The Cybercrimes of Ehud Tenenbaum


This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.


Ehud Tenenbaum is an Israeli citizen and infamous hacker. His known criminal career began in 1989 at the age of 19, when he was charged with penetrating hundreds of U.S. Government web sites. Remanded to Israel for prosecution, he received marginal punishment and went on to create his own computer security firm. Tenenbaum was unable to resist the urge to violate the law. On subsequent occasions he was arrested by Canadian and U.S. officials for various computer crimes. Tenenbaum was the possible catalyst or accelerator of modern computer security awareness; the years 1996 – 2002 saw a sharp increase in the creation of major U.S. Government cyber infrastructure security policies as well as the Federal Bureau of Investigation’s creation of the National Infrastructure Protection Center.

Keywords: Ehud Tenenbaum, hacking, NASA, US Government, Israel, 2XS, fraud

A Brief Biography of Ehud Tenenbaum

Ehud Tenenbaum was born in the central Israeli village of Hod HaSharon in 1979. He earned top scores in science and math throughout high school and was an excellent student in spite of dyslexia. Operating from a middle-class neighborhood, Tenenbaum taught himself hacking skills at the age of 15. In online chat rooms and hacker fora he was known by the tags Pink Pony and The Analyzer (Demick, 1998).

Rise to notoriety

Tenenbaum came to the attention of the world in 1998. The then 19-year-old hacker managed to penetrate a distinguished list of targets via computer. Victims included the U.S. Air Force, the U.S. Navy, the Pentagon, the National Aeronautics and Space Administration, the Israeli government, various U.S. and Israeli universities, Lawrence Livermore National Laboratory, and Israeli President Ezer Weizman’s computer. He also attempted, unsuccessfully, to penetrate the Israel Defense Forces classified systems (Trounson, 1998).

From thrill-seeking to fraud. Tenenbaum and three others were arrested in September 2008 for credit card fraud. The joint Royal Canadian Mounted Police – U.S. Secret Service investigation resulted in Tenenbaum’s indictment for six counts of credit card fraud and theft of approximately $1.5 million. Investigators also tied Tenenbaum to groups conducting cyber-attacks against financial institutions world-wide. Credit card information was reaped from the institutional sites and sold on dark-web sites for profit (Zetter, 2012).

The Analyzer was unable to flee to Israel before being extradited into the custody of the U.S. Marshal Service. He served about a year in prison within the U.S. and returned to Israel in 2010.

Third strike. In November, 2013, Tenenbaum was arrested for the money laundering of millions of shekels in Israel.[1] As of 2014 he was still incarcerated by the Israeli government (Kubovich, 2013).

Exploration of the 1998 Thrill-Seeking Attacks

The Case Against The Analyzer

The Deputy Secretary of Defense, John Hamre, announced in February, 1998, that Pentagon and other government computer systems were suffering "the most organized and systematic attack to date" (Key, n.d.). Hundreds of computers and thousands of files were accessed throughout the United States, mostly focusing on military, NASA, and military research facilities.

Poulsen (2001) describes the formation of a joint task force of the FBI, the Air Force Office of Special Investigations, NASA, the U.S. Department of Justice, the Defense Information Systems Agency, the NSA, and the CIA. Solar Sunrise had been declared such an imminent threat to our nation that the President was receiving daily briefings on the task force’s progress.

Deputy Secretary Hamre was loath to admit that the hacks had exploited a well-known Solaris vulnerability for which the U.S. Government had not yet tested, certified, or applied the widely-adopted patch.

Iraq had just denied United Nations inspectors access to its nuclear power and weapons research sites resulting in the movement, by order of President Clinton, of military forces to staging areas in the Middle East (FBI, 1999). It was obvious to experts that the intent of the attacks was to gather intelligence on U.S. plans for actions in Iraq and disrupt command-and-control and logistics systems. Iraqi information warriors were identified as the threat and an FBI task force traveled to Abu Dhabi for a raid; the flow of information had been traced to a specific building. The task force came up empty-handed; Abu Dhabi was a server site tagged by the hackers as a decoy (Adams, 2001). By monitoring the servers, the FBI eventually arrested two California teenagers, “Mac” and “Stimpy,” who had only a minor role in Solar Sunrise but revealed their relationship with Tenenbaum (Poulsen, 2001), allowing authorities to locate him in Israel.

Tenenbaum was apprehended at his home in Israel. Investigators discovered packet analyzer and Trojan horse software identical to that which had been installed on affected servers in the U.S. and other locations. Upon his arrest, Tenenbaum was immediately placed on military duty in an unknown role by the Israeli Defense Forces (LaRosa, 2003).[2] He was released a short time later due to a minor traffic accident.[3] In February 1999, Tenenbaum was indicted under Israeli computer crime law. He pleaded guilty to conspiracy, wrongful infiltration of computerized material, disruption of computer use and destroying evidence. He was placed on a year of probation, fined $18,000 USD, and given a suspended, two-year sentence. His actual jail time amounted to six months of community service as a means of bypassing penalties under Israel’s Deri Law. The Deri Law banned from national office anyone convicted of a crime reflecting ethical violations and who served a year or more in prison (Harkov, 2011); prosecutors appealed to the court’s sensitivity to Tenenbaum’s age and future potential value to Israel. By the time the case was heard and the sentence imposed, Tenenbaum had already started his own computer security consulting service, 2Xs, in Israel (Zetter, 2012).

Israeli Reaction

Israeli Prime Minister Benjamin Netanyahu publicly described Tenenbaum’s hacking skills as "damn good," but also added that he was dangerous. The Prime Minister’s praise instantly catapulted Tenenbaum to the status of national folk hero. Along with offers of employment, Tenenbaum was featured in a full-page computer security ad in Israel’s largest newspaper. As payment, the Israeli computer company gave Tenenbaum an upgraded system to replace the one seized by the police during his arrest (Trounson, 1998).

Trounson (1998) quoted Dror Feuer, editor of the Haaretz newspaper's weekly technology supplement: "He's become a folk hero. People see him as the outlaw of our time, and they really like the fact that this little Israeli went up against the big guys--the Pentagon."

Industry Reaction to Tenenbaum’s Exploits

While Tenenbaum was a folk hero in Israel, most others were less kind in their opinions of his skills. William Zane, President of the Santa Rosa, California company Netdex, was one of Tenenbaum’s first victims (Trounson, 1998):

"These people are the cancer of the Internet. They're nasty little people who have diminished the real flow of information and free speech on the Internet. What they've done is unethical and illegal, and for people like Netanyahu and others to make jokes about it is just terribly unfortunate." (as cited in Trounson, 1998)

Netdex was forced to spend tens of thousands of dollars to repair the damage to its network, restore capability, and harden it against future attacks. Zane said the public needed to realize the damage wasn’t a prank and the teenagers were not geniuses. "We don't need bands of kids running around the Internet trying to smash things" (as cited in Richtell, 1998).

The U.S. Government’s Reaction

Because the attacks occurred during the buildup against Iraq and displayed an unquestionable international link, the U.S. Government suspected a connection to cyber-terrorists or a nation-state. The situation was so worrisome that Deputy Secretary Hamre visited Europe to discuss the intrusions and the threat, and to assist and seek help in securing systems across the North Atlantic Treaty Organization (Trounson, 1998). According to the Enterprise Systems Journal (ESJ, 1998), in February 1998 the FBI created the National Infrastructure Protection Center in direct response to the Tenenbaum attacks. The Center’s purpose was to report and investigate computer intrusions, with the ultimate goal of predicting, identifying, and trying to prevent attacks prior to their occurrence.

The FBI did not state a policy of pursuing young hackers but clearly was not averse to that message going out into the hacker communities. The FBI from that point forward would treat all such computer intrusions as crimes regardless of the age of the hacker (Richtell, 1998).

Cascade effects. In the nine years from 1984 through 1995, only two national laws focused on cyber-security were enacted in the United States:

  1. Computer Security Act of 1987, Pub. L. No. 100-235, 101 Stat. 1724 (Jan. 8, 1988), codified at various code sections.
  2. Computer Fraud and Abuse Act (CFAA) of 1986, Pub. L. No. 99-474, 100 Stat. 1213 (Oct. 16, 1986), codified at 18 U.S.C. 1030, amending Counterfeit Access Device and Computer Fraud and Abuse Act of 1984, Pub. L. No. 98-473, 98 Stat. 1837 (Oct. 12, 1984) (Vogl, n.d.).

Beginning in 1996, a flurry of legislation created the legal foundation for further protection of the Cyber Domain. In the six-year span from 1996 through 2002, the post-Tenenbaum years, cyber security became an urgent issue in the United States. With the probable exception of the USA Patriot Act (2001), enacted in response to 9/11, the number and the breadth of enacted laws show a strong reaction to and preparation against cyber threats. Along with Presidential Decision Directive 63 that drove much of the legislation, six new laws came into effect:

  1. Homeland Security Act of 2002, Pub. L. No. 107-296, 116 Stat. 2135 (Nov. 25, 2002), codified at various code sections (includes Cyber Security Enhancement Act of 2002, Pub. L. No. 107-296, 116 Stat. 2135 (Nov. 25, 2002), codified at 6 U.S.C. 145 and Critical Infrastructure Information Act of 2002, Pub. L. No. 107-296, 116 Stat. 2135 (Nov. 25, 2002)), codified at 6 U.S.C. 131 et seq.
  2. Cyber-Security Research and Development Act, Pub. L. No. 107-305, 116 Stat. 2367 (Nov. 27, 2002), codified at 15 U.S.C. 7401 et seq.
  3. Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT ACT) Act of 2001, Pub. L. No. 107-56, 115 Stat. 272 (Oct. 26, 2001), codified at various code sections (includes Critical Infrastructures Protection Act of 2001, Pub. L. No. 107-56, 115 Stat. 272 (Oct. 26, 2001), codified at 42 U.S.C. 5196c).
  4. No Electronic Theft (NET) Act of 1997, Pub. L. No. 105-147, 111 Stat. 2678 (Dec. 16, 1997), amending 17 U.S.C. 506(a).
  5. National Information Infrastructure Protection Act of 1996, Pub. L. No. 104-294, 110 Stat. 3488 (Oct. 11, 1996), codified at 18 U.S.C. 1030.[4]
  6. Economic Espionage Act of 1996, Pub. L. No. 104-294, 110 Stat. 3488 (Oct. 11, 1996), codified at 18 U.S.C. 1831 (passed as part of the National Information Infrastructure Protection Act of 1996) (Vogl, n.d.).

By 2003 the US Computer Emergency Response Team had delivered a computer program, EINSTEIN, to protect computer networks across the federal government. EINSTEIN-1 could identify a cyber-attack directed against essential government services. EINSTEIN-1 used rudimentary artificial intelligence to examine traffic and compare it to a baseline derived from all government traffic, searching for anomalies which could be evaluated by human operators (Gerth, Pike, Talbot, 2009).

If any agency reported an event, humans would analyze the potential attack and look for identical data across other agencies, determining if the attack was local or government-wide.

Analysis of Israel’s Prosecution

Within Israel there was discussion as to whether Tenenbaum could be prosecuted at all, the reasoning being that he had entered foreign computer systems and there was no statute against this within Israeli law. The public and immediate commendation by Prime Minister Netanyahu also served to minimize any penalties at the time. Israel seemed to inexplicably disregard the impact upon the U.S. Government and commerce, as well as Israel’s own Parliament. This raises the question as to whether Tenenbaum’s penalties were marginalized because he was indeed debriefed by the Mossad, the Shabak domestic security forces, and/or Israeli Defense Forces.

Israel’s security and intelligence forces are recognized as aggressive collectors against the U.S. Israel uses joint technology defense contracts, research and trade missions as platforms for their collection. U.S. counter-intelligence officers briefed members of the House Judiciary and Foreign Affairs committees that Jerusalem had “crossed red lines” and that industrial espionage currently is Israel’s main collection effort against the U.S. (Stein, 2014).

Were Tenenbaum to have been debriefed, it is unlikely that he would have been able to retain any information from the interrogation teams. Hacker cases in the U.S. are often plea bargained and result in the hacker being hired by the FBI in a white-hat, defensive hacker consultant role with a respectable salary. Tenenbaum was probably compelled to provide intelligence under duress using State security laws which remain secrets of the nation of Israel.

Should Tenenbaum have exfiltrated any data from U.S. systems, Israel certainly would have obtained a copy. Likewise, any remaining Trojan back doors would have been exploited by Tenenbaum, under Israel’s control. The software, tactics, techniques, and procedures also would have been collected and executed up to the time the access points were purged and patched.

Analysis and Conclusion

Analysis of Tenenbaum as a threat. While Tenenbaum’s activities as a cyber-finance criminal were serious and resulted in international prosecution, it was his first known activity at the age of 19 that drew the particular attention and the disdain of the U.S. Government and resulted in sweeping changes in the way the United States to this day looks at cyber-security and critical infrastructure protection.

After the attack the FBI made a short, 18-minute training video called Solar Sunrise: Dawn of a New Threat, which was sold as part of a hacker defense course [7] that was discontinued in September 2004.[9]

[1] The exact amount, either in shekels or USD, was not specified.

[2] Military service is mandatory for Israeli citizens upon reaching 18 years of age. Up to 50% manage to avoid service by various means. Apprehension for minor crimes is often the impetus for service.

[3] It is likely that his military service was actually a catch-and-release debriefing by the IDF, as Tenenbaum had also attempted to penetrate classified IDF systems.

[4] Impetus for the National Information Infrastructure Protection Center created in 1998.