Roommate: Alleged hacker said he was paid to attack news site

Suspect's friend thought it was just a boastful claim

Alleged Almanac Online hacker Ross M. Colby told a housemate that he had hacked a news website for pay, according to testimony in San Jose federal court on Friday.

The revelation came after two days of largely technical testimony by FBI special agents and the Information Technology department staff of Almanac Online's parent company Embarcadero Media.

Colby is charged with two felonies and three misdemeanors relating to alleged computer intrusions leading up to the Sept. 17, 2015, shutdown of five of the news organization’s websites and the erasure of internal file servers.

The former roommate, who is a software engineer, was one of four housemates sharing a residence in 2015 with Colby on South Van Ness Avenue in San Francisco.

He testified that when Colby told him about having hacked a newspaper website he didn't believe him and viewed it as just a boastful claim.

“He’s made other hard-to-believe remarks,” he said.

Neither the prosecutor nor Colby's defense attorney asked further questions of the roommate regarding the statement.

The roommate also testified that he once witnessed Colby successfully gain access to the protected areas of a friend's website, with the friend’s permission, in order to demonstrate the site’s vulnerability.

He testified that he and Colby had a number of conversations about computer security, and frequently had discussions about the Linux operating system and about Virtual Private Networks, or VPNs, which route a user’s internet traffic through an intermediary address so that the user’s own IP address is hidden.

The roommate said he helped Colby set up a VPN, but testified he had never participated in any hacking activity nor accessed anyone's email account without permission.

Vicki Young, Colby’s attorney, tried to discredit the roommate’s testimony by questioning him about previous mental health problems and drug use.

In response to questions about his drug use, the roommate then indicated he might invoke his Fifth Amendment rights against self-incrimination and was excused from the courtroom for a short period until he could receive advice from a court-appointed attorney. He then returned to the witness stand and said he would testify fully and forthrightly.

Young questioned the reliability of his memory and whether it had been affected by his drug use.

But the roommate disputed that his memory was impaired. While all drugs affect memory in some sense, his memory would not have been greatly affected, he said.

“I was employed as a software engineer, which required a lot of memory,” he added.

He said he was no longer using drugs, nor was he doing so at the time Colby made his admission regarding a hack. He was in a drug rehabilitation program at that time, he testified.

He reconfirmed on questioning from prosecutors that he clearly remembered his conversation about the hack with Colby and that it had taken place in the apartment hallway.

Because he has not been charged with a crime, the Embarcadero news group is not publishing his name.

The roommate also testified that he held no ill feelings toward Colby and still considered him a friend.

“I hope he will still think of me as his friend,” he said, despite his testimony.

Earlier in the day, John Colby, Ross Colby's father, testified that his son was visiting at the father's residence in Massachusetts in late July 2015 for about 10 days, a period during which intrusions into Embarcadero's system occurred.

Prosecutors had previously shown that John Colby’s home IP addresses -- the string of numbers identifying specific internet connections -- were used to access the email accounts of Embarcadero Media employees during late July and early August 2015.

The elder Colby, a retired Massachusetts state trooper, said he has never accessed another person’s email account without permission.

Evidence presented by the FBI also showed that the IP address at Ross Colby's San Francisco residence had been used to access the Embarcadero IT employees' email accounts, as was the IP address of the Flying Pig Bistro, a small cafe across the street from Colby's Van Ness Avenue residence frequented by Colby.

In her cross-examination of FBI special agent Frazier, Young focused on numerous connections that were made into the Embarcadero accounts using VPNs that hid the IP address of the person connecting, and pointed out that Colby's own email accounts were also accessed from untraceable IP addresses.

But during Assistant U.S. Attorney Susan Knight’s redirect questioning, Frazier said that a person using a VPN could use it to access their own email account while using another device to access another site.

Prosecutor Joe Springsteen asked about the significance of a suspect using a private IP address to access his personal account if the period of use was in close proximity to the IP address being used for criminal activity.

“If a suspect used an IP address to conduct criminal activity and then personal activity it would indicate that the person was the same individual,” Frazier said.

John Allan Arsenault, general counsel for London Trust Media, a VPN company, testified about how many VPN companies, including his, intentionally don’t retain logs of internet activity of their clients so that they cannot be produced in response to subpoenas from law enforcement or others. London Trust Media operates the brand Private Internet Access (PIA), which owns several IP addresses used to hack Embarcadero Media.

Private Internet Access does not log user activity, such as what files they accessed or changes they made to a website.

The company accepts many kinds of payment methods, including cryptocurrency, but it doesn’t keep records of the individual’s name and address. The only record of the customer maintained is the email address provided when signing up for the service.

There are many legitimate uses for VPNs, including by large corporations with worldwide operations, law enforcement and investigative journalists who might want to protect their sources, but he admitted some people use them for nefarious purposes.

Arsenault said he could not find any record of Ross Colby subscribing to the VPN service when he searched using Ross Colby’s two known email addresses, which he received from law enforcement.

But that means little, he said.

"We’re limited to search by what the government gives us. Just because we can’t find it doesn’t mean” they didn’t use the VPN service.

“Someone could create a throw-away (email) account to subscribe to us,” he said.

Someone using Private Internet Access-owned IP addresses did log in to the email accounts of Embarcadero Media IT employees Frank Bravo, Chris Planessi and Cesar Torres in early August, he said.

The person used at least three Private Internet Access-owned IP addresses to gain access to the employees’ accounts dozens of times, Arsenault said. Cesar Torres’ Google accounts were accessed on Aug. 4 and Planessi’s Google accounts on Sept. 14 and 15.

Some of the dates, particularly in August, were also when John Colby’s accounts in Massachusetts were used to hack the Embarcadero IT employees' addresses.

Keena Willis, a senior paralegal compliance officer for GoDaddy.com, a domain name-hosting company, testified that on Sept. 17, 2015, starting at about 10:48 p.m., someone began altering five Embarcadero Media-owned domain names, including embarcaderomediagroup.com, paloaltoonline.com, almanacnews.com, supportlocaljournalism.com and tourdemenlo.com.

At 11:12 p.m., someone canceled PaloAltoOnline.com with the others following in the minutes thereafter. The domain pages were sent to a parked page that contained the Guy Fawkes image and a notice that the Embarcadero websites had been hacked.

Meanwhile, Embarcadero would not receive notifications of the shutdowns because it no longer had control over its email addresses. The Google Mail MX records, which specify the mail server responsible for accepting email messages on behalf of a domain, were also pointed at a black hole, nowherenowherenowhere.net.

“The emails would literally go nowhere,” Willis said.

The hacker also changed the contact phone number from Embarcadero’s general office number to one at a 404 area code in Atlanta, Georgia. If GoDaddy tried to contact the subscriber, it would not have been able to reach the company, she said. The FBI previously testified that the number belonged to an individual who was not implicated in the crime.

Embarcadero Media IT Director Frank Bravo was able to change the domains back to Embarcadero Media that same night after submitting a credit card number that GoDaddy used for verification. But it took five days to get all of the changes fully corrected.
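The registrar changes Willis describes (MX records swung to a black hole, the sites sent to a parking page) are exactly the kind of drift a periodic baseline comparison would surface. The script below is an added illustration, not code from the article or from Embarcadero Media: the baseline and snapshot are constructed to mirror the incident, the nameserver names are placeholders, and in practice the snapshot would come from a DNS query or the registrar’s API rather than a literal.

```python
"""Flag drift in a domain's MX and NS records against a known-good baseline."""
from typing import Dict, List, NamedTuple, Set

Records = Dict[str, Dict[str, Set[str]]]  # domain -> record type -> set of targets


class Finding(NamedTuple):
    domain: str
    rtype: str
    removed: frozenset  # targets expected but no longer present
    added: frozenset    # targets present but not in the baseline


# Constructed baseline (aspmx.l.google.com is Google's public MX host;
# the ns*.registrar.example names are placeholders).
BASELINE: Records = {
    "paloaltoonline.com": {"MX": {"aspmx.l.google.com."},
                           "NS": {"ns1.registrar.example.", "ns2.registrar.example."}},
    "almanacnews.com": {"MX": {"aspmx.l.google.com."},
                        "NS": {"ns1.registrar.example.", "ns2.registrar.example."}},
}

# Constructed snapshot modelled on the article: one domain's mail has been
# redirected to a black-hole host and its site pointed at a parking page;
# the other domain is unchanged and must not be reported.
OBSERVED: Records = {
    "paloaltoonline.com": {"MX": {"nowherenowherenowhere.net."},
                           "NS": {"ns1.parked.example.", "ns2.parked.example."}},
    "almanacnews.com": {"MX": {"aspmx.l.google.com."},
                        "NS": {"ns1.registrar.example.", "ns2.registrar.example."}},
}


def diff_records(baseline: Records, observed: Records) -> List[Finding]:
    """Return one Finding per (domain, record type) whose target set drifted."""
    findings: List[Finding] = []
    for domain, expected in baseline.items():
        seen = observed.get(domain, {})
        for rtype, want in expected.items():
            got = seen.get(rtype, set())  # a missing record set counts as drift
            if got != want:
                findings.append(Finding(domain, rtype, frozenset(want - got), frozenset(got - want)))
    return findings


def mail_hijacked(findings: List[Finding]) -> List[str]:
    """Domains whose MX set changed. Treat as critical: registrar notices and
    password-reset mail for the domain now go wherever the new MX points."""
    return sorted({f.domain for f in findings if f.rtype == "MX"})
```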

Both sides are expected to rest their cases and deliver closing arguments on Monday. The jury is expected to begin deliberations that same day.

Comments

Posted by Hello
a resident of Menlo Park: Central Menlo Park
on Jun 6, 2018 at 3:23 pm

“If a suspect used an IP address to conduct criminal activity and then personal activity it would indicate that the person was the same individual,” Frazier said.

This is a lie. PIA and most other VPN companies use shared IP addresses, meaning that dozens, if not hundreds, of totally unconnected people will use the same IP address. Unless some other information is known (their real IP address, for example) there is no way to connect two different activities to the same VPN user, because it could just as easily be two different VPN subscribers.


Posted by Conflict
a resident of Atherton: other
on Jun 6, 2018 at 3:28 pm

Isn't there an obvious conflict for the Almanac to be reporting on a case in which it's the victim?


Posted by resident
a resident of Menlo Park: other
on Jun 6, 2018 at 6:34 pm

I have no problems with them reporting on this story as long as they clearly disclose their connection to the crime.

This is not like one of the "news reports" in this newspaper that is clearly written by one of their advertisers with little or no disclosure.

