In 1994, as the CISSP certification was introduced to help professionals and their employers deal with advanced cybersecurity challenges, the world saw one of the largest and most disruptive cybersecurity crime sprees take place, orchestrated by a group known as the Phonemasters.

The mid-1990s was a time of profound technological change.

Windows 95 was just a year away, an operating system that undeniably transformed desktop and laptop computing. The early work on Linux had already matured into a powerful and free computing platform, supplanting Unix as the weapon of choice for many opportunistic cybercriminals and troublemakers. The industry was advancing in its response to what we now call cybersecurity in the form of certifications like the CISSP and education to create dedicated professionals to deal with emerging cybersecurity concerns.

1994 – A Year for Cybercrime

In a previous article, we talked about one of the biggest digital banking heists that took place in 1994, but the year really was a bellwether for both cybercrime and the cybersecurity industry’s response.

Alongside the incident at Citibank, a much broader range of cyber attacks took place, accounting for some $1.85 million of costs and losses due to the damage and disruption caused. An international cybercrime group, dubbed the “Phonemasters” by the U.S. Federal Bureau of Investigation, due to its focus on telecommunications-based attacks, breached the networks of a variety of communications and data companies including MCI WorldCom, BT, Sprint, AT&T, Equifax, Dun and Bradstreet and LexisNexis.

Mischief Managed

The actions of the Phonemasters gang were quite broad, mostly focused on causing mischief and disruption to companies and organizations rather than flat-out monetary theft, as was the case with the Citibank incident. Phonemasters engaged in activity including allegedly redirecting an FBI phone number to an adult chat line, generating $200,000 in costs. The group also found its way into databases containing phone tapping information, and obtained the numbers of a variety of celebrities such as the singer Madonna.

With the gang having created considerable chaos, the FBI looked for a technology solution to gather evidence, identify the gang members and mount a case.

The Data Tap

To surveil the attackers, a U.S. federal court granted the FBI permission to use the first ever "data tap" to monitor the hackers' activities. Conventional phone tapping and physical surveillance were unlikely to produce any usable evidence: even in 1994, this was a group that was already operating entirely online, even though dedicated data lines in the home were rare and most online activity was still using dial-up modems. Through the data tap, the FBI was able to capture the Phonemasters' keystrokes as they exchanged stolen credit card numbers. After an extensive investigation that involved law enforcement in Texas, Pennsylvania, Ohio, Colorado, California, Oregon, New York, Florida, Canada, Switzerland, and Italy, the case was made.

In late 1999, the members of the group were finally convicted of theft, possession of unauthorized access devices and unauthorized access to a federal computer. Corey Lindsly in Philadelphia, considered to be the mastermind of the Phonemasters, was sentenced to 41 months in prison, at the time one of the longest sentences ever handed out in the U.S. for computer misuse. Calvin Cantrell of Dallas was sentenced to 24 months, while John Bosanac received 18 months for his involvement.

The Significance of the Data Tap and 1960s Legislation

The Phonemasters case instigated a number of law enforcement firsts, highlighting the need for both professional standards and continuous professional education, as well as technology solutions to combat emerging future cybercrime.

Although the Omnibus Crime Control and Safe Streets Act of 1968 was arguably out of date, having been passed into law in 1968, the FBI and its legal counsel were able to leverage it to get the powers they needed to fight a very 1990s crime. The law originally applied to, amongst other things, obtaining legal clearance for telephone wiretaps. However, it was argued that Title III of the Act, the part that specifically applied to wiretaps, could also be interpreted to cover any form of ‘tap’ on a communications connection, regardless of whether the connection was analog or digital, or whether the information gathered was spoken word or digital information. This established legal precedent, and as a result the Act remains on the statute books to this day, with that precedent serving as the updated definition needed to make the Act usable in the internet age and the interconnected decades that followed.

CISSP – Keeping on Top of a Changing Environment

The challenge faced by the FBI in 1994, along with the subsequent difficulties in building a case using the legislation of the time, illustrates just how much has changed when compared with where we are now: in technology generally, in cybersecurity technology, and in the focus of lawmakers as they try to adapt to a threat landscape that often evolves far faster than detailed legislation can keep up with. Even the first CISSPs certified in 1994 soon realized that the value of professional certification is not as a one-and-done exam, but as the direction and building blocks of a lifetime of continuous learning and refreshing of skills and capabilities to keep pace with threats and countermeasures. Thirty years on, at the heart of the CISSP program is continuous professional education (CPE), the requirement to keep your knowledge and awareness refreshed to maintain your CISSP status.
