04-17-88 2103 EDT

WEST GERMAN SECRETLY GAINS ACCESS TO U.S. MILITARY COMPUTERS

By JOHN MARKOFF
c.1988 N.Y. Times News Service

NEW YORK - For almost two years, a West German citizen used global communications networks to secretly gain access to more than 30 computers belonging to the United States military and military contractors, according to computer security experts.

The intruder, whose identity and motives remain uncertain, methodically searched for data related to nuclear weapons, intelligence satellites, the Strategic Defense Initiative, the space shuttle, and the North American Air Defense Command.

The computer security experts said that the intruder did not gain access to any classified information, nor did he successfully break into what government officials call a ''secure'' government computer where classified information was stored.

The computer security experts are alarmed because of the systematic and widespread nature of the break-ins. They said there was evidence that the West German intruder had tried to gain access to a total of 450 computers.

The episode raises the possibility that the intruder may have been able to assemble classified data by piecing together material that was sensitive but unclassified. The Reagan administration has been concerned that foreign intelligence agents could piece together classified information by assembling a ''mosaic'' of computerized data.

''This kind of penetration could clearly have been used for espionage,'' said Peter G. Neumann, a computer security expert who is familiar with the case. He works at SRI International, a non-profit research center in Menlo Park, Calif.

''I think most of the attacks before this have been relatively benign on a global scale,'' Neumann said. ''This one is much more insidious.''

A spokesman for the Federal Bureau of Investigation in Washington confirmed on Sunday that the intrusions were investigated, but he declined to comment further.

Last week, an article in a West German weekly magazine, Quick, detailed the case, identifying the intruder as Mathias Speer, 24, a computer science student in the city of Hanover. FBI officials, however, would not confirm the identity.

The intrusions may have occurred for as long as a year before being discovered by computer managers at the Lawrence Berkeley Laboratory, in Berkeley, Calif., one of the United States' national research laboratories.

The laboratory, the site of broad-based unclassified scientific research, is a sister to the Lawrence Livermore Laboratory, in nearby Livermore, which is heavily involved in research on secret nuclear weapons and the Strategic Defense Initiative, or SDI. The laboratories are operated by the University of California for the federal government.

Rather than taking steps to deny further computer access to the intruder, the Lawrence Berkeley security experts - working with other government computer security personnel - organized a system to monitor the intrusions.

At one point, to trace the intruder, the Lawrence Berkeley officials offered false but seemingly classified information as part of an electronic sting operation. The intruder loaded that information into his computer in West Germany, staying on line long enough for authorities in the United States and West Germany to trace him.

Later, as part of the same operation, an apparent accomplice based in the United States appeared to become involved. The identity of the American citizen was not divulged by the Lawrence Berkeley officials or by the FBI. He is believed to have been questioned by the FBI in June 1987, about the same time that the West German was detained and questioned by authorities there. The electronic break-ins ended about the same time.

''We knew the key words he was looking for when he read electronic mail on our computers,'' said Dr. Clifford Stoll, the computer systems manager at Lawrence Berkeley who initially discovered the break-ins in August 1986 and monitored them for approximately 12 months. ''He searched all of the files at LBL for the word 'nuclear.' Then he started looking for 'Star Wars' and SDI. We realized that he had us confused with Lawrence Livermore.''

Not long after the intrusions were discovered, the Lawrence Berkeley computer managers considered that the intrusions might be a prank, perpetrated by a sophisticated computer enthusiast, or ''hacker.'' Stoll said that, after watching the intrusions for several months, he became convinced that they were more than that.

The break-ins parallel another set of incidents last year in which a group of West German computer enthusiasts, called the Chaos Computer Club, broke into several international computer networks of the National Aeronautics and Space Administration and rummaged freely among the data for at least three months before being discovered. However, the computer managers at Lawrence Berkeley said they believed that the West German intruder was not associated with the Chaos group.

Stoll, who is also an astronomer, has written an article about the incident that is scheduled for publication next month in the technical journal Communications of the Association of Computing Machinery. Lawrence Berkeley has also scheduled a news conference on Tuesday to discuss the intrusions.

According to the Lawrence Berkeley officials, the yearlong investigation involved the FBI and security experts from the Air Force and the Army, as well as private security investigators. Under West German law, not enough evidence was obtained for prosecution, the Lawrence Berkeley officials said.

According to Stoll, the West German compromised the military computers by taking advantage of security loopholes in several different operating systems, the software programs that manage data in a computer.
On computers operating under the Unix system, he frequently used a loophole to give himself ''superuser'' status, which allowed him to read and alter all material stored in the computer.

The intrusions involved a variety of U.S. military computer systems in this country, Europe, and Japan. The Lawrence Berkeley Laboratory became a starting point for connecting to two unclassified military networks, known as Milnet and Arpanet. They link computers at military bases and military contractors.

At one computer at the Naval Coastal Systems Command, in Panama City, Fla., the intruder transferred to a computer in West Germany an encrypted file containing user passwords. The intruder broke some of the codes and called back to search through files protected by the passwords.

The intruder also gained access to computers at the Army's Fort Buckner base in Japan and at the Anniston Army Depot, a supply base for the Army's Redstone Arsenal, in Huntsville, Ala.

At the Air Force Systems Command, in El Segundo, Calif., the intruder managed to attain the status of system manager. ''I watched as he scanned all of their SDI references and the usual pile of things and then started printing out information on the space shuttle,'' said Stoll. ''The Air Force later told me it was not classified information.''

Other systems entered included military computers in San Diego, the Pentagon's Optimus data base, and a computer at NASA's Jet Propulsion Laboratory, in Pasadena, Calif.

The officials at the Lawrence Berkeley Laboratory said that they monitored attempted intrusions into a total of 450 military computers.

''Basically, he was walking down the street twisting the doorknob of each house,'' Stoll said. ''He wouldn't push hard, but then he would go around and do the electronic equivalent of trying the back door and the side windows. If they didn't budge, he would go to the next house on the street.''

Shortly after discovering the intrusions, Stoll, aided first by City of Berkeley officials and later by federal law-enforcement officers, began trying to trace their origin. They were traced to a computer at a U.S. military contractor in McLean, Va., near Washington. The Lawrence Berkeley officials declined to identify the company.

They then discovered that the intruder was dialing from Hanover to a university computer in Bremen, West Germany. That computer was used to connect to machines in the United States.

The intruder's location was masked by dialing into the military contractor's computer in Virginia and then using that computer's capability to call other computers around the country, including those at Lawrence Berkeley. The Lawrence Berkeley computer was used to connect to the military networks - Arpanet and Milnet - to gain access to the military installations.

In tracing the intruder, the security investigators created an automatic alarm system. Stoll wrote a computer program that would dial his pager whenever the West German gained access to the computer at Lawrence Berkeley. The pager automatically called a security official from the Tymnet McDonnell-Douglas Network Systems Co., a computer network company based in San Jose, Calif. The Tymnet official then notified West German law enforcement officials.

But the investigators traced the calls back to Hanover, where it took as long as 30 minutes to set up a trace because of antiquated equipment. The intruder's calls generally lasted no longer than five minutes.

In January of 1987, the security managers at Lawrence Berkeley created an electronic sting operation using a large file of fictitious, seemingly secret information. The file contained a reference to an address at the Berkeley laboratory where further information related to the Strategic Defense Initiative could be obtained.
Once the file was discovered, the intruder remained connected to the Lawrence Berkeley computer for more than an hour.

Three months later, according to the Lawrence Berkeley officials, a letter was mailed from a United States citizen living in the Northeast to the address given by the lab, inquiring about the false SDI information. The letter was given to the FBI.

nyt-04-17-88 2157edt