RISKS-LIST: RISKS-FORUM Digest  Sunday 24 April 1988  Volume 6 : Issue 68

        FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents: [By request: Special issue on LBL and Cliff Stoll for those in the outback]
  Lawrence Berkeley Lab computer break-ins (John Markoff)
  Cops Catch Clumsy Computer ``Criminal'' (Curtis C. Galloway)
  Cliff's Little Black Book (Joseph M. Beckman)

The RISKS Forum is moderated.  Contributions should be relevant, sound, in good
taste, objective, coherent, concise, nonrepetitious.  Diversity is welcome.
Contributions to RISKS@CSL.SRI.COM, Requests to RISKS-Request@CSL.SRI.COM.
For Vol i issue j, ftp kl.sri.com, get stripe:risks-i.j ... .
Volume summaries in (i, max j) = (1,46),(2,57),(3,92),(4,97),(5,85).

----------------------------------------------------------------------

Date: Thu 21 Apr 88 23:17:11-PDT
From: Peter G. Neumann
Subject: Lawrence Berkeley Lab computer break-ins

[For those who missed it, there was a terrific flurry of news on this subject
in the press throughout the week.  Here are two of the highlights.  I have not
tried to edit out the redundancy in the Pittsburgh article that follows.]

04-17-88 2103 EDT
WEST GERMAN SECRETLY GAINS ACCESS TO U.S. MILITARY COMPUTERS
By JOHN MARKOFF
c.1988 N.Y. Times News Service

NEW YORK - For almost two years, a West German citizen used global communications networks to secretly gain access to more than 30 computers belonging to the United States military and military contractors, according to computer security experts.

The intruder, whose identity and motives remain uncertain, methodically searched for data related to nuclear weapons, intelligence satellites, the Strategic Defense Initiative, the space shuttle, and the North American Air Defense Command.
The computer security experts said that the intruder did not gain access to any classified information, nor did he successfully break into what government officials call a ''secure'' government computer where classified information was stored.

The computer security experts are alarmed because of the systematic and widespread nature of the break-ins. They said there was evidence that the West German intruder had tried to gain access to a total of 450 computers.

The episode raises the possibility that the intruder may have been able to assemble classified data by piecing together material that was sensitive but unclassified. The Reagan administration has been concerned that foreign intelligence agents could piece together classified information by assembling a ''mosaic'' of computerized data.

''This kind of penetration could clearly have been used for espionage,'' said Peter G. Neumann, a computer security expert who is familiar with the case. He works at SRI International, a non-profit research center in Menlo Park, Calif.

''I think most of the attacks before this have been relatively benign on a global scale,'' Neumann said. ''This one is much more insidious.''

A spokesman for the Federal Bureau of Investigation in Washington confirmed on Sunday that the intrusions were investigated, but he declined to comment further.

Last week, an article in a West German weekly magazine, Quick, detailed the case, identifying the intruder as Mathias Speer, 24, a computer science student in the city of Hanover. FBI officials, however, would not confirm the identity.

The intrusions may have occurred for as long as a year before being discovered by computer managers at the Lawrence Berkeley Laboratory, in Berkeley, Calif., one of the United States' national research laboratories.
The laboratory, the site of broad-based unclassified scientific research, is a sister to the Lawrence Livermore Laboratory, in nearby Livermore, which is heavily involved in research on secret nuclear weapons and the Strategic Defense Initiative, or SDI. The laboratories are operated by the University of California for the federal government.

Rather than taking steps to deny further computer access to the intruder, the Lawrence Berkeley security experts - working with other government computer security personnel - organized a system to monitor the intrusions.

At one point, to trace the intruder, the Lawrence Berkeley officials offered false but seemingly classified information as part of an electronic sting operation. The intruder loaded that information into his computer in West Germany, staying on line long enough for authorities in the United States and West Germany to trace him.

Later, as part of the same operation, an apparent accomplice based in the United States appeared to become involved. The identity of the American citizen was not divulged by the Lawrence Berkeley officials or by the FBI. He is believed to have been questioned by the FBI in June 1987, about the same time that the West German was detained and questioned by authorities there. The electronic break-ins ended about the same time.

''We knew the key words he was looking for when he read electronic mail on our computers,'' said Dr. Clifford Stoll, the computer systems manager at Lawrence Berkeley who initially discovered the break-ins in August 1986 and monitored them for approximately 12 months. ''He searched all of the files at LBL for the word 'nuclear.' Then he started looking for 'Star Wars' and SDI.
We realized that he had us confused with Lawrence Livermore.''

Not long after the intrusions were discovered, the Lawrence Berkeley computer managers considered that the intrusions might be a prank, perpetrated by a sophisticated computer enthusiast, or ''hacker.'' Stoll said that, after watching the intrusions for several months, he became convinced that they were more than that.

The break-ins parallel another set of incidents last year in which a group of West German computer enthusiasts, called the Chaos Computer Club, broke into several international computer networks of the National Aeronautics and Space Administration and rummaged freely among the data for at least three months before being discovered. However, the computer managers at Lawrence Berkeley said they believed that the West German intruder was not associated with the Chaos group.

Stoll, who is also an astronomer, has written an article about the incident that is scheduled for publication next month in the technical journal Communications of the Association of Computing Machinery. Lawrence Berkeley has also scheduled a news conference on Tuesday to discuss the intrusions.

According to the Lawrence Berkeley officials, the yearlong investigation involved the FBI and security experts from the Air Force and the Army, as well as private security investigators. Under West German law, not enough evidence was obtained for prosecution, the Lawrence Berkeley officials said.

According to Stoll, the West German compromised the military computers by taking advantage of security loopholes in several different operating systems, the software programs that manage data in a computer. On computers operating under the Unix system, he frequently used a loophole to give himself ''superuser'' status, which allowed him to read and alter all material stored in the computer. The intrusions involved a variety of U.S. military computer systems in this country, Europe, and Japan.
The Lawrence Berkeley Laboratory became a starting point for connecting to two unclassified military networks, known as Milnet and Arpanet. They link computers at military bases and military contractors.

At one computer at the Naval Coastal Systems Command, in Panama City, Fla., the intruder transferred to a computer in West Germany an encrypted file containing user passwords. The intruder broke some of the codes and called back to search through files protected by the passwords.

The intruder also gained access to computers at the Army's Fort Buckner base in Japan and at the Anniston Army Depot, a supply base for the Army's Redstone Arsenal, in Huntsville, Ala.

At the Air Force Systems Command, in El Segundo, Calif., the intruder managed to attain the status of system manager. ''I watched as he scanned all of their SDI references and the usual pile of things and then started printing out information on the space shuttle,'' said Stoll. ''The Air Force later told me it was not classified information.''

Other systems entered included military computers in San Diego, the Pentagon's Optimus data base, and a computer at NASA's Jet Propulsion Laboratory, in Pasadena, Calif.

The officials at the Lawrence Berkeley Laboratory said that they monitored attempted intrusions into a total of 450 military computers.

''Basically, he was walking down the street twisting the doorknob of each house,'' Stoll said. ''He wouldn't push hard, but then he would go around and do the electronic equivalent of trying the back door and the side windows. If they didn't budge, he would go to the next house on the street.''

Shortly after discovering the intrusions, Stoll, aided first by City of Berkeley officials and later by federal law-enforcement officers, began trying to trace their origin. They were traced to a computer at a U.S. military contractor in McLean, Va., near Washington. The Lawrence Berkeley officials declined to identify the company.
They then discovered that the intruder was dialing from Hanover to a university computer in Bremen, West Germany. That computer was used to connect to machines in the United States. The intruder's location was masked by dialing into the military contractor's computer in Virginia and then using that computer's capability to call other computers around the country, including those at Lawrence Berkeley. The Lawrence Berkeley computer was used to connect to the military networks - Arpanet and Milnet - to gain access to the military installations.

In tracing the intruder, the security investigators created an automatic alarm system. Stoll wrote a computer program that would dial his pager whenever the West German gained access to the computer at Lawrence Berkeley. The pager automatically called a security official from the Tymnet McDonnell-Douglas Network Systems Co., a computer network company based in San Jose, Calif. The Tymnet official then notified West German law enforcement officials.

But the investigators traced the calls back to Hanover, where it took as long as 30 minutes to set up a trace because of antiquated equipment. The intruder's calls generally lasted no longer than five minutes.

In January of 1987, the security managers at Lawrence Berkeley created an electronic sting operation using a large file of fictitious, seemingly secret information. The file contained a reference to an address at the Berkeley laboratory where further information related to the Strategic Defense Initiative could be obtained. Once the file was discovered, the intruder remained connected to the Lawrence Berkeley computer for more than an hour.

Three months later, according to the Lawrence Berkeley officials, a letter was mailed from a United States citizen living in the Northeast to the address given by the lab, inquiring about the false SDI information. The letter was given to the FBI.
nyt-04-17-88 2157edt

------------------------------

Date: Sun, 24 Apr 88 15:23:02 -0400 (EDT)
From: "Curtis C. Galloway"
Subject: Cops Catch Clumsy Computer ``Criminal''

From the Pittsburgh Post-Gazette, 24 April 1988, by Roger Stuart.  (Used without permission)

SOUTH PARK MAN CAUGHT IN U.S. TRAP LEAVES TRAIL CLOUDED IN MYSTERY

A South Park man who was stung seeking bogus computer-stored information about U.S. military secrets has a long history of mysterious associations, ranging from foreign intrigue to local garbage.

As with past incidents, authorities don't know -- or won't say -- what Laszlo J. Balogh was up to this time when his name surfaced in a sting that caught a West German computer hacker who repeatedly gained access to classified military files.

As with past exploits, Balogh, 43, emerged again as part-clever and part-klutzy. Although he has claimed extensive foreign government contacts and driven expensive foreign cars, he once testified that he had difficulty recording an undercover conversation for the FBI because the recorder kept slipping beneath his sweat suit.

In the past, Balogh has billed himself as a Hungarian refugee; a draftsman; a credit corporation employee; a trucking company owner; a diamond dealer; a world traveler; a bodyguard for Kuwaiti princesses; a CIA hit man; and an FBI informant.

But longtime neighbors on Ventura Drive said they had no clear picture of Balogh's activities because he is "quiet," "keeps to himself" and is "often gone for weeks at a time."

...Balogh in 1978 was an officer in a now-defunct company when another company official was accused of giving Penn Hills officials a forged check drawn on a non-existent bank. The check was to be used as security in an unsuccessful effort to obtain a garbage-hauling contract.

... Balogh also was involved in a Pittsburgh trucking firm that filed for bankruptcy in 1980.
His name surfaced again last week in connection with Marcus Hess, identified by The San Francisco Examiner as the West German computer student who broke access codes to snoop into U.S. military files a half-world away in Berkeley, Calif.

Earlier, a West German weekly magazine, Quick, identified the computer intruder as Mathias Speer, 24. Clifford Stoll, a researcher at the Berkeley Laboratory, and Leroy Kerth, a Lawrence Berkeley Laboratory director who oversaw the investigation, said that name may have been a pseudonym.

In this case, Balogh, in what investigators believe was an attempt to get more information about confidential military files, took the bait investigators dangled in the hopes of learning who was gaining illegal access to the computer system.

Having discovered that an intruder had been reading their computer records, officials at the U.S. Department of Energy's Lawrence Berkeley Laboratory planted a fictitious file to bait the hacker's interest. The purpose was to keep the hacker on the line long enough for authorities to trace his phone call. The hacker tapped into the computer using a telephone and computer modem.

In the event that the call couldn't be traced, authorities also included in the fictitious file an address for the snooper to write for additional information.

Berkeley officials thought they had solved their security problem in January 1987, when West German officials were able to trace the phone call to a computer student in Hanover. They were surprised four months later when they received a letter from Balogh, who requested the information offered in the fictitious file.

...Although caught, the West German student has not been charged with any crime. The extent of Balogh's involvement has not been revealed. The FBI isn't saying what, if anything, it knows about Balogh, who in 1983 served them as an informant and government witness.
[More about Balogh's involvement in schemes to steal $38,000 in diamonds, secure garbage-hauling contracts with a phony check, and steal computer equipment to sell to the Soviets.]

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Curt Galloway
UUCP: ...!{seismo, ucbvax, harvard}!andrew.cmu.edu!cg13+

------------------------------

Date: Mon, 18 Apr 88 18:52 EDT
From: "Joseph M. Beckman"
Subject: Cliff's Little Black Book

I have heard Mr. Stoll talk several times on the "Phantom of the ARPANET" [RISKS-6.63] and the lessons learned by LBL. One point he made with great elan (at the last NCSC/NBS Nat'l Computer Security Conference) was that it is essential to write actions and responses down in a 'laboratory' book. However, it is quite obvious (as he has found out) that there are RISKs to doing so!

Joseph

------------------------------

End of RISKS-FORUM Digest
************************
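The monitoring scheme the Markoff article describes (page on every login by the intruder's accounts, then keep him on the line with a bait file until a trace completes) is easy to state but worth seeing as code. The block below is an added example written for this page; it is not code from the digest, the Times article, Stoll or LBL. The log format, the account names, the bait-file path and every log line are constructed for the example, and the 30-minute figure is the trace set-up time the article reports for Hanover.

```python
"""
Toy replay of Stoll-style intrusion monitoring over constructed login records.
Added example; not LBL's code.  Account names, log format and bait path are
assumptions made for this illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import datetime

WATCHED_ACCOUNTS = {"guest"}         # assumed: accounts the intruder has used before
BAIT_FILE = "/u/sdinet/overview"     # assumed path of the planted fictitious SDI file
TRACE_SECONDS = 30 * 60              # article: up to 30 minutes to set up a trace in Hanover

# Constructed sample log: login / open / logout records with key=value attributes.
LOG = """\
1987-01-15 02:11:07 login user=guest tty=ttyp3 src=tymnet
1987-01-15 02:11:52 open user=guest path=/etc/passwd
1987-01-15 02:15:40 logout user=guest tty=ttyp3
1987-01-15 09:03:10 login user=alice tty=ttyp1 src=local
1987-01-15 09:04:00 open user=alice path=/u/alice/notes
1987-01-15 09:20:31 logout user=alice tty=ttyp1
1987-01-16 03:40:02 login user=guest tty=ttyp5 src=tymnet
1987-01-16 03:41:19 open user=guest path=/u/sdinet/overview
1987-01-16 04:52:30 logout user=guest tty=ttyp5
1987-01-17 11:02:44 login user=bob tty=ttyp2 src=local
1987-01-17 11:03:05 open user=bob path=/u/sdinet/overview
"""

LINE = re.compile(r"^(\S+ \S+) (login|open|logout) user=(\S+)\s*(.*)$")


@dataclass
class Session:
    user: str
    start: datetime
    end: datetime | None = None
    files: list[str] = field(default_factory=list)

    @property
    def seconds(self) -> int | None:
        """Connected time in whole seconds, or None if still logged in."""
        return None if self.end is None else int((self.end - self.start).total_seconds())


def parse(log_text: str):
    """Yield (timestamp, event, user, attrs) for each well-formed log line."""
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue                      # ignore lines that do not fit the format
        ts, event, user, rest = m.groups()
        attrs = dict(kv.split("=", 1) for kv in rest.split())
        yield datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), event, user, attrs


def summarise(s: Session, watched: set[str], bait: str) -> list[dict]:
    """One alert record for a suspicious session; empty list for a benign one."""
    bait_hit = bait in s.files
    if s.user not in watched and not bait_hit:
        return []
    return [{
        "user": s.user,
        "start": s.start.strftime("%Y-%m-%d %H:%M:%S"),
        "seconds": s.seconds,
        "bait_hit": bait_hit,
        # Only a session that outlasts the trace set-up time can be traced.
        "traceable": s.seconds is not None and s.seconds >= TRACE_SECONDS,
    }]


def monitor(log_text: str, watched=WATCHED_ACCOUNTS, bait=BAIT_FILE):
    """Return (pages, alerts).

    pages:  messages that would go to the pager, in order.  They fire at the
            login (and at the bait read), not at logout: the trace has to start
            while the intruder is still connected.
    alerts: one summary per suspicious session, in the order sessions ended.
    """
    pages, alerts, live = [], [], {}
    for ts, event, user, attrs in parse(log_text):
        stamp = ts.strftime("%Y-%m-%d %H:%M:%S")
        if event == "login":
            live[user] = Session(user, ts)
            if user in watched:
                pages.append(f"{stamp} PAGE: watched account {user} logged in")
        elif event == "open" and user in live:
            path = attrs.get("path", "")
            live[user].files.append(path)
            if path == bait:              # any account touching the bait is interesting
                pages.append(f"{stamp} PAGE: {user} read bait file {bait}")
        elif event == "logout" and user in live:
            s = live.pop(user)
            s.end = ts
            alerts.extend(summarise(s, watched, bait))
    for s in live.values():               # sessions still open at end of log
        alerts.extend(summarise(s, watched, bait))
    return pages, alerts


if __name__ == "__main__":
    pages, alerts = monitor(LOG)
    print("\n".join(pages))
    for a in alerts:
        print(a)
```

Two things the replay makes concrete. The first guest session lasts 273 seconds, which matches the article's "no longer than five minutes" and is far short of the 30 minutes a trace needed, so paging alone would never have been enough; the second session, the one that reads the bait file, runs over an hour and is traceable. The bait check is deliberately independent of the watched-account list: a file that nobody has a legitimate reason to read is a detector in its own right, which is why the planted address caught a second party the account list knew nothing about.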