Cuckoo's Egg
Page 28
Another clue to Germany, unnecessary, now that the evidence was overwhelming. But why pick an astronaut’s name? Hero worship? Or some more sinister motive?
Could this explain why he kept breaking into computers? Could I have been following someone obsessed with the U.S. space program—a guy who dreamed about becoming an astronaut and collected information about the space program?
Nope. This hacker sought out military computers—not NASA systems. He wanted SDI data, not astronomy. You don’t search for the space shuttle on Okinawa. You don’t find an astronaut’s biography by looking up the Army’s nuclear warfare plans for Central Europe.
Tuesday morning greeted me with a pile of messages from Tymnet. Steve White read some electronic mail from the Deutsche Bundespost. “Since the University of Bremen won’t pay for any more international calls, you’ll have to carry that cost.”
He knew that we couldn’t afford it. “Steve, my boss balks at paying my salary, let alone this hacker’s connections.”
“How much time are you putting in on this chase?”
“Oh, about ten hours a day.” I wasn’t kidding. Even a five-minute connection by the hacker ballooned into a morning of phone calls. Everyone wanted to hear what had happened. Nobody offered support.
“Well then, I’ve some good news for you,” Steve said. “Wolfgang Hoffman says there’s a meeting in Hannover tomorrow. Something about coordinating legal, technical, and law-enforcement activities.”
“Why’s that good news?”
“Because they expect to make an arrest this weekend.”
Finally.
“But there’s a couple problems. The Germans haven’t heard from the FBI yet. So they’re putting things on hold. Wolfgang asks that you pass this message to the FBI.”
“Will do.”
My next call to the FBI showed the flip side of the coin. Special Agent Mike Gibbons explained the situation.
He’d sent telegrams to Bonn telling the FBI’s Legat to contact the German police. At the same time, he shipped by air a folder of information to the Attaché. But somewhere, the messages weren’t getting through—Wolfgang still hadn’t heard about any warrants from the FBI.
“You see, we can’t talk to anyone except through our Legat,” Mike said. “Still, I’ll rattle the cage again, and see that they’re awake in Bonn.”
Well, that FBI agent sure wasn’t dragging his heels. I never did find out much about the Legal Attaché—do they work for the FBI or the State Department? Is it one part-time person or a whole staff? What do they really do? Who do they talk to in the German government? What do you have to do to wake them up?
The CIA wouldn’t leave me alone. Teejay wanted every detail about the past weekend. But the juicy stuff—the guy’s name, his motives, and his backers—remained a mystery. All I knew was that he’d been fingered.
“Say, Teejay, if I find out some of this for you, is there any chance you might, uh, trade some gossip?”
“I don’t copy,” the spook said.
“I mean, suppose you figure out who was behind all this. What’ll you tell me about it?” I really wanted to know if he could send some spy over there and find out what this clown was up to.
“Sorry, Cliff. We’re listeners, not talkers.”
So much for learning anything from the CIA.
Within a day, however, more news came by way of Tymnet. Having traced the hacker’s phone number, they compared his name to that on the German Datex accounts.
Hmmm. They’re doing their homework!
Seems that the hacker used three different identifiers when he manipulated the Datex network. The first identifier belonged to the hacker. Same name, same address. The second one belonged to another person. And the third … well, it belonged to a company. A small company in Hannover that specialized in computers.
Were these identifiers stolen? It’s as easy to steal a network user identifier as it is to steal a telephone credit card number—just watch over someone’s shoulder as she makes a call. Perhaps the hacker has ripped off several people’s Datex network account numbers. If they worked for big multinational firms, they might never notice.
Or was this guy in collusion with someone else?
I’d pretty much convinced myself that he was acting alone. If a couple people were working together, they’d have to constantly exchange passwords. Moreover, the hacker had a single personality—patient, methodical, an almost mechanical diligence. Someone else wouldn’t have quite the same style when prowling around the Milnet.
A few of his targets weren’t sleeping. The day after he tried to pry their doors open, two of them called me. Grant Kerr, of the Hill Air Force Base in Utah, phoned. He was annoyed that one of my users, Sventek, had tried to break into his computer over the past weekend. And Chris McDonald of White Sands Missile Range reported the same.
Super! Some of our military bases keep their eyes open. Thirty-nine in forty are asleep. But there are a few system managers who vigilantly analyze their audit trails.
For the next few days, the hacker kept me hopping. He kept scanning my SDINET files, so every few hours, I’d add a couple more. I wanted the files to reflect an active office—a backlog of work and a busy, chatty secretary who didn’t quite know how her computer worked. Pretty soon, I was wasting an hour a day generating this flimflam, just feeding the hacker.
Zeke Hanson of the National Computer Security Center helped with these bogus files. I knew nothing about military ranks, so he gave me a few hints.
“The military’s just like any other hierarchy. Up at the top, there’s the flag officers. Generals. Below them are colonels, except in the Navy, where there’s captains. Then there’s lieutenant colonels, then majors and captains …”
Things are easier in grad school. Just call everyone with a tie, “Professor,” and anyone with a beard, “Dean.” When in doubt, just say “Doctor.”
Well, every couple days the hacker would log into my system and read the SDINET files. If he had any doubts about the validity of this information, he never showed it. In fact, he soon began trying to log into military computers using the account, SDINET.
Why not? Some of these ersatz files described network links into Milnet computers. I made sure they were crammed with lots of jargon and technobabble.
Still, feeding the hacker bait wasn’t leading us to an arrest. Every time he appeared, we traced him all right, but I kept waiting for a phone call saying, “He’s at the police station now.”
Now that the Germans had a suspect in mind, Mike Gibbons met with the U.S. attorney in Virginia. The FBI’s news was mixed: if a German citizen is involved, extradition is unlikely, unless there’s underlying espionage.
By the end of the week, the hacker had returned for five more sessions, each an hour or more. He checked into the Navy and Army computers, making sure that they still let him in. I wondered why they hadn’t closed their holes yet. Then he played around our laboratory computer, again checking over the SDINET files.
Perhaps he worried that we knew he’d stolen Sventek’s account, for he found yet another unused account at our lab, changed its password, and began using it for his hacking.
With all the high-powered computer folks in my department, I worried that one of them would post a notice to an electronic bulletin board, or casually leak the story in a conversation. The hacker still searched our system for words like “security” and “hacker,” so he’d stumble onto this news and our bird would fly the coop.
The Germans had promised a bust this weekend. The hacker had what I hoped was his last fling on Thursday, January 22, when he broke into a computer at Bolt, Beranak, and Neumann, in Cambridge, Massachusetts. This computer, called the Butterfly-vax, was as unprotected as the rest: you just logged in as “guest,” with no password.
I’d heard of BBN—they had built the Milnet. In fact, most of the Milnet would soon be controlled by their Butterfly computers. The hacker had found a particularly sensitive computer—if he planted the right kind of Trojan horse in this computer, he might steal all the passwords that ever crossed the Milnet. For this was where BBN developed their network software.
Stealing passwords at Lawrence Berkeley Labs only gives you access to nearby computers. The place to booby-trap software is where it’s distributed. Slip a logic bomb into the development software; it’ll be copied along with the valid programs and shipped to the rest of the country. A year later, your treacherous code will infest hundreds of computers.
The hacker understood this, but probably didn’t realize that he’d stumbled into such a development system. He searched the system and found one glaring security hole: the root account needed no password. Anyone could log in as system manager without so much as a challenge. Whoa!
Someone was sure to discover such an obvious hole, so he wasted no time in exploiting it. He became system manager and created a new, privileged account. Even if the original flaw was discovered, he’d added a new backdoor into BBN’s computer.
He created an account under the name Langman, with a password of “Bbnhack.” I understood the password, all right, but why Langman? Could that be his real name? The German Bundespost won’t tell me, but maybe the hacker himself did. What’s the meaning of the name Langman?
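A defender's check for the two defects this passage describes, an account that needs no password and a newly added UID-0 account serving as a backdoor, written as an added example that is not from the book; the passwd and shadow content below is constructed, and the "langman" name is borrowed from the story purely as an illustration.

```python
"""Audit Unix-style passwd/shadow data for passwordless accounts and for
privileged (UID 0) accounts beyond the ones expected. Added example; the
sample data is constructed, not taken from any real system."""

# Constructed sample: root and guest have empty password fields in shadow,
# and a second UID-0 account ("langman") has been added as a backdoor.
PASSWD = """root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
guest:x:1001:1001:Guest:/home/guest:/bin/sh
langman:x:0:0:Langman:/home/langman:/bin/sh
"""

SHADOW = """root::19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
guest::19000:0:99999:7:::
langman:$6$saltsalt$FAKEHASHFORILLUSTRATION:19000:0:99999:7:::
"""


def parse_colon_file(text):
    """Return {name: fields} for each non-empty, non-comment line."""
    rows = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        rows[fields[0]] = fields
    return rows


def audit(passwd_text, shadow_text, expected_uid0=("root",)):
    """Return (account, issue) pairs for every defect found."""
    findings = []
    passwd = parse_colon_file(passwd_text)
    shadow = parse_colon_file(shadow_text)
    for name, fields in passwd.items():
        uid = int(fields[2])
        pw = fields[1]
        # An empty password field (in passwd, or in shadow when passwd
        # defers to it with "x") means the account logs in with no password.
        if pw == "":
            findings.append((name, "empty password in passwd"))
        elif pw == "x":
            sh = shadow.get(name)
            if sh is None:
                findings.append((name, "no shadow entry"))
            elif sh[1] == "":
                findings.append((name, "empty password in shadow"))
        # Any UID-0 account not on the expected list is a likely backdoor.
        if uid == 0 and name not in expected_uid0:
            findings.append((name, "unexpected UID 0 account"))
    return findings
```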
No time to worry about it now. The hacker found a letter on the BBN computer, saying, “Hi, Dick! You can use my account at the University of Rochester. Log in as Thomas, with the password ‘trytedj’ …”
It didn’t take him fifteen seconds to reach into the Rochester computer. He then spent an hour reading information about integrated circuit designs. Apparently, a graduate student at Rochester designed sub-micron circuits, using an advanced computer-controlled technique. The hacker started to grab everything, including the programs.
I wouldn’t let him: this would be industrial espionage. Every time he started to copy some interesting files, I jingled my keys on the wires. He could look, but he’d better not touch. Finally, at 5:30, he gave up.
Meanwhile, I wondered about the word Langman. Was it someone’s name?
Aah—there’s a way to find out. Look it up in the phone book. Maggie Morley, our librarian, couldn’t find a Hannover telephone directory, so she ordered one. A week later, with suitable aplomb, Maggie delivered the Deutschen Bundespost Telefonbuch, issue number seventeen, covering Ortsnetz and Hannover, with a rubber-stamp on the side, “Funk-Taxi, 3811.”
My atlas presented a dry, geographic Hannover. And the tourist guides spoke of a historic, scenic city, nestled along the river Leine. But the phone book, well, here’s the city: the opticians, the fabric stores, a few dozen autohauses, even a perfumerie. And people … I spent an hour just paging through the white pages, imagining a whole different world. There were listings for Lang, Langhardt, Langheim, and Langheinecke, but not one Langman. Bum steer.
Steve White relayed a message from Germany. The Germans had been doing their homework. Apparently, when the hacker called a phone, the German police had printed out that phone number. Eventually, they figured out who was involved, just by piecing together the web of phone calls centered on the hacker.
Were the German authorities planning a simultaneous bust? Tymnet passed along a chilling message: “This is not a benign hacker. It is quite serious. The scope of the investigation is being extended. Thirty people are now working on this case. Instead of simply breaking into the apartments of one or two people, locksmiths are making keys to the houses of the hackers, and the arrests will be made when the hackers cannot destroy the evidence. These hackers are linked to the shady dealings of a private company.”
Not a benign hacker? Thirty people working on the case? Shady dealings of a private company? Uh oh.
If you pester an organization long enough, eventually they’ll hold a meeting. After all my calls to the FBI, NSA, CIA, and DOE, it was the Air Force Office of Special Investigations that gave in first. On February 4, they invited everyone to Bolling Air Force Base, in hopes of resolving the problem.
Suburban Washington’s world is measured by position on the beltway. Bolling Air Force Base is somewhere around five o’clock, sort of south by southeast. Even with such explicit directions, I got royally lost: bicycling along Berkeley side streets isn’t quite the same as driving a car around a DC highway.
At 11:30, three Department of Energy people met me at a restaurant near the Air Force base. Over some tortellini, we talked about DOE’s computer security policies. They worry about atomic bomb secrets. But they’re also painfully aware that security gets in the way of operations. High security computers are difficult to get onto, and unfriendly to use. Open, friendly systems are usually insecure.
Then we went to Bolling. It was the first time I’d ever walked on a military base. The movies are accurate: people salute officers, and some poor guy at the guardhouse spends his day saluting every car that comes through. Nobody saluted me, of course—with long hair, jeans, and a beat up jacket, a Martian would have been less conspicuous.
About twenty people showed up, from all the three-letter agencies. At last I could hook voices from the telephone to people’s faces. Mike Gibbons actually did look like an FBI agent—thirty years old or so, neatly pressed suit, mustache, and probably lifted weights in his spare time. We talked about microcomputers for a while—he knew the Atari operating system inside and out. Jim Christy, the Air Force computer crime investigator, was tall, lanky, and exuded confidence. And there was Teejay, sitting over in the corner of the room, silent as ever.
Barrel-chested and smiling, Zeke Hanson of the NSA greeted me with a slap on the back. He knew his way around both computers and bureaucracies. Occasionally, he whispered interpretations like, “That guy’s important to your cause” or “She’s just spouting the party line.” I felt uncomfortable among all the suits, but with Zeke’s encouragement I managed to stand up and talk to the gathering.
I babbled for a while, describing the network connections and weak spots, and then the others discussed national policy on computer security. Seems that there wasn’t any.
Through the whole meeting, people kept asking, “Who’s in charge?” I looked over at the contingent from the FBI. Mike Gibbons, the agent handling this case, squirmed in his chair. Sitting next to Mike, George Lane of the FBI handled the questions. “Since we can’t extradite the guy, the FBI isn’t going to devote many resources to this case. We’ve already done all we can.”
The DOE people didn’t let this slide. “We’ve been begging you to call the Germans. They’re begging you to contact them. But Bonn still hasn’t seen your warrant.”
“Uh, we’ve had a few problems in our Legat office, but that doesn’t concern us here,” Lane said. “The bottom line is that there’s been no damage done by this hacker.”
Russ Mundy, a wiry colonel from the Defense Communication Agency, could take it no longer. “No damage! This guy breaks into two dozen military computers and it’s no damage? He’s stealing computer time and network connections. Not to mention programs, data, and passwords. How long do we have to wait before he gets into something really serious?”
“But no classified data has been compromised,” the FBI agent said. “And how much money has been lost—75 cents of computer time in Berkeley?”
I listened as the colonel tried a different approach. “We rely on our networks for communications. Not just military people, but engineers, students, secretaries, hell, even astronomers,” he said, gesturing towards me. “This bastard is undermining the trust that holds our community together.”
The FBI saw the hacker as a minor annoyance; perhaps just some kid messing around after school. The military people took it as a serious attack on their communications lines.
The Department of Justice backed up the FBI. “Germany won’t extradite a German citizen, so why bother? And anyway, the FBI gets a hundred reports like this every year, and we can prosecute only one or two.”
He went on to say that we already had enough evidence to convict the hacker: my logbook and printouts would stand up at a trial. And according to U.S. law, we didn’t have to catch the hacker flagrante delicto: busting in on him while he was connected to a foreign computer. “So you really ought to close up shop. You’re not strengthening your case, and we already have enough evidence to bring him to trial.”
In the end, the Air Force OSI asked each group for direction. The FBI and Department of Justice wanted us to close up shop and lock the hacker out of our Berkeley computer. Neither Teejay of the CIA nor Zeke of NSA’s National Computer Security Center felt there was anything to gain by staying open.
Leon Breault of the Department of Energy stood up. “We’ve got to support the guys in the trenches and catch this guy. If the FBI won’t, then we will,” he said, glaring at the Department of Justice attorney.
The people being hit by the hacker wanted to keep the monitoring going. Closing our monitoring station just meant that the hacker would prowl around using a different, unobserved pathway.
But who should we turn to for help? The FBI didn’t want to touch the case. The military groups had no authority to issue warrants.
Where was a clearinghouse for reporting problems? This hacker had shown us several novel computer security problems. Who should we report them to?
Why, to the National Computer Security Center, of course. But Zeke told me otherwise: “We set standards for secure computers, and stay away from operational problems. All the same, we’re always willing to collect reports from the field.”
“Yeah, but will you warn me about others’ problems?” I asked. “Will you send me a report describing security holes in my computer? Can you call me on the phone if someone’s trying to break into my computer?”
“No, we’re an information collection point.” Just what I’d expect from an organization run by NSA. The giant vacuum cleaner that sucks in information, yet never says a thing.
Suppose I find a computer security problem, and it’s widespread. Perhaps I should keep my mouth shut, and hope that nobody else figures it out. Fat chance.