los Angeles radio station call-in contest. Dec. 1990 With FBI agents in pursuit, Petersen flees Los Angeles and heads to Texas. Feb. 1991 Petersen hacks TRW Information Services and Trans Union Credit Corp. to obtain fraudulent credit cards from Citibank, Chevron, Texaco, U.S. Sprint and Pacific Bell, among others. June 1991 U.S. District Court in northern Texas issues an arrest warrant for Petersen. He's picked up in a stolen Porsche. Sept. 1991 Secret Service agents meet with Petersen in a Texas jail. They cut a deal: Petersen pleads guilty to various computer crimes and agrees to work undercover for the FBI. Oct. 1991 Petersen is released into FBI custody and his case is transferred to California. 1992-1993 Petersen's sentencing is delayed or "continued" numerous times because of his continued undercover work with the FBI. He allegedly helps in the FBI's cases against Poulsen, Kevin Mitnick and Lewis DePayne. Oct. 1993 Petersen commits credit card and wiretapping crimes while still serving as an FBI informant. When confronted about the alleged crimes, Petersen flees the FBI and becomes a fugitive. May 1994 In a letter to U.S. Attorney General Janet Reno, California attorney Richard Sherman, who once represented Mitnick and now represents DePayne, alleges that Petersen was committing crimes wile working for the FBI. Aug. 1994 Petersen hacks a financial institution and transfers $150,000 to a local California bank. He makes two bomb threats to distract employees during the transfer. He's arrested shortly thereafter. March 1995 Petersen pleads guilty to committing computer wire fraud while a fugitive. The DOJ issues a press release stating that Petersen faces a maximum possible sentence of 60 years and $2 million in fines. April 1997-present Petersen is released from prison. He quickly gets up to speed on Windows 95 and Windows NT, and works as a Web developer. Justin Petersen cannot escape his past, particularly his mysterious work as an FBI informant. Details about Petersen's work for the Feds are shady at best, but that could change as soon as Jan. 19, 1999. That's when the government's case against alleged hackers Kevin Mitnick and Lewis DePayne is expected to go to trial. In what could be a bombshell, Sm@rt Reseller has learned that Petersen may be called to testify at the trial. "It's a good possibility," says Mitnick's attorney, Donald Randolph. Adds DePayne's attorney, Richard Sherman, "I want to know what activities Justin was engaged in for the government and how that relates to my client. If there's enough evidence related to Justin, I'll call him. You know something? Let me rephrase that: I'm gonna call him." Sherman alleges that the FBI allowed Petersen to place illegal wiretaps throughout California. Sherman made some of these allegations in a 1994 letter to U.S. Attorney General Janet Reno. The government promised to investigate Sherman's allegations, but never issued a formal response. Asst. U.S. Attorney David Schindler, however, says Petersen has no bearing in the upcoming Mitnick-DePayne trial. Mitnick was arrested in February 1995. He faces a 26-count indictment related to computer fraud and wire fraud. Mitnick is accused of hacking Motorola, Novell and Sun Microsystems, among others. DePayne allegedly aided and abetted Mitnick during his run from justice. "I was in contact with Kevin while he was a fugitive," concedes DePayne. "But I can't help it if Kevin kept calling me." DePayne remains free because he has no criminal record. Mitnick, on the other hand, has previous convictions and remains behind bars in Los Angeles' Metropolitan Detention Center. In preparation for the trial, a U.S. District Court judge has ruled that Mitnick can use a standalone PC with no modem or network connection to review 9.7 gigabytes worth of legal documents pertaining to his case. Meanwhile, DePayne is leaving his legal case to attorney Sherman and turning his attention to Tinsel Town. He hopes to land a bit part in "Takedown," a movie about the Mitnick case that Hollywood studio Miramax recently began filming. They sound like common sense, but Justin Petersen's security tips could shield your network--and your customers' systems--from probing eyes. 1. All systems should have an alpha-numeric password (that is, a password that uses a mix of letters and numbers) at least four characters long. 2. Change all passwords every 30 to 90 days, delete unused accounts on multi-user systems, and disable network passwords the moment an employee, temp or contractor no longer works for the company. 3. Firewalls are certainly handy, but don't forget about a hacker's back door--modems. Whenever possible, all modems should be disabled when not in use. Otherwise, you're tempting fate. 4. If you must use numerous dial-up connections within a network, hire a security consultant and evaluate the dial-ups for security holes. 5. Install, maintain and use virus protection on all desktops and servers throughout a network. 6. Most resellers are wise enough to back up data, but don't forget to store it off-site. That way, a disaster (such as a fire or flood) can't knock out your primary network and the backup data. 7. Educate all employees about the threat of "social engineering," which is hacker lingo for a collection of clever tactics and phrases used to gain employee names, business titles, phone numbers, or passwords during a casual phone conversation with company employees. 8. Remember that PCs and Web servers aren't the only systems a hacker may attack to gain information. Other potentially vulnerable systems include voice-mail systems, phone systems, audio processors, answering machines and remote transmitter controls.