Police: Wireless network hacker targeted Seattle-area businesses

Law officers have moved to seize a Seattle man's car they claim was used in a "wardriving" spree that saw Seattle-area wireless networks hacked and harvested for information.

In filings with the U.S. District Court at Seattle, investigators contend the 1988 Mercedes sedan was a rolling base of operations for hackers intent on forcing their way into wireless networks to obtain personal information.

Federal prosecutors describe the seizure requested last week as a small piece of a years-long investigation into a string of network intrusions and commercial burglaries in which two other Seattle men were accused of stealing $750,000 in computer equipment and other items.

Writing the court, Seattle Police Detective Chris Hansen said the car's owner is suspected of using sophisticated electronic equipment to break into networks protected by a 12-year-old security algorithm -- Wired Equivalent Privacy, or WEP -- that has since been superseded by more modern defenses.

A search of the car conducted after the owner's arrest in October uncovered network tools, antennas and other items used to break into wireless networks, the detective said in court documents.

'Wardriving,' 'piggybacking' and an arrest

Hansen – assigned to the Seattle department's fraud unit and serving on an interagency taskforce hosted by the Secret Service – noted that an unspecified number of small and medium-sized businesses around the Puget Sound had suffered network intrusions.

"Based on the investigation to date, I believe that these network intrusion incidents are the work of a loosely associated group of criminals in the Seattle area," the detective continued, noting that the suspects are thought to have been working together since May 2006.

The car's owner was seen in the vicinity of several network intrusions, the detective told the court.

The 35-year-old Capitol Hill man, the detective claimed, was using the black car in so-called "wardriving."

Essentially, those engaged in "wardriving" use laptops or other devices to map wireless networks. The term is apparently derived from the 1983 Matthew Broderick film "WarGames," in which Broderick's character uses his computer in "wardialing" hundreds of phone numbers in an effort to find a modem.

Hansen noted that the "wardriving" suspects would, after locating a network, then "piggyback" on the networks to obtain financial information.

"Once a suspect has gained unauthorized access to a wireless network, computers in the vehicle can be used to run programs such as port scanning software and password recovery software designed to breach security on machines within the network," the detective told the court.

With access achieved, thieves then pull identifying information and financial data off the network for later use.

The car's owner was arrested in October at a Capitol Hill wine bar after attempting to use a gift card stolen during a string of commercial burglaries, the detective told the court.

Two charged in burglary string

During much of 2010, King County prosecutors contend, a pair of burglars targeted commercial businesses in Bellevue, Redmond and elsewhere on the Eastside.

In an odd twist, the men charged in nine of the break-ins – Seattle residents Brad Lowe, 36, and Joshuah Witt, 34 – are alleged to have sought out servers and internal documents believed to contain identifying information.

Writing King County Superior Court in January after burglary charges were filed against Lowe and Witt, Deputy Prosecutor Mafe Rajul alleged the men had stolen $750,000 worth of equipment during a nine-month period.

"The defendants are prolific and sophisticated burglars who target large businesses to steal computer servers containing large databases of people's personal information," Rajul told the court.

Rajul added that, though the men have been charged in nine burglaries, they are suspected in many more.

Describing the largest single burglary of which the men are accused, Redmond Detective Brian Coats alleged the men broke into the Union Hill Road offices of Concur Technologies twice during the weekend of Nov. 27.

Servers worth $300,000 were taken from the site, the detective told the court. More troubling, Coats continued, the thieves appeared to have targeted electronic data files rather than physical property.

Eight servers were stolen from the payroll-management company's server room, including one containing the company's email archive.

"Those servers contained six years' worth of employee and customer email exchanges," Coats told the court. "The suspects could have the ability to access personal information of the company's employees and customers as well as proprietary information concerning the operation of the business."

Video surveillance showed the men walking directly to the company's server room on Nov. 27, the detective continued. Multiple loads of items were taken by handcart to a waiting van, which left the area four hours after the burglary began.

The burglars returned the following morning and retrieved additional servers, according to charging documents. Several cabinets and drawers were also pried open, and the company CEO's computer was stolen. Also taken were a variety of cellular phones, gift cards and an electric toothbrush, among other items.

Investigators reviewing security camera footage from Concur recognized the burglars from the earlier break-ins as well as the wireless network intrusions, Coats told the court.

Police searching Witt's Queen Anne apartment recovered 36 laptop computers – including one taken from the city of Seattle – dozens of computer hard drives, a server and other items, Coats said. Also found were several keys to commercial buildings hit during the burglary string.

Writing the court, a King County detective investigating a pair of burglaries at businesses on Woodinville-Redmond Road described the break-ins as one facet of a wide-ranging fraud that also included the attacks on wireless networks.

"Once in possession of information from these networks, they have used the data for financial gain," the detective told the court. "This has included using identity information from victims to commit fraud, redirect money to fake payroll accounts and use bank account and credit card account information to purchase consumer electronics and car parts."

Police: Antenna, 'hacking tools' seized

In October, Bellevue police learned that gift cards reported stolen during a burglary had been used at a Capitol Hill wine bar.

Later in the month, Seattle police arrested the owner of the Mercedes at the wine bar after he attempted to use one of the stolen cards there, Hansen told the court. Confronted by officers, he allegedly said he'd purchased the cards on Craigslist.

Pressed by investigators, the man admitted to knowing about the burglaries but refused to share the information, the detective told the court.

"I know, but I can't tell you about it," he said, according to police statements.

Officers also seized his car – a black 1988 Mercedes with darkened windows and a laptop stand – which was searched after a warrant was obtained. The warrant remains under seal with the U.S. District Court.

Searching the car, officers found a laptop computer drawing power from the car. Hansen noted a laptop stand had been installed in the car to allow a person to operate the computer while driving.

Investigators also found tools used to create networks, a long-range antenna and other items described as "hacking tools." Car parts purchased with stolen financial information were also found inside the vehicle or installed on the car, the detective continued.

"The vehicle itself is both evidence of the crimes under investigation, and constitutes proceeds of the same," the detective told the court.

On Friday, a U.S. District Court judge authorized the Secret Service to seize the car and hold it. Federal prosecutors have asked that the car be forfeited to the government as proceeds of criminal activity.

The car's owner has not yet been publicly charged with a crime related to the investigation. Seattlepi.com does not usually name suspects until they've been charged.

Witt and Lowe have each been charged with multiple counts of second-degree burglary. Attorneys for each man declined to comment on the allegations.

Levi Pulkkinen can be reached at 206-448-8348 or levipulkkinen@seattlepi.com. Follow Levi on Twitter at twitter.com/levipulk.