Cuckoo's Egg
Page 30
Then, routinely scanning my monitor’s printouts, I noticed someone using the Lawrence Berkeley Lab’s Petvax computer. It looked like they were entering the Petvax from a Caltech computer called Cithex.
I’d been warned about Cithex—Dan Kolkowitz at Stanford had noticed German hackers using that system to break into his computers. So I looked closely at the traffic from our Petvax to the Cithex computer.
Yeah. There it was. Someone had connected into the Caltech machine from the Petvax, and was trying to break into a place called Tinker, in Oklahoma.
Tinker? I looked it up in the Milnet directory. Tinker Air Force Base. Uh oh. A little bit later, there’s a connection into the Optimis database at the Pentagon. Then he tries the Letterman Army Institute. The Comptroller of the Army at Fort Harrison.
Oh hell. If it’s not the same hacker, then someone’s behaving just like him. That’s why the hacker’s been quiet for three weeks. He’s been using a different set of computers to get onto the Milnet.
Obviously, closing up my laboratory’s security holes won’t keep him off the networks. This pestilence would have to be eradicated at the source.
The Petvax, of all computers! An outsider would think it’s a toy—after all, a pet Vax computer, no?
Hardly. Pet is an acronym for Positron Emission Tomography. It’s a medical diagnostic technique to locate where oxygen is consumed in people’s brains. By injecting a patient with an activated isotope, LBL’s scientists create images of the brain’s interior. All you need is a particle accelerator to create radioactive isotopes, a hypersensitive particle detector, and a powerful computer.
That computer is the Petvax. Stored within it are patient records, analysis programs, medical data, and scans of people’s brains.
This hacker was playing games with medical tools. Break this computer, and someone’s going to get hurt. A bad diagnosis or a dangerous injection. Or what?
The doctors and patients who used this instrument needed it to work perfectly. This was a sensitive medical device, not a plaything for some cyberpunk. Some poor computer geek, indeed.
Was it the same hacker? Two minutes after he disconnected from the Petvax, he entered my Unix computer, using the name Sventek. Nobody else knew that password.
We locked up the Petvax, changing its passwords and setting alarms on it. But the incident worried me. How many other computers was this hacker slithering through?
On February 27, Tymnet forwarded some electronic mail from Wolfgang Hoffman of the Bundespost. Apparently the German police can only arrest the hackers while they’re connected. There’s no shortage of evidence to bring them to trial, but without positive identification, the charges won’t stick. We had to catch them red-handed.
Meanwhile, one of the LBL computer masters described the whole incident to a programmer at the Lawrence Livermore Lab. He, in turn, sent out electronic mail to several dozen people, saying that he was going to invite me to give a talk on “how we caught the German hackers.” Dumb.
Ten minutes after he posted his note, three people called me up, each asking, “I thought you were keeping this hush-hush. Why the sudden publicity?”
Terrific. How do I undo this? If the hacker sees the note, it’s all over.
John Erlichman observed that once you squeeze the toothpaste tube, it’s tough to get the stuff back in. I called Livermore; it took five minutes to convince them to erase the message from all of their systems. But how do we prevent this kind of leak in the future?
Well, I could start by keeping my officemates better informed. From now on, every week I told them what was happening and why we had to keep quiet. It worked remarkably well … tell people the truth, and they’ll respect your need for secrecy.
The hacker showed up occasionally during March. Just often enough to upset my life, but not quite enough to let the Germans nail him.
Thursday, March 12, was an overcast Berkeley day. Dry in the morning, so I biked in without a raincoat. At 12:19, the hacker visited his old haunt for a couple minutes. Listed a few of my SDINET files—he found out that Barbara Sherwin had recently bought a car and that SDINET was expanding overseas. He saw the names of thirty new documents, but he didn’t read them. Why not?
Steve White had shown up in town, passing through to visit Ron Vivier at Tymnet’s office in Silicon Valley. He and Martha and I had a date at a Thai restaurant, so I had to be home by six.
It started to rain about four, and I realized that I would get drenched bicycling home. Not much choice in the matter, so I insanely biked home—the rain turned the bike’s brakes into banana peels. My raincoat wouldn’t have been much defense against the sheet of water thrown up by an old DeSoto. Traffic splashed me from the side, and my bike’s tires got me from below.
By the time I got home, I was sopping wet. Well, I’ve plenty of dry clothes. But only one pair of shoes. The grungy sneakers I was wearing. And they were soaked. I couldn’t dry ’em out in time, so I looked around. There’s Claudia’s new microwave oven. I wonder …
So I popped the sneakers into Claudia’s microwave, and pressed a few buttons. The display read “120.” I wondered whether that meant 120 seconds, 120 watts, 120 degrees, or 120 light-years. I dunno.
It didn’t make any difference. I’d just watch the sneakers through the window and make sure nothing goes wrong. For the first few seconds, no problem. Then the phone rang.
I ran into the front room to answer it. It was Martha.
“I’ll be home in half an hour, honey,” she said. “Don’t forget dinner with Steve White.”
“I’m getting ready right now. Uh, Martha, how do I set the microwave oven?”
“You don’t need to. We’re going out for dinner, remember?”
“Suppose I want to dry out my sneakers,” I said. “What should I set on the microwave?”
“Be serious.”
“I am being serious. My sneakers are wet.”
“Don’t you dare put them in the microwave.”
“Well, theoretically speaking, how long should I hypothetically set the microwave for?”
“Don’t even think about it. I’ll come home and show you how to dry them out.”
“Well, uh, sweetheart,” I tried to interrupt.
“No. Don’t touch the microwave,” she said. “Just sit tight. Bye for now.”
As I hung up the phone, I heard four beeps from the kitchen. Uh oh.
Boiling out of the back of Claudia’s new Panasonic microwave oven was an angry cloud of thick, black smoke. The kind you see in newsreels, when the oil refinery blows up. And the stench—it smelled like an old tire burning.
I swung open the microwave, and another cloud of smoke belched out. I reached in and tried pulling out the sneakers—they still looked like sneakers, but had the texture of hot mozzarella cheese. I tossed them and the glass tray out the kitchen window. The tray shattered in the driveway, and the smoldering sneakers lay seething next to the plum tree.
Now I’m in deep yogurt. Martha’s due home in half an hour and the kitchen smells like Akron during the tire-burning festival. Time to clean up the mess.
I got out the paper towels and started scrubbing the microwave. Black soot all over. Not the kind of soot that washes away, either. Wiping the glop only spreads the black plague further.
Half an hour. How do you get rid of the delicate fragrance of burning rubber? I swung open the windows and door, letting the wind blow the stench away. It didn’t do much for the smell, and now the rain was blowing in the windows.
When you make a mess, cover it up. I remembered a homemakers’ column: to mask household aromas, boil a small amount of vanilla on the stove. Well, it can’t make things worse. I dump a couple of ounces of vanilla in a pan and crank up the heat.
Sure enough, in a couple minutes, the vanilla works. The kitchen no longer smells like a burning old blackwall tire. No, now it smells like a burning new whitewall tire.
Meanwhile, I’m cleaning the walls and ceiling. But I forgot the vanilla. The vanilla evaporates, the pot burns, and I’ve now screwed up twice. Three times, if you count the soggy floor.
Fifteen minutes. What to do? Appeasement. I’ll bake her some cookies. Reach into the refrigerator for last night’s cookie dough, and slap lumps of it onto a cookie pan. Set the oven at 375, just right for chocolate chips.
Well, a third of the cookies slid off the pan and stuck on the bottom of the oven where they turned to cinders.
Martha walks in, takes one sniff, sees the black welt on the ceiling, and says, “You didn’t.”
“I’m sorry.”
“I told you.”
“I’m sorry twice.”
“But I said …”
The doorbell rings. Steve White enters, and with British aplomb says, “I say, old chap. Is there a tire factory nearby?”
Through March and early April, the hacker laid low. Occasionally, he’d pop in, just long enough to keep his accounts on the active list. But he seemed uninterested in reaching into other computers, and pretty much ignored my new SDINET files. What was happening to this guy? If he’s been arrested, he wouldn’t show up here. And if he’s busy on other projects, why does he just show up for a minute, then disappear?
On April 14, I was working on the Unix system when I noticed Marv Atchley logged into the system.
Odd. Marv’s upstairs, giving a pep talk to some programmers. I wandered over to his cubicle and looked at his terminal. Not even turned on.
Who’s using Marv’s account? I ran over to the switchyard and saw someone coming in through our Tymnet port. They were connected into the system as Marv Atchley.
I called Tymnet—Steve traced the line quickly. “It’s from Hannover, Germany. Are you sure it’s not the hacker?”
“Hard to say. I’ll call you right back.”
I ran up four flights of stairs and peered into the conference room. Yep, there was Marv Atchley, giving an animated talk to twenty-five programmers.
By the time I returned to the switchyard, the pseudo-Marv was gone. But I could see that he’d entered the system without any tricks. Otherwise he would have set off my alarms. Whoever it was must know Marv’s password.
When the meeting ended, I showed the printout to Marv.
“Damned if I know who it is. I sure never gave my password to anyone.”
“How long since you changed it?”
“Oh, a few weeks ago.”
“And what’s your password?”
“Messiah. I’ll change it right now.”
How the hell did this hacker get Marv’s password? I would have noticed if he’d set a Trojan horse. Could he have guessed the word “Messiah”?
Uh oh. There’s a way he could have.
Our passwords are stored encrypted. You can search the entire computer, and you’ll never find the word “Messiah.” You will find it encrypted as “p3kqznqiewe.” Our password file was filled with such encrypted gibberish. And there’s no way to reconstruct the avocado from that guacamole.
But you can guess passwords. Suppose the hacker tried to log in as Marv, then tried the password “Aardvark.” My system says, “no good.” The hacker, being persistent, then tries again, using the password “Aaron.” Again, no luck.
One by one, he tries to log on using passwords that he looks up in a dictionary. Eventually, he tries the password “Messiah.” The door opens wide.
Each trial takes a couple seconds. His fingers would wear out before he tried the whole dictionary. Such a brute-force method of guessing passwords will only work on a completely mismanaged computer.
But I saw this hacker copy our password file into his own computer. How could he use a list of our encrypted passwords?
The Unix password scheme uses an encryption program that’s public. Anyone can get a copy of it—it’s posted to bulletin boards. With a hundred thousand Unix computers in the world, you couldn’t keep the program secret.
The Unix encryption program works in one direction only: it will encrypt from English text into gibberish. You can’t reverse the process to translate encrypted passwords into English.
But with this encryption program, you can encrypt every word in the dictionary. Make a list of encrypted English words from your dictionary. Then, it’s a simple matter to compare what’s in my password file to your list of encrypted passwords. This must be how the hacker is cracking passwords.
On his computer in Hannover, he’d run the Unix password encryption program. He’d feed it the whole dictionary, and one by one, his program would encrypt every word in the English language. Something like this:
Aardvark encrypts to “vi4zkcvlsfz.” Is that the same as “p3kqznqiewe”? No, so go on to the next word in the dictionary.
Aaron encrypts to “zzole9cklg8.” Not the same as “p3kqznqiewe,” so go on to the next word in the dictionary.
Eventually, his program would discover that Messiah encrypts to “p3kqznqiewe.”
When his program found a match, bingo—it would print it out.
My hacker was cracking passwords using a dictionary. He could find anyone’s password, so long as it was an English word.
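As an added illustration (not text or code from the book), here is a small Python audit in the spirit of the dictionary comparison just described, the kind a system manager runs to find dictionary passwords before anyone else does: it encrypts every dictionary word once, then checks a constructed password file for accounts whose stored value appears in that table. The hash function (SHA-256 standing in for the Unix password program), the file format, the four-word dictionary and the user names are all constructed stand-ins. The second half goes beyond the page: it stores a different salt with each account, which is what makes a precomputed table useless and forces a full dictionary pass per account.

```python
import hashlib

# Constructed stand-in for the one-way Unix password program: SHA-256 here,
# not crypt(3), so the point is the method rather than the exact cipher.
def encrypt_password(word: str, salt: str = "") -> str:
    return hashlib.sha256((salt + word).encode("utf-8")).hexdigest()

# Constructed dictionary (the real one had on the order of 100,000 words).
DICTIONARY = ["aardvark", "aaron", "messiah", "zebra"]

# Constructed, unsalted password file in "user:ciphertext" form.
UNSALTED_FILE = "\n".join([
    "marv:" + encrypt_password("messiah"),
    "dave:" + encrypt_password("aardvark"),
    "cliff:" + encrypt_password("Bt9#vZp4-q"),   # not a dictionary word
])

def precompute_table(dictionary):
    """Encrypt every word once; key by ciphertext so each lookup is a dict hit."""
    return {encrypt_password(w): w for w in dictionary}

def audit_unsalted(password_file, table):
    """Return {user: cleartext} for every account whose stored value is in the table."""
    weak = {}
    for line in password_file.splitlines():
        if not line.strip():
            continue
        user, stored = line.split(":", 1)
        if stored in table:
            weak[user] = table[stored]
    return weak

# Salted variant, "user:salt$ciphertext". With a different salt per account the
# precomputed table above no longer matches anything: the auditor (or an
# attacker) must re-encrypt the whole dictionary for every account.
SALTED_FILE = "\n".join([
    "marv:k7$" + encrypt_password("messiah", "k7"),
    "dave:Qe$" + encrypt_password("aardvark", "Qe"),
    "cliff:9z$" + encrypt_password("Bt9#vZp4-q", "9z"),
])

def audit_salted(password_file, dictionary):
    """Per-account dictionary pass; cost is accounts x dictionary, not one table."""
    weak = {}
    for line in password_file.splitlines():
        if not line.strip():
            continue
        user, rest = line.split(":", 1)
        salt, stored = rest.split("$", 1)
        for word in dictionary:
            if encrypt_password(word, salt) == stored:
                weak[user] = word
                break
    return weak

def main():
    table = precompute_table(DICTIONARY)
    print("unsalted file, precomputed table:", audit_unsalted(UNSALTED_FILE, table))
    print("salted file, same table:         ", audit_unsalted(SALTED_FILE, table))
    print("salted file, per-account pass:   ", audit_salted(SALTED_FILE, DICTIONARY))

if __name__ == "__main__":
    main()
```

Running it flags marv and dave in the unsalted file, finds nothing when the precomputed table is tried against the salted file, and flags the same two accounts again only after the per-account pass. The lesson for the manager is the one the page draws: a stored password is only as safe as the word behind it, and the defences are a non-dictionary word and a per-account salt.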
This was serious stuff. It meant that every time I’d seen him copy a password file, he could now figure out legitimate users’ passwords. Bad news. I checked my logbook. He’d copied these files from our Unix computer, the Anniston system, and the Navy Coastal Systems Command. I wondered if he’d be back in those computers.
Hey—I’d proven that he was cracking passwords on his computer. There are around a hundred thousand words in an English dictionary. It had been about three weeks since he copied my password file. If his password cracker worked continually for three weeks, could he have guessed Marv’s password?
Well, on an ordinary Vax computer, it takes about a second to encrypt one password. A hundred thousand words, then, would take around a day. On an IBM PC, maybe a month. A Cray supercomputer might take an hour.
But according to Marv, this guy did it in less than three weeks. So he wasn’t using a little home computer. He must be running the password cracker on a Vax or a Sun workstation. I had to be careful about this conclusion, though. He might use a faster algorithm or have waited a few days after cracking Marv’s password.
Still, I patted myself on the back. Just by noticing that he’d been cracking passwords, I knew what type of computer he was using. Remote-control detective work.
This explained why he’d always copied our password files to his system. He was cracking our passwords in Germany.
Even one guessed password was dangerous. Now, if I erased Sventek’s account, he could sneak in on someone else’s account. Good thing that I’d not closed the door on him. What I’d thought to be bulletproof—my passwords—turned out to be riddled with holes.
Password cracking. I’d not come across it before, but I suppose that experts had. Well, what do the experts say about it? I called Bob Morris, the big shot I’d met at NSA. He’d invented the Unix password encryption system.
“I think the hacker’s cracking my passwords,” I told Bob.
“Eh?” Bob was obviously interested. “Is he using a dictionary or has he actually reversed the data encryption algorithm?”
“A dictionary, I think.”
“Big deal. Why, I’ve got three good password cracking programs. One of them will pre-compute the passwords, so it runs a couple hundred times faster. Want a copy?”
Egads, he was offering me a copy of a password-cracking program! “Uh, no, I don’t think so,” I said. “If I ever need to decrypt passwords, though, I’ll call you. Say, how long have people known about password cracking?”
“This kind of brute force stuff? Oh maybe five or ten years. It’s child’s play.”
Cracking passwords as a game? What kind of a guy is this?
Bob continued. “Guessing won’t work when you choose good passwords. Our real concern is with the encryption programs. If someone figures out a way to reverse that software, we’re in deep trouble.”
I now understood what he meant. The program that translated “Messiah” into “p3kqznqiewe” is a one-way street. It needs just a second to encrypt your password. But if someone found a way to crank that sausage machine backwards—a way to convert “p3kqznqiewe” into “Messiah,” then they could figure out every password, without guessing.
Well, I’d at least told the NSA. Maybe they’d known these techniques for years, but now they officially knew that someone else was using them. Would they publicize it? Come to think of it, if NSA had known of this for ten years, why hadn’t they publicized it already?
Systems designers needed to know about this problem—to build stronger operating systems. Computer managers ought to know, too. And every person who used a password should be warned. It’s a simple rule: don’t pick passwords that might show up in a dictionary. Why hadn’t anyone told me?
The National Computer Security Center didn’t seem interested in real-world problems of thousands of Unix computers out in the field. I wanted to know about weaknesses in my Unix system. What problems had been reported? Before, I’d discovered a bug in the Gnu-Emacs editor. A widespread security hole. I’d dutifully reported it to the National Computer Security Center. But they never told anyone about it. Now, I’d discovered that passwords that appeared in dictionaries weren’t safe.
How many other security holes were lurking in my system?
The NCSC might know, but they weren’t saying.
NSA’s motto, “Never Say Anything,” seemed to come into play. Yet by keeping silent about these computer security problems, they hurt us all. I could see that the hackers had long ago discovered and exploited these holes. Why wasn’t someone telling the good guys?
“It’s not our bailiwick,” Bob Morris said. “We collect this information so as to better design future computers.”
Somewhere, somehow, something was wrong here. The guys in black hats knew the combinations to our vaults. But the white hats were silent. Well, forget the NSA for now. What more could I do? It was time to prod the other agencies.