💾 Archived View for gemini.spam.works › mirrors › textfiles › hacking › stoll.doc captured on 2023-01-29 at 07:57:51.
⬅️ Previous capture (2021-12-04)
-=-=-=-=-=-=-
I grabbed these philes of a CD-ROM disk, hope you enjoy, they are interresting. BTW, Cliff's # is 1-617-495-7149. Hehehe! L8r dudes, Chamelion Journal: PC-Computing Oct 1989 v2 n10 p114(9) Title: The Cuckoo's egg. (tracing a hacker) (part 2) Author: Stoll, Clifford. Summary: When Astronomer Clifford Stoll discovered a subtle breach into the computer system at the Lawrence Berkeley Labs, Stoll knew he might be dealing with something big. The hacker was apparently after information with national security implications. Stoll set out to find and trap the hacker. Here, in Part 2 of his story, Stoll follows the trail to West Germany, closing in on the invader. Full Text: THE STORY SO FAR : Whoever had stolen into the computer system at the Lawrence Berkeley Labs was after something big. This hacker scanned for military secrets, and Clifford Stoll knew he might well be a spy working for a foreign power. Astronomer Stoll set out to snare the invader. The trail began with 75 cents' worth of computing time left unaccounted for. Stoll quickly discovered that the hacker was entering via the international communications company Tymnet-he could be coming from anywhere in the world. The hacker's dabblings in the LBL computer left other bread crumbs-his mission was to find information about nuclear arms and SDI. Stoll assembled a posse to catch his hacker. They trailed him as he breached the Milnet, a network that links military computers. The hacker tapped into CIA and National Security Agency systems, and meandered through files at the Anniston army base and the Navy Research Labs. Stoll and company tracked his progress by tracing his connections and phone calls. The mystery man entered Tymnet over an ITT line, they found, one that came through a communications satellite over the Atlantic-he was in Europe. Probing deeper, they learned that the hacker was using the German Datex network, and they solicited the help of the Bundespost, the German national post office, to draw the net tighter. PART II Curious whether other people might have a similar problem with a hacker, I spent a few hours one early December day searching bulletin boards on the Usenet network for news about hackers and found one note from Toronto. I called the author on the phone-I didn't trust electronic mail. Bob Orr, the manager of the University of Toronto's physics computers, told a familiar story. "Some hackers from Germany have invaded our system, changing programs and damaging our operating system." "How'd they get in?" "We collaborate with the Swiss physics lab, CERN. And a group of German hackers called the Chaos Club has thoroughly walked through their computers. They probably stole passwords to our system and linked directly to us." As an aside, Bob mentioned that the Chaos Club might have gotten into the US Fermilab computer as well. "One guy uses the pseudonym Hagbard," he told me. "Another, Pengo. I don't know their real names." Next I called Stanford and asked one of their system managers, Dan Kolkowitz, if he'd heard anything from Germany. "Come to think of it, someone broke in a few months ago. I monitored what he did and have a listing of him." Dan read the listing over the phone. Some hacker with the nom-de-guerre of Hagbard was sending a file of passwords to some hackers named Zombie and Pengo. Hagbard and Pengo again. I wrote them in my logbook. One good thing was happening. One by one, I was making contact with other people who were losing sleep and slugging down Maalox over the same troubles that obsessed me. It was comforting to learn that I wasn't completely alone. A few days later, I received a call telling me that the German Bundespost had determined that the hacker came from the University of Bremen. Soon they found the account he was using to connect across the Atlantic. They set a trap on that account: the next time someone used it, they'd trace the can. The Germans weren't sining around. The university would monitor the suspicious account, and the Bundespost would keep track of the network activity. More and more mouseholes were being watched. Friday, December 19, 1986, at 1:38 p.m., the hacker showed up again. Stayed around for two hours, fishing on the Milnet. A pleasant Friday afternoon, trying to guess passwords to the Strategic Air Command, the European Milnet Gateway, the West Point Geography Department, and 70 other assorted military computers. I phoned Steve White at Tymnet. "The hacker's on our computer. Tymnet's logical port number 14." "OK," Steve said. The usual keyboard clatter in the background. Twenty seconds elapsed, and he called"Got it!" Steve had traced a connection from California to Germany in less than a minute. "He's not coming from Bremen," he told me. "Today, he's dialing into Hannover." "So where is he? In Bremen or Hannover?" "Wolfgang Hoffman, the Datex network manager in Germany, doesn't know. For all we know he could be in Paris, calling long distance." Yesterday it was Bremen. Today Hannover. Where would he hide tomorrow? The hacker, I discovered, didn't take holidays; he even logged in on New Year's Day. His hacker's celebration was saved on my printers. I scribbled notes on the printouts, next to his: WELCOME TO THE ARMY OPTIMIS DATABASE PLEASE ENTER A WORD OR 'EXIT'. / SDI Looking for SDI dope THE WORD "SDI" WAS NOT FOUND. But there's none there PLEASE ENTER A WORD OR 'EXIT'. / STEALTH Any word on the Stealth bomber? THE WORD "STEALTH" WAS NOT FOUND. No such luck PLEASE ENTER A WORD OR 'EXIT'. / SAC Strategic Air Command? THE WORD "SAC" WAS NOT FOUND. Nope PLEASE ENTER A WORD OR 'EXIT'. / NUCLEAR THANK YOU. I HAVE FOUND 29 DOCUMENT(S) CONTAINING THE PHRASE 'NUCLEAR'. ITEM* MARKS* TITLE 1 20-lF IG INSPECTIONS (HEADQUARTERS, DEPART MENT OF THE ARMY) 2 50A NUCLEAR, CHEMICAL, AND BIOLOGICAL NATION AL SECURITY AFFAIRS 3 50B NUCLEAR, CHEMICAL, AND BIOLOGICAL WAR FARE ARMS CONTROLS 4 50D NUCLEAR AND CHEMICAL STRATEGY FORMULATIONS 5 50E NUCLEAR AND CHEMICAL POLITICO-MILITARY AFFAIRS 6 5OF NUCLEAR AND CHEMICAL REQUIREMENTS 7 5OG NUCLEAR AND CHEMICAL CAPABILITIES 8 50H THEATER NUCLEAR FORCE STRUCTURE DEVELOPMENTS 9 501 NUCLEAR AND CHEMICAL WARFARE BUDGET FORMULATIONS 10 50J NUCLEAR AND CHEMICAL PROGRESS AND STA TISTICAL REPORTS 11 50K ARMY NUCLEAR, CHEMICAL, AND BIOLOGICAL DEFENSE PROGRAM 12 50M NUCLEAR AND CHEMICAL COST ANALYSES 13 5ON NUCLEAR, CHEMICAL WARFARE, AND BIOLOGI CAL DEFENSE SCIENTIFIC AND TECHNICAL INFORMATION 14 50P NUCLEAR COMMAND AND CONTROL COMMUNICATIONS 15 50Q CHEMICAL AND NUCLEAR DEMILITARIZATIONS 16 5OR CHEMICAL AND NUCLEAR PLANS 17 50-5A NUCLEAR ACCIDENT/INCIDENT CONTROLS 18 50-5B NUCLEAR MANPOWER ALLOCATIONS 19 50-5C NUCLEAR SURETY FILES 20 50-5D NUCLEAR SITE RESTORATIONS 21 50,5-lA NUCLEAR SITE UPGRADING FILES 22 50-115A NUCLEAR SAFETY FILES 23 55-355FRTD DOMESTIC SHIPMENT CONTROLS 24 200-IC HAZARDOUS MATERIAL MANAGEMENT FILES 25 385-11K RADIATION INCIDENT CASES 26 385-11M RADIOACTIVE MATERIAL LICENSING 27 385-40C RADIATION INCIDENT CASES 28 700-65A INTERNATIONAL NUCLEAR LOGISTICS FILES 29 1125-2-300A PLANT DATA And he wasn't satisfied with the titles to these documents-he dumped all 29 over the line printer. Page after page was filled with army doubletalk. At one point, my printer jammed. The old DECwriter had paid its dues for the past ten years and now needed an adjustment with a sledgehammer. Damn. Right where the hacker had listed the army's plans for nuclear bombs in the central European theater, there was only an ink blot. Around noon on Sunday, January 4, my beeper sounded. I jumped for the computer, checked that the hacker was around, then called Steve White. Within a minute, he'd started the trace. The hacker tried the Air Force Systems Command, Space Division, and managed to log in as Field Service: not as an ordinary user but as one with a completely privileged account. His first command was to show what privileges he'd garnered. The air force computer responded automatically: System Privilege, and a slew of other rights, including the ability to read, write, or erase any file on the system. He was even authorized to run security audits on the air force computer. I could imagine him sitting behind his terminal in Germany, staring in disbelief at the screen. He didn't just have free run of the Space Command's computer; he controlled it. Confident that he was undetected, he probed nearby computers. In a moment, he'd discovered four on the air force network and a pathway to connect to others. From his high ground, none of these were hidden from him; if their passwords weren't guessable, he could steal them by setting up Trojan horses. This wasn't a little desktop computer he'd broken into. He found thousands of files on the system, and hundreds of users. He commanded the air force computer to list the names of all its files; it went merrily along typing out names like "Laser-design-plans" and "Shuttlelaunch-manifest." But he didn't know how to shut off the spigot. For two hours, it poured a Niagara of information onto his terminal. Finally, at 2:30, he hung up. While the hacker stepped through the air force computer, Steve White traced Tymnet's lines. I asked Steve for the details. "I checked with Wolfgang Hoffman at the Bundespost. Your visitor is coming from Karlsruhe today. The University of Karlsruhe." My hacker was moving around. Or maybe he was staying in one place, playing a shell game with the telephone system. Perhaps he was a student, visiting different campuses and showing off to his friends. Was I certain that there was only one hacker-or was I watching several people? Two days later, the hacker was back. He went straight over thc Milnet to the Air Force Space Division. I watched him log in as Field Service. He didn't waste a minute. He went straight to the authorization software, searched for an old, unused account, and modified it, giving it system privileges and a new password: AFHACK. AFHACK-what arrogance. He's thumbing his nose at the United States Air Force. From now on, he didn't need the field service account. Disguised as an officer in the air force, he had unlimited access to the Space Division's computer. A call to Steve White started a trace rolling. Within five minutes, he'd traced the connection to Hannover and called the Bundespost. A few minutes of silence then: "Cliff does the con nection look like it will be a long one?" "I can't tell, but I think so," I said. "OK." Steve was on another telephone; I could hear only an occasional shout. In a minute, Steve returned to my fine. "Wolfgang is tracing the call in Hannover. It's a local call. They're going to try to trace it all the way." Here's news! A local call in Hannover meant that the hacker was somewhere in Hannover. Steve shouted instructions from Wolfgang: "Whatever you do, don't disconnect the hacker. Keep him on the line if you can!" But he's rifling files at the air force base. It was like letting a burglar rob your home while you watched. He went for operational plans. Documents describing air force payloads for the space shuttle. Test results from satellite detection systems. SDI research proposals. A description of an astronaut-operated camera system. Tymnet came back on the I'm sorry, Cliff, but the trace in Germany is stymied." "Can't they trace the call?" "Well, the hacker's line comes from Hannover, all right," Steve replied. "But Hannover's phone fines connect through mechanical switches-noisy, complicated widgets-and these can be traced only by people, not by computers." Another opportunity lost. I cut off the hacker's connection so that he couldn't do more harm. Later, Steve White explained that American telephones are computer controlled, so it's pretty easy to trace them. But in Germany they need someone at the Hannover exchange to trace the call. "So we can't trace him unless the hacker calls during the day or evening?" I asked. "Worse than that. It'll take an hour or two to make the trace once it's started." Lately, the hacker had been showing up for five minutes at a time. Long enough to wake me up, but hardly enough for a two-hour trace. How could I keep him on for a couple of hours? The answer, I realized, was disarmingly simplegive him what he wants: all the classified data, all the top-secret information he could gather. Not for real, of course. Instead, I'd create a phony database. Its documents would describe a new Star Wars project. An outsider reading them would believe that Lawrence Berkeley Laboratories had just landed a fat government contract to manage a new computer network. The SDI Network. This bogus network, which would apparently link together scores of classified computers,would extend to military bases around the world. By reading the files, you'd find lieutenants and colonels, scientists and engineers. Here and there, I would drop hints of meetings and classified reports. And I invented Barbara Sherwin, the sweet, bumbling secretary trying to figure out her new word processor and keep track of the endless stream of documents produced by our newly invented "Strategic Defense Initiative Network Office." My snare was baited. If the hacker bit, he'd take two hours to swallow the bait. Long enough for the Germans to track him down. The next move was the hacker's. My beeper sounded at 5:14 p.m., Friday, January 16. There's the hacker. It didn't take him very long to swallow the hook; soon he broke into my phony SDInet. Quickly, I got on the phone to Steve White. "Steve, call Germany. The hacker's on, and it'll be a long session." "Spot-on, Cliff. Call you back in ten minutes." For the next 45 minutes, the hacker dumped out file after file, reading all the garbage that I had created. Boring, tedious ore, with an occasional nugget of technical information. Then he dumped the file named FORM LETTER: DEAR SIR: THANK YOU FOR YOUR INQUIRY ABOUT SDINET. WE ARE HAPPY TO COMPLY WITH YOUR REQUEST FOR MORE INFORMATION ABOUT THIS NETWORK. THE FOLLOWING DOCUMENTS ARE AVAILABLE FROM THIS OFFICE. PLEASE STATE WHICH DOCUMENTS YOU WISH MAILED TO YOU: #37.6 SDINET OVERVIEW DESCRIPTION DOCUMENT 19 PAGES, REVISED SEPT. 1985 #41.7 STRATEGIC DEFENSE INITIATIVE AND COMPUTER NETWORKS: PLANS AND IMPLEMENTATIONS (CONFERENCE NOTES) 227 PAGES, REVISED SEPT. 1985 #45.2 STRATEGIC DEFENSE INITIATIVE AND COMPUTER NETWORKS: PLANS AND IMPLEMENTATIONS (CONFERENCE NOTES) 300 PAGES, JUNE 1986 #47.3 SDINET CONNECTIVITY REQUIREMENTS 65 PAGES, REVISED APRIL 1986 #48.8 How TO LINK INTO THE SDINET 25 PAGES, JULY 1986 #49.1 X.25 AND X.75 CONNECTIONS TO SDINET (INCLUDES JAPA NESE, EUROPEAN, AND HAWAIIAN NODES) 8 PAGES, DECEMBER 1986 #55.2 SDINET MANAGEMENT PLAN FOR 1986 TO 1988 47 PAGES, NOVEMBER 1985 #62.7 UNCLASSIFIED SDINET MEMBERSHIP LIST (INCLUDES MAJOR MILNET CONNECTIONS) 24 PAGES, NOVEMBER 1986 #65.3 CLASSIFIED SDINET MEMBERSHIP LIST 9 PAGES, NOVEMBER 1986 #69.1 DEVELOPMENTS IN SDINET AND SDI DISNET 28 PAGES, OCTOBER 1986 SINCERELY YOURS, MRS. BARBARA SHERWIN DOCUMENTS SECRETARY SDINET PROJECT Steve White called back from Tymnet. "I've traced your connection over to the University of Bremen. And the Bundespost has traced the Datex line from Bremen into Hannover. In the past half hour, the technician traced the line and has narrowed it down to one of 50 telephone numbers." "Why can't they get the actual number?" "Wolfgang's unclear about that. It sounds like they've determined the number to be from a group of local phones, but the next time they make a trace, they'll zero in on the actual telephone. From tile sound of Wolfgang's message, they're excited about solving this case." The next day, at 10:17 a.m., the hacker came back. This time, he wasn't interested in SDI files. Instead, he went out over the Milnet, trying to break into military computers. He was concentrating on air force and army computers, though he occasionally knocked on the navy's door as well. Places I'd never heard of, like the Air Force Weapons Lab, Descom headquarters, Air Force CC OIS, and the CCA-amc. Fifty places, all without success. Then he slid across the Milnet into a computer named Buckner. He got right in . . . didn't even need a password on the account named "guest." He'd broken into the Army Communications Center in Building 23, Room 121, of Fort Buckner. Fort Buckner was in Okinawa. What a connection! From Hannover, Germany, the hacker linked to the University of Bremen, across a transatlantic cable into Tymnet, then into my Berkeley computer, and into the Milnet, finally reaching Okinawa. A bit after 11 in the morning, he finally grew tired and logged off. While he'd circled the globe with his spiderweb of connections, the German Bundespost had homed in on him. The phone rang-had to be Steve White. "Hi Cliff," Steve said, "The trace is complete." "The Germans got the guy?" "They know his phone number." "Well, who is he?" I asked. "They can't say right now, but you're supposed to tell the FBI." "Just tell me this much," I asked Steve. "Is it a computer or a person?" "A person with a computer at his home. Or should I say, at his business." Days later, Tymnet passed along a chilling message: "This is not a benign hacker. It is quite serious. The scope of the investigation is being extended. Thirty people are now working on this case. Instead of simply breaking into the apartments of one or two people, locksmiths are making keys to the houses of the hackers, and the arrests will be made when the hackers cannot destroy the evidence. These hackers are linked to the shady dealings of a private company." Throughout the spring, I kept making new bait. My mythical Barbara Sherwin created memos and letters, requisitions and travel orders. Here and there, she sprinkled a few technical articles, explaining how the SDI network interconnected all sorts of classified computers. On Monday, April 27, came one of the biggest shocks. A letter arrived, addressed to the imaginary Barbara Sherwin. Triam International, Inc. 6512 Ventura Drive Pittsburgh, PA 15236 April 21, 1987 Dear Mrs. Sherwin: I am interested in the following documents. Please send me a price list and an update on SDI Network Project. Thank you for your cooperation. Very truly yours, Laszlo J. Balogh Balogh then asked for every phony document I had made up in the file called FORM LETTER. Someone had swallowed the bait and was asking for more information! I could understand it if the letter came from Hannover. But Pittsburgh? I called Mike Gibbons at the Alexandria FBI office and told him about it. "OK," Mike said. "Listen up carefully. Don't touch that letter. Especially, don't touch around the edges. Go find a glassine envelope. Gently insert the paper in the envelope. Then express mail it to me. Whatever you do, don't handle it. Wear gloves if you must." This sounded like Dick Tracy's "Crimestoppers," but I followed orders. A hacker in Hannover, Germany, learns a secret from Berkeley, California. Three months later, a Hungarian named Laszlo Balogh living in Pittsburgh writes us a letter. What's happening here? Tuesday moming, June 23, Mike Gibbons called from the FBI. "You can close up shop, Cliff." "What's happened?" "Arrest warrants were issued this morning at IO." "Anyone arrested?" "I can't say." Something was happening. But Mike wouldn't say what. A few hours later, Wolfgang Hoffman sent a message: "An apartment and a company were searched, and nobody was home at the time. Printouts, disks, and tapes were seized and will be analyzed in the next few days. Expect no further break-ins." Finally, it was over. The FBI still wasn't talking, but I managed to fmd out who the Germans had fingered; I could now attach a name to the shadowy hacker I had chased across two continents: Markus Hess. So what really happened? Was Hess working alone, or was he in league with others? And why was he breaking into defense department computers? Here's my estimate, based on interviews, police reports, newspaper accounts, and messages from German computer programmers. In the mid-1980s, a dozen hackers started the Chaos Computer Club, whose members specialized in creating viruses, breaking into computers, and serving as a computer counterculture. Through electronic bulletin boards and telephone links, they anonymously exchanged phone numbers of hacked computers, as well as stolen passwords and credit cards. Markus Hess knew of the Chaos Club, although he was never a central figure there. Rather, he kept his distance as a freelance hacker. During thc day, he worked at a small software firm in downtown Hannover. Over a crackling phone connection, an astronomer friend in Hannover explained to me, "You see, Hess knew Hagbard, who kept in touch with other hackers in Germany, Eke Pengo and Frimp. Hagbard is a pseudonym, of course, his real name is . . . " Hagbard. I'd heard that name before-he'd broken into Fermilab and Stanford. Hagbard worked closely with Markus Hess. The two drank beers together at Hannover bars and spent evenings behind Hess's computer. Apparently, Hess apparently just played around the networks at first, searching for ways to connect around the world. Like a ham-radio operator, he started out a hobbyist, trying to reach as far away as possible. In the beginning, he managed to connect to Karlsruhe; later he reached Bremen over the Datex network. Soon he discovered that many system managers hadn't locked their back doors. Usually these were university computers, but Markus Hess began to wonder: how many other systems were wide open? What other ways could you sneak into computers? By September 1985, Hagbard and Pengo were routinely breaking into computers in North America: mostly high energy physics labs, but a few NASA sites as well. Excitedly, Hagbard described his exploits to Hess. Hess began to explore outside of Germany. But he no longer cared about universities and physics laboratories-he wanted some real excitement. Hess now targeted the military. The leaders of the Chaos Computer Club had issued a warning to their members: "Never penetrate a military computer. The security people on the other side will be playing a game with you almost like chess. Remember that they've practiced this game for a long time. . . . " Markus Hess wasn't listening. Hess apparently found his way into an unprotected computer belonging to a German subsidiary of U.S. defense contractor Mitre. Once inside that system, he discovered detailed instructions to link into Mitre's computers in Bedford, Massachusetts, and McLean, Virginia. By summer 1986, Hess and Hagbard were operating separately but frequently comparing notes. Meanwhile, Hess worked in Hannover, programming VAX computers and managing several systems. Hess soon expanded his beachhead at Mitre. He explored the system internally, then sent out tentacles into other American computers. He collected telephone numbers and network addresses and methodically attacked these systems. On August 20, he struck Lawrence Berkeley Labs. Even then, Hess was only fooling around. He'd realized that he was privy to secrets, both industrial and national, but kept his mouth shut. Then, around the end of September, in a smoky Hannover beergarden, he described his latest exploit to Hagbard. Hagbard smelled money. And Hagbard knew who to contact: Pengo, in West Berlin. Pengo, with his contacts to hackers across Germany, knew how to use Hess's information. Carrying Hess's printouts, one of the Berlin hackers crossed into East Berlin and met with agents from the East German Staatssicherheitsdienst-the Secret Service. The deal was. made: around 30,000 deutschemarks-$18,000-for printouts and passwords. From there, who knows what happened to the information? The East German Secret Service cooperates closely with the Soviet KGB; surely the Staatssicherheitsdienst would tell the KGB about this new form of espionage. The KGB wasn't just paying for printouts, though. Hess and company apparently sold their techniques as well: how to break into VAX computers; which networks to use when crossing the Atlantic; details on how the Milnet operates. Even more important to the KGB was obtaining research data about Western technology, including integrated circuit design, computer-aided manufacturing, and, especially, operating system software that was under U.S. export control. They offered 250,000 deutschemarks for copies of Digital Equipment's VMS operating system. According to the German television station NDR, the Berlin hackers supplied much of this order, including source code to the Unix operating system designs for high-speed gallium-arsenide integrated circuits, and computer programs used to engineer computer memory chips. Hagbard wanted more than money. He demanded co caine. The East German Secret Service was a willing supplier. Hagbard passed some of the money (but none of the cocaine) to Hess in retum for printouts, passwords, and network information. Hagbard's cut went toward paying his telephone bill which sometimes ran over $1,000 a month as he called computers around the world. Hess saved everything. He kept a detailed notebook and saved every session on a floppy disk. This way, after he disconnected from a military computer, he could print out the interesting parts and pass these along to Hagbard and on to the KGB. Also on the KGB's wish list was SDI data. As Hess searched for it, I naturally detected SDI showing up in his requests. And I had fed Hess plenty of SDI fodder. But could the East Germans (or KGB?) trust these printouts? How could they be sure Hagbard wasn't inventing all of this to feed his own coke habit? The KGB decided to verify the German hacker ring. The mythical Barbara Sherwin served as a perfect way to test the validity of this new form of espionage. She had, after all, invited people to write to her for more information. But secret services don't handle things directly. They use intermediaries. The East Germans (KGB?) contacted another agency-either the Hungarian or Bulgarian intelligence service. They, in tum, apparently had a professional relationship with a contact in Pittsburgh: Laszlo Balogh. Does the FBI have enough evidence to indict Laszlo Balogh? They won't tell me. But the way I see it, Laszlo's in deep trouble: the FBI is watching him, and whoever's pulling his puppet strings isn't pleased. The West German police, though, have plenty of evidence against Markus Hess. Printouts, phone traces, and my logbook. When they broke into his apartment on June 29, 1987, they seized a hundred floppy disks, a computer, and documentation describing the U.S. Milnet. But when the police raided Hess's apartment, nobody was home. Though I was waiting patiently for him to appear on my computer, the German police entered his place when he wasn't connected. At his first trial, Hess got off on appeal. His lawyer argued that since Hess wasn't connected at the moment his apartment was raided, he might not have done the hacking. This, along with a problem in the search warrants, was enough to overtum the case against Hess on computer theft. But the German federal police continued to investigate. On March 2, 1989, German authorities charged five people with espionage: Pengo, Hagbard, Peter Carl, Dirk Bresinsky, and Markus Hess. Peter Carl met regularly with KGB agents in East Berlin, selling any data the others could find. When the German officials caught up with him, he was about to run off to Spain. He's now in jail, waiting for trial, along with Dirk Bresinsky, who was jailed for desertion from the German army. Pengo is having second thoughts about his years working for the KGB. He says that he hopes he "did the right thing by giving the German police detailed information about my involvement." But as long as there's an active criminal case, he'll say no more. All the same, the publicity hasn't helped Pengo's professional life as a computer consultant. His business partners have shied away from backing him, and several of his computing projects have been canceled. Outside of his business losses, I'm not sure that he feels there's anything wrong with what he did. Today, Markus Hess is walking the streets of Hannover, free on bail while awaiting a trial for espionage. Hagbard, who hacked with Hess for a year, tried to kick his cocaine habit in late 1988. But not before spending his profits from the KGB: he was deep in debt and without a job. In spring 1989 he found a job at the office of a political party in Hannover. By cooperating with the police, he and Pengo avoided prosecution for espionage. Hagbard was last seen alive on May 23, 1989. In an isolated forest outside of Hannover, police found his chaffed bones next to a melted can of gasoline. A borrowed car was parked nearby, keys still in the ignition. No suicide note was found. Journal: PC-Computing Sept 1989 v2 n9 p112(8) Title: The cuckoo's egg. (excerpts from book on hacker espionage) Author: Stoll, Clifford. Full Text: Me, a wizard? Until a week before, I had been an astronomer, contentedly designing telescope optics. But then I found myself transferred from the Keck Observatory at the Lawrence Berkeley Lab (LBL) down to the computer center in the basement of the same building. On either side of my new cubicle were the offices of two systems people, Wayne Graves and Dave Cleveland, the old hands of the system. Together, Wayne, Dave, and I were to run the computers as a labwide utility. We managed a dozen mainframe computers-giant workhorses for solving physics problems, together worth around $6 million. The scientists using the computers were supposed to see a simple, powerful computing system, as reliable as the electric company. This meant keeping the machines running full-time, around the clock. And just like a utility company, we charged for every cycle of computing that was used. On my second day, Dave was mumbling about a hiccup in the Unix accounting system. Someone must have used a few seconds of computing time without paying for it. The computer's books didn't quite balance; last month's bills of $2,387 showed a 75-cent shortfall. Now, an error of a few thousand dollars is obvious, and isn't hard to find. But errors in the pennies column arise from deeply buried problems, so finding these bugs is a natural test for a budding software wizard. Around about 7 p.m., my eye caught the name of one user, Hunter. This guy didn't have a valid billing address. Ha! Hunter had used 75 cents of time in the past month, but nobody had paid for him. Here was the source of our imbalance. Someone had screwed up while adding a user to our system. A trivial problem caused by a trivial error. A day later, an obscure computer named Dockmaster sent us an electronic-mail message. Its system manager claimed that someone from our laboratory had tried to break into his computer over the weekend. I guessed Dockmaster was some navy shipyard. It wasn't important, but it seemed worth spending a few minutes looking into. The message gave the date and time when someone on our Unix computer tried to log in to Dockmaster's computer. Our stock Unix accounting file showed a user, Sventek, logging in to our system at 8:25, doing nothing for half an hour, and then disconnecting. No time-stamped activity in between. Our homebrew software also recorded Sventek's activity, but it showed him using the networks from 8:31 until 9:01 a.m. Jeez. Another accounting problem. The timestamps didn't agree. One recorded activity when the other account said everything was dormant. Why were the two accounting systems keeping different times? And why was some activity logged in one file without showing up in the other? Was this related to the earlier accounting problem? Had I screwed things up when I poked around before? Or was there some other explanation-was there a hacker on the loose? So how do you find a hacker? I figured it was simple: just watch for anyone using Sventek's accounts, and try to trace the connection. I spent Thursday watching people log in to the computer. I wrote a program to beep my terminal whenever someone connected. At 12:33 on Thursday afternoon, Sventek logged in. I felt a rush of adrenaline, then a complete letdown when he disappeared within a minute. Where was he? The only pointer left for me was the identifier of his terminal: he had used terminal port tt23. I suspected a dial-in modem, connected fRom some telephone line, but it might conceivably be someone at the laboratory. By lucky accident, the connection had left some footprints behind. Paul Murray, a reclusive hardware technician who hides in thickets of telephone wire, had been collecting statistics on how many people used our communications switchyard. By chance he had recorded the port numbers of each connection for the past month. Since I knew when Sventek was active on port tt23, we could figure out where he came from. The printout of the statistics showed a one-minute, 1,200-bit-per-second connection had taken place at 12:33. Any lab employee here on the hill would run at high speed-9,600 or 19,200 bps. Only someone calling through a modem would let his data dribble out a 1,200-bps soda straw. But how to catch him? About the only place to watch our incoming traffic was in between the modems and the computers. Our modem lines were flat, 25-conductor wires, snaking underneath the switchyard's false floor. A printer or personal computer could be wired in parallel with each of these lines, recording every keystroke that came through. A kludge? Yes. Workable? Maybe. All we'd need were 50 teletypes, printers, and portable computers. I rounded them up; strewn with four dozen obsolete teletypes and portable terminals, the floor looked like a computer engineer's nightmare. I slept in the middle, nursing the printers and computers. Each was grabbing data from a different line, and whenever someone dialed our system, I'd wake up to the chatter of their typing. Every half-hour, a printer would run out of paper or a computer out of disk space, so I'd have to roll over and reload. Saturday morning, a coworker shook me awake. "Well, where's your hacker?" The first 49 printers and monitors showed nothing interesting. But from the 50th trailed 80 feet of printout. During the night, someone had sneaked in through a hole in the operating system. For three hours a hacker had strolled through my system, reading whatever he wished. Unknown to him, my DECwriter had saved his session on singlespaced computer paper. Here was every command he issued, every typing mistake, and every response from the computer. This printer monitored the line from Tymnet, a communications company that interconnected computers around the world. Our hacker might be anywhere. How the Cuckoo Laid Its Egg The hacker had become a super-user. He was like a cuckoo bird. The cuckoo is a nesting parasite that lays her eggs in other birds' nests: some other bird will raise her young. The survival of cuckoo chicks depends on the ignorance of other species. Our mysterious visitor had laid an egg-program into our computer, letting the system hatch it and feed it privileges. That morning, the hacker wrote a short program to grab privileges. Normally, Unix won't allow such a program to run, since it never gives privileges beyond what a user is assigned. But if our hacker ran this program from a privileged account, he'd become privileged. His problem was to masquerade this special program-the cuckoo's egg-so that it would be hatched by the system. Every five minutes, the Unix system executes its own program called atrun. In turn, atnin schedules other jobs and does routine housecleaning tasks. It runs in a privileged mode, with the full power and trust of the operating system behind it. If a bogus atrun program were substituted, it would be executed within five minutes, with full system privileges. For this reason, atrun sits in a protected area of the system, available only to the system manager. Nobody else has license to tamper with atrun. Here was the cuckoo's nest: for five minutes he would swap his egg for the system's atrun program. For this attack, he needed to find a way to move his egg-program into the protected systems nest. The operating system's barriers are built specifically to prevent this. But there was a wildcard that we'd never noticed. We used a powerful editing program called GnuEmacs. But Gnu's much more than just a text editor-it's a foundation upon which other programs can be built. It even has its own mail facility built in. just one problem: there's a bug in that software. Because of the way it was installed on our Unix computer, the Gnu-Emacs editor lets you forward a mail file from your own directory to anyone else's. It doesn't check to see who's receiving it, or even whether they want the file. No problem to send a file from your area to mine. But you'd better not be able to move a file into the protected systems area: only the systems manager is allowed there. Gnu didn't check. It let anyone move a file into protected systems space. The hacker knew this; we didn't. He used Gnu to swap his special atrun file for the system's legitimate version. Five minutes later, the system hatched his egg, and he held the keys to my computer. In front of me, the first few feet of the printout showed the cuckoo preparing the nest, laying the egg, and waiting for it to hatch. The next 70 feet showed the fledgling cuckoo testing its wings. As a super-user, he had the run of our system and could read anybody's work. By studying several scientists' command files and scripts, he discovered pathways into other lab computers. Every night, our computer automatically calls 20 others, to exchange mail and network news. When the hacker read these phone numbers, he learned 20 new targets. I had to weave a net fine enough to catch the hacker but coarse enough to let our scientists through. I'd have to detect the hacker as soon as he came online and call Tymnet's technicians to trace the call. If I knew the stolen account names, it would be easy to write a program that watched for the bad guy to show up. No need to check out every person using the computer; just ring a bell when a stolen account was in use. But I also had to stay invisible to the hacker, so I wrote the program for a new Unix-8 system we had just installed. I could connect it to our local area network, secure it against all possible attacks, and let it watch the other computers, all the while recording the traffic on printers. Wednesday afternoon, September 3, 1986, marked a week since we'd first detected the hacker. Suddenly, the terminal beeped twice: Sventek's account was active. I ran to the switchyard; the top of the ream of paper showed that the hacker had logged in at 2:26 and was still active. Logged in as Sventek, he first listed the names of everyone connected. Lucky-there was nobody but the usual gang of physicists and astronomers; my watchdog program was well concealed within the Unix-8 computer. He didn't become a super-user; rather, he checked that the Gnu-Emacs file hadn't been modified. At 2:37, 11 minutes after logging in, he abruptly logged off. But not before we'd started the trace. Ron Vivier traces Tymnet's network within North America 'In a couple of minutes he had traced the connection from LBL's Tymnet port into an Oakland Tymnet office, where someone had dialed in. It's easier to call straight into our Berkeley lab than to go through Oakland's Tymnet office. Calling the local Tymnet access number instead of our lab was like taking the interstate to drive three blocks. But calling via Tymnet added one more layer to trace. Whoever was at the other end of the line knew how to hide. The morning after we had watched the hacker break in to our system, my boss met with Aletha Owens, the lab's attorney. She wasted no time in calling the FBI. Our local FBI office didn't raise an eyebrow. Fred Wyniken, special agent with the Oakland resident agency, asked incredulously"You're calling us because you've lost 75 cents in computer time?" Owens tried explaining information security and the value of our data. Wyniken interrupted, "Look, if you can demonstrate a loss of more than a million dollars, or that someone's prying through classified data, then we'll open an investigation. Until then, leave us alone." Wednesday, September 10, at 7:51 a.m., the hacker appeared in our system for six minutes. I wasn't at the lab to watch, but the printer saved three pages of his trail. He logged in to our computer from Tymnet as Sventek, then jumped into another network. Using Milnet, a network that links military computers, he connected to address 26.0.0.113. He logged in there as Hunter, checked that they had a copy of Gnu-Emacs, and disappeared. The hacker left an indelible trail downstream to the Redstone Army Depot in Anniston, Alabama, the home of the army's Redstone missile complex2,000 miles from Berkeley. He listed files at the Anniston system. judging from the dates of these files, he'd been in Anniston's computers since early June. For four months, an illegitimate system manager had been using an army computer. Yet he'd been discovered by accident, not through some logic bomb or lost information. Looking closely at the morning's printout, I saw that, on the Anniston computer, the hacker had changed Hunter's password to Hedges. A clue at last: of zillions of possible passwords, he'd chosen Hedges. Hedges Hunter? Hunter Hedges? A hedge hunter? Time was running out; if I didn't catch the hacker soon, the lab would shut down my tracking operation and put me on other work. At 2:30 in the afternoon, the printer advanced a page and the hacker logged in with a new stolen account, Goran. A minute after the hacker connected, I called the phone company and Ron Vivier at Tymnet. I took notes as Ron mumbled. "He's coming into your port 14 and entering Tymnet from Oakland. It's our port 322, which is, uh, let me see here." I could hear him tapping his keyboard. "Yeah, it's 2902. 430-2902. That's the number to trace.' The phone company, by law, couldn't reveal information about the trace to me, but my printers showed his every move. While I talked to Tymnet and the telephone techs, the hacker had prowled through my computer. He wasn't satisfied reading the system manager's mail; he also snooped through mail for several nuclear physicists. After 15 minutes of reading our mail, he jumped back into Goran's stolen account, using a new password, Benson. He started a program that searched our users' files for passwords; while that executed, he called up the Milnet Network Information Center and asked for a pathway into the CIA. Instead of their computer, though, he found four people who worked at the CIA. Later, I phoned one of them. I didn't know where to begin. How do you introduce yourself to a spy? "Uh, you don't know me, but I'm a computer manager, and we've been following a computer hacker." "Uh-huh." "Well, he searched for a pathway to try to get into the CIA's computers. He found your name and phone number." "Who are you?" Nervously, I told him, expecting him to send over a gang of hit men in trench coats. I described our laboratory, making sure he understood that the People's Republic of Berkeley didn't have official diplomatic relations with his organization. He sent over a delegation several days later. OK, so they didn't wear trench coats. Not even sunglasses. just boring suits and ties. Wayne saw the four of them walk up the drive and flashed a message to my terminal: "All hands on deck. Sales reps approach through starboard portal. Charcoal gray suits. Set warp speed to avoid IBM sales pitch." If only he knew. The four spooks introduced themselves. One guy in his fifties said he was there as a "navigator" and didn't give his name-he just sat there quietly the whole time. The second spy, Greg Fennel, I guessed to be a computer jockey, because he seemed uncomfortable in a suit. The third agent, Teejay, was built like a halfback. The fourth guy must have been the bigwig: everyone shut up when he talked. Together, they looked more like bureaucrats than spies. The four of them sat quietly while we gave them an overview of what we'd seen. Mr. Big nodded and asked, "What keywords has he scanned for?" "He looks for words like password, nuclear, SDI, and Norad He's picked some curious passwords: lblhack hedges, jaeger, hunter, and benson. The accounts he stole, Goran, Sventek, Whitberg, and Mark don't say much about him, because the names are people here at the laboratory." Mr. Big nodded and asked, "Tell me, what did he do at Anniston?" "I don't have much of a printout there," I said. "He was into their system for several months, perhaps as long as a year. Now, since he knows they've detected him, he logs in only for a moment." Mr. Big fidgeted a bit, meaning that the meeting was about to break up. Greg asked one more question. "What machines has he attacked?" "Ours, of course, and the army base in Anniston. He's tried to get into White Sands Missile Range, and some navy shipyard in Maryland. I think it's called Dockmaster." "Shit!" Greg and Teejay simultaneously exclaimed. Greg said, "How do you know he hit Dockmaster?" "About the same time he screwed up our accounting, this Dockmaster place sent us a message saying that someone had tried to break in there." "Did he succeed?" "I don't think so. What is this Dockmaster place, anyway? Aren't they some navy shipyard?" They whispered among themselves, and Mr. Big nodded. Greg explained: "Dockmaster isn't a navy shipyard. It's run by the National Security Agency." A hacker breaking into the NSA? Bizarre. This wanted to get into the CIA, the NSA, army missile bases, and the North American Air Defense headquarters. "Dockmaster is NSA's only unclassified computer," Greg said. "It belongs to its computer security group, which is actually public." Mr. Big started talking slowly. "There's not much we can do about this affair. I think there's no evidence of foreign espionage." "Well, who should be working on this case?" I asked. "The FBI. I'm sorry, but this isn't our bailiwick. Our entire involvement has been the exposure of four names-names that are already in the public domain, I might add." Then they were gone. The spooks were no help, so I was on my own again. I searched the Berkeley phone book for Jaegers and Bensons; I figured I ought to try Stanford as well. So I stopped by the library. Maggie Morley, our 45-year-old documentmeister, plays rough-and-tumble Scrabble: posted on her door is a list of all legal three-letter Scrabble words. "I need a Stanford telephone book," I I'm looking for everyone in Silicon Valley named Jaeger or Benson." 'Jaeger. A word that's been kind to me," Maggie smiled. "Worth 16 points, but I once won a game with it, when the [J] landed on a triple-letter score. Turned into 75 points." "Yeah, but I need it because it's the hacker's password. Hey, I didn't know names were legal in Scrabble." "Jaeger's not a name. Well, maybe it's a nameEllsworth jaeger, the famous omithologist, for instance-but it's a type of bird. Gets its name from the German word meaning hunter." "Huh? Did you say hunter?" "Yes. Jaegers are hunting birds that badger other birds with full beaks. They harass weaker birds until they drop their prey." "Hot ziggity! You answered my question. I don't need the phone book." "Well, what else I can do for you?" "How about explaining the relationship between the words hedges, jaeger, hunter, and benson?" "Well, jaeger and hunter is obvious to anyone who knows German. And smokers know Benson & Hedges." Omigod-my hacker smokes Benson & Hedges. Maggie had won on a triple-word score. During one of the phone traces, I had copied down all the numbers and digits I heard from the technician. I called all combinations of them and ended up at a computer modem at Mitre, a defense contractor just down the road from CIA headquarters in McLean, Virginia. How deeply was Mitre's system infested? By listing its directory, I saw that the hacker had created a Trojan horse there on June 17. For six months, someone had silently booby-trapped Mitre's computers. In alllikelihood, Mitre served as a way station, a stepping-stone on the way to breaking into other computers. Someone dialed into Mitre, turned around, and dialed out from it. This way, Mitre paid the bills both ways: the incoming Tymnet connection and the outgoing long-distance phone call. Even nicer, Mitre served as a hiding place, a hole in the wall that couldn't be traced. Monday morning, I called a man named Bill Chandler at Mitre and told him the news. Bill wanted me to be quiet about the problems I had found. Well, yes, but I had a price. "Say, Bill, could you send me copies of your computer's phone bills?" "What for?" "It might be fun to see where else this hacker got into." Two weeks later, a thick envelope arrived, stuffed with long-distance bills from Chesapeake and Potomac. Six months of phone bills. Dates, times, phone numbers, and cities. Probably 5,000 in all. So many that I couldn't analyze them by hand. Perfect for analyzing on a computer-there's plenty of software designed to search out correlations. All I had to do was enter them into my Macintosh computer and run a few programs. Ever type 5,000 phone numbers? It's as boring as it sounds. And I had to do it twice, to make sure I didn't make any mistakes. Took me two days. After running an analysis, I found that this hacker hadn't just broken into my computer. He was into more than six, and possibly a dozen. From Mitre, the hacker had made long connections to Norfolk, Oak Ridge, Omaha, San Diego, Pasadena, Livermore, and Atlanta. At least as interesting: he had made hundreds of one-minute phone calls, all across the country. To air force bases, navy shipyards, aircraft builders, and defense contractors. What can you learn from a oneminute phone call to an army proving ground? For six months, this hacker had been breaking into bases and computers all across the country. Nobody knew it. He was out there, alone, silent, anonymous, persistent, and apparently successful-but why? What was he after? What had he already learned? And what was he doing with this information? Friday, December 5, the hacker showed up again at 1:21 in the afternoon. Nine minutes later, he disappeared. Enough time for me to trace the connection to Tymnet. But the network's sorcerer, Ron Vivier, was taking a long lunch that day, so Tymnet couldn't make the trace. Another chance lost. Ron returned my call an hour later. "Hey, Cliff, how come you never call me at night?" "Guess the hacker doesn't show up at night. I wonder why." He started me thinking. My logbook recorded every time the hacker had shown up. On the average, when was he active? I'd remembered him on at 6 a.m. and at 7 p.m. But never at midnight. Isn't midnight operation the very image of a hacker? On the average, the hacker showed up at noon, Pacific time. So what did this mean? Suppose he lives in California. Then he's hacking during the day. If he's on the East Coast, he's three hours ahead of us, so he works around 3 or 4 in the afternoon. This didn't make sense. He'd work at night to save on long-distance telephone fees. To avoid network congestion. And to avoid detection. Yet he brazenly breaks in during the day. Why? When it's noon in California, I wondered, where is it evening? Lunchtime in Berkeley is bedtime in Europe. Was the hacker coming from Europe? On a Saturday afternoon, the hacker hit again. I called Tymnet's Ron Vivier at home. "I've got a live one for you," I gasped. "Just trace my port 14." "Right. It'll take a minute." A couple of eons passed, and Ron came back on the line. "Hey, Cliff, are you certain that it's the same guy?," I watched the hacker searching for the word ]DI on our computer"Yes, it's him." "He's coming in from a gateway that I've never heard of. I'm locked onto his network address, so it doesn't matter if he hangs up. But the guy's coming from somewhere strange." "Where's that?" "I don't know. It's Tymnet node 3513, which is a strange one. I'll have to look it up in our directory." In the background, Ron's keyboard clicked. "Here it is. Your hacker is coming from outside the Tymnet system. He's entering Tymnet from a communications line operated by the International Telephone and Telegraph company." "So what?" "ITT takes a Westar downlink, the communications satellite over the Atlantic. It handles ten or twenty thousand phone calls at once." "So my hacker is coming from Europe?" "For sure." "Where?" "That's the part I don't know, and I probably can't find out. But hold on, and I'll see what's there." More keyboard clicks. Ron came back to the phone. "Well, ITT identifies the line as DSEA 744031. That's their line number. It can connect to either Spain, France, Germany, or Britain." "Well, which is it?" "Sorry, I don't know. In three days they'll send us billing information, and then I can find out. Meantime, I can't tell you much more than that." Ron rang off, but the hacker was still on my computer, trying to chisel into the Navy Research Labs, when one of Tymnet's international specialists, Steve White, called. "Ron can't trace any farther," Steve said. "I'll do the trace myself" I kept watching the hacker on my screen, hoping that he wouldn't hang up while Steve made the trace. Steve came back on the line. In his modulated, almost theatrical British accent, he said, "Your hacker has the calling address DNIC dash 2624 dash 542104214." "So where's the hacker coming from?" "West Germany. The German Datex network." "What's that?" "It's their national network to connect computers together. We'll have to call the Bundespost to find out more." "Who's the Bundespost?" "They're the German national postal office. The government communications monopoly." Steve seemed pessimistic about completing a successful "We know where he connects into the system. But there's a couple of possibilities there. The hacker might be at a computer in Germany, simply connected over the German Datex network. If that's the case, then we've got him cold, We know his address, the address points to his computer, and the computer points to him." "It is unlikely. More likely, the hacker is coming into the German Datex network through a dial-in modem." Just like Tymnet, Datex let anyone dial into its system and connect to computers on the network. Perfect for businesspeople and scientists. And hackers. "The real problem is in German law," Steve said. "I don't think they recognize hacking as a crime." "You're kidding, of course." "No," he said. "A lot of countries have outdated laws. In Canada, a hacker who broke into a computer was convicted of stealing electricity, rather than trespassing. He was prosecuted only because the connection had used a microwatt of power from the computer." Steve's pessimism was contagious. But his trace jogged my spirits. So what if we couldn't nail the hacker-our circle was closing around him. Germany. I remembered my librarian recognizing the hacker's password. "Jaeger-it's a German word meaning hunter." The answer had been right in front of me, but I'd been blind. Some details were still fuzzy, but I understood how he operated. Somewhere in Europe, the hacker called into the German Datex network. He asked for Tymnet, and the Bundespost made the connection. Once he reached the States, he connected to my laboratory and hacked his way around Milnet. Mitre must have been his stopover point. Now I realized why Mitre paid for a thousand one-minutelong phone calls. The hacker would connect to Mitre and instruct the system to phone another computer. When it answered, he would try to log in with a default name and password. Usually he failed and went on to another phone number. He'd been scanning computers, with Mitre picking up the tab. But he'd left a trail. On Mitre's phone bills. The path led back to Germany, but it might not end there. Conceivably, someone in Berkeley could have called Berlin, connected to the Datex network, connected through Tymnet, and come back to Berkeley. Maybe the start of the path was in Mongolia. Or Moscow. I couldn't tell. For the present, my working hypothesis would be Germany. And he scanned for militaly secrets. Could I be following a spy? A real spy, working for them-but who's "them"? Three months ago, I'd seen some mouse droppings in my accounting files. Quietly we'd watched this mouse sneak through our computer, out through a hole, and into the military networks and computers. At last I knew what this rodent was after. And where he was from. I'd been mistaken. This wasn't a mouse. It was a rat.