
Tangled Web:
Tales of Digital Crime from the Shadows of Cyberspace
Chapter Six
One of the greatest misconceptions among the many who hamper the defense
of cyberspace is the idea that all hacking is done only by juvenile joy riders:
i.e., youthful geniuses bent on embarrassing law enforcement and the military.
Of course, one of the ways in which this misconception is spread is through
the mainstream media. Most cases that reach the light of day usually do end
up involving juvenile hackers.
Why? Well, cases involving true cyberterrorists, information warriors,
intelligence agencies, and corporate spies slip below the surface of the headlines.
They are lost in the murky waters of "classified operations" or are swept under
thick corporate carpets. (You'll read more about such cases in Chapter 10 and
Chapter 12.)
Juvenile hackers or other "sport hackers" (a term used to describe hackers
who break into systems for the same reasons but aren't minors) end up in the
newspapers because they get caught. They also end up in the headlines because
they seek the limelight. Furthermore, acknowledging their activities doesn't
open a Pandora's box for the government agency or the corporation that was hit.
If a government agency acknowledged an intelligence operation conducted by another
country, there could be serious diplomatic or even military consequences. If
a major corporation acknowledged a hack attack in which trade secrets were compromised
seemingly by another corporation, there would be a public relations debacle:
for example, their stock could dive, lawsuits could get filed, etc.
Nevertheless, juvenile or sport hackers, or joy riders, have wreaked a lot
of havoc and mayhem over the years.
Here are some of the details of three high-profile stories, stretching from
1994 to 1999, that illustrate some of the lessons learned and unlearned along
the way.
The Rome Labs Case: Datastream Cowboy and Kuji Mix It Up
with the U.S. Air Force
The Rome Air Development Center (Rome Labs), located at Griffiss Air Force
Base (New York), is the U.S. Air Force's premier command-and-control research
facility.
Rome Lab researchers collaborate with universities, defense contractors, and
commercial research institutions on projects involving artificial intelligence
systems, radar guidance systems, and target detection and tracking systems.
On March 28, 1994, Rome Labs's system administrators (sysadmins) noticed that
a password sniffer, a hacking tool that gathers users' login information, had
been surreptitiously installed on a system linked to the Rome Labs network.
The sniffer had collected so much information that it filled the disk and crashed
the system, according to James Christy, who was director of Computer Crime Investigations
for the Air Force Office of Special Investigations.
The sysadmins informed the Defense Information Systems Agency (DISA) that the
Rome Labs network had been hacked into by an as yet unknown perpetrator. The
DISA Computer Emergency Response Team (CERT), in turn, informed the Air Force
Office of Special Investigations (AFOSI) of the report of an intrusion. The
AFOSI, in turn, informed the Air Force Information Warfare Center (AFIWC), headquartered
in San Antonio, Texas.
An AFOSI team of cybercrime investigators and security experts was dispatched
to Rome Labs. They reviewed audit trails and interviewed the sysadmins. The
conclusions that they reached in their preliminary investigation were very disturbing.
Two hackers had broken into seven different computers on the Rome Labs network.
They had gained unlimited access, downloaded data files, and secreted sniffers
on every one of them. The seven sniffers had compromised a total of 30 of Rome
Labs's systems.
These systems contain sensitive research and development data.
System security logs disclosed that Rome Labs's systems had actually been
hacked into for the first time on March 23, five days before the discovery made
on March 28.
The investigation went on to disclose that the seven sniffers had compromised
the security of more than 100 more user accounts by capturing user logons and
passwords. Users' e-mail messages had been snooped, duplicated, and deleted.
Sensitive battlefield simulation program data had been pursued and purloined.
Furthermore, the perpetrators had used Rome Labs's systems as a jumping-off
point for a series of hack attacks on other military, government, and research
targets around the world. They broke into user accounts, planted sniffer programs,
and downloaded massive quantities of data from these systems as well.
The investigators offered the Rome Labs commanding officer the option of either
securing all the systems that had been hacked or leaving one or more of them
open to attack. If they left a few systems open, they could monitor the comings
and goings of the attackers in the hope of following them back to their
point of origination and identifying them.
The commander opted to leave some of the systems open to lay a trap for the
intruders.
Investigators Wrestle with Legal Issues and Technical Limitations
Using standard software and operating-system commands, investigators initially
traced the attacks back one leg of their path. The majority of the attacks were
traced back to two commercial Internet service providers, cyberspace.com, in
Seattle, Washington, and mindvox.phantom.com, in New York City.
Newspaper articles indicated that the individuals who provided mindvox.phantom.com's
computer security described themselves as "two former East Coast Legion of Doom
members."
The Legion of Doom (LoD) was a loose-knit computer hacker group that had several
members convicted for intrusions into corporate telephone switches in 1990 and
1991. Because the agents did not know whether the owners of the New York Internet
service provider were willing participants or merely a transit point for the
break-ins at Rome Labs, they decided not to approach them. Instead, they simply
surveilled the victim computer systems at Rome Labs's network to find out the
extent of the intruders' access and identify all the victims.
Following legal coordination and approval with Headquarters, AFOSI's legal
counsel, the Air Force General Counsel's Office, and the Computer Crime Unit
of the Department of Justice, real-time content monitoring was established on
one of Rome Labs's networks. Real-time content monitoring is analogous to performing
a wiretap because it allows you to eavesdrop on communications, or in this case,
text. The investigative team also began full keystroke monitoring at Rome. The
team installed a sophisticated sniffer program to capture every keystroke performed
remotely by any intruder who entered the Rome Labs network.
This limited context monitoring consisted of subscribing to the commercial
ISPs' services and using only software commands and utilities the ISP authorized
every subscriber to use. The team could trace the intruder's path back only
one leg. To determine the next leg of the intruder's path required access to
the next system on the hacker's route. If the attacker was using telephone systems
to access the ISP, a court-ordered "trap and trace" of telephone lines was required.
Due to time constraints involved in obtaining such an order, this was not a
viable option. Furthermore, if the attackers changed their path, the trap and
trace would not be fruitful. During the course of the intrusions, the investigative
team monitored the hackers as they intruded on the system and attempted to trace
the intruders back to their origin. They found the intruders were using the
Internet and making fraudulent use of the telephone systems, or "phone phreaking."
Because the intruders used multiple paths to launch their attacks, the investigative
team was unable to trace back to the origin in real-time due to the difficulty
in tracing back multiple systems in multiple countries.
In my interview with James Christy for this book, he provided fascinating insight
into the deliberations over what capabilities could be used to pursue the investigation.
"The AFIWC worked the Rome Labs case with us," Christy says. "They developed
the Hackback tool right at Rome." According to Christy, Hackback is a tool that
does a finger back to the system the attack came from, then launches a scripted
hack attack on that system, surveils the system, finds the next leg back, and
then launches a scripted attack on that system. Hackback was designed to follow
them all the way back over the Internet to their point of origination.
"Well, AFIWC developed this tool," Christy continues, "but we told them, 'Hey,
you can't use that 'cause it's illegal. You're doing the same thing as the hacker
is doing: You're breaking into systems.' They said, General Minihan [who was
at that time the head of the NSA] says, 'We're at war, we're going to use it.'
My guys had to threaten to arrest them if they did. So we all said, 'Let's try
something.'"
Christy tells me there was a big conference call involving the DoJ, the Secret
Service, the FBI, AFOSI, and the guys that were up at Rome Labs. "We all claimed
exigent circumstances, a hot pursuit. Scott Charney [who was at that time the
head of DoJ's computer crime unit] gave us the approval to go run Hackback one
time. We did it, but it didn't buy us anything. The hackers weren't getting
into those nodes via the Internet. They were getting in through telephone dial-ups.
So it dead-ended where we already knew it was coming from."
Datastream Cowboy's Biggest Mistake
As the result of the monitoring, the investigators could determine that the
hackers used the nicknames Datastream and Kuji. With this clue, AFOSI Computer
Crime Investigators turned to their human intelligence network of informants
that surf the Internet. The investigators tasked their informants with identifying
the two hackers using the handles Datastream and Kuji.
"Our investigators went to their sources," Christy recalls, "saying, 'Help
us out here, anybody know who these guys are?' And a day and a half later, one
of these sources came back and said, 'Hey, I got this guy. Here's his e-mail!'"
According to Christy, these informants have diverse motivations. Some of them
want to be cops; some of them want to do the right thing; some of them simply
find hacking exciting; some of them have pressure brought to bear on them because
of their own illegal activities.
Indeed, whatever the motivation, on April 5, 1994, an informant told the investigators
he had a conversation with a hacker who identified himself as Datastream Cowboy.
The conversation was via e-mail and the individual stated that he was from
the United Kingdom. The on-line conversation had occurred three months earlier.
In the e-mail provided by the informant, Datastream indicated he was a 16-year-old
who liked to attack .mil sites because they were so insecure.
Datastream had even provided the informant with the home telephone number of
the hacker bulletin board system he had set up.
Bragging of his hacking feats, as Christy explains, was Datastream Cowboy's
big mistake.
"It was the only way we solved the case," he said. "If we had to rely on surveillance
alone, we never would have traced it back to them because of all the looping
and weaving through South America. We would have been working with multiple
countries.
"Did these South American countries have laws against hacking?" Christy continues.
"No. Would the South Americans have been able to do a trap and trace? Maybe
not. Remember, they were using telephone lines."
The Air Force agents had previously established a liaison with New Scotland
Yard who could identify the individuals living at the residence associated with
Datastream's telephone numbers.
New Scotland Yard had British Telecom initiate monitoring of the individual's
telephone lines with pen registers. A pen register records all the numbers dialed
by the individuals at the residence. Almost immediately, monitoring disclosed
that someone from the residence was phone phreaking through British Telecom,
which is also illegal in the United Kingdom.
Within two days, Christy and the investigative team knew who Datastream Cowboy
was. For the next 24 days, they monitored Datastream's online activity and collected
data.
During the 26-day period of attacks, the two hackers, Datastream Cowboy and
Kuji, made more than 150 known intrusions.
Scotland Yard Closes in on Datastream Cowboy
New Scotland Yard found that every time an intrusion occurred at Rome Labs,
the individual in the United Kingdom was phone-phreaking the telephone lines
to make free telephone calls out of Britain. Originating from the United Kingdom,
his path of attack was through systems in multiple countries in South America
and Europe, and through Mexico and Hawaii; occasionally he would end up at Rome
Labs. From Rome Labs, he was able to attack systems via the Internet at NASA's
Jet Propulsion Laboratory in California and its Goddard Space Flight Center
in Greenbelt, Maryland.
Continued monitoring by the British and American authorities disclosed that
on April 10, 1994, Datastream successfully penetrated an aerospace contractor's
home system. The attackers captured the contractor's logon at Rome Labs with
sniffer programs when the contractor logged on to home systems in California
and Texas. The sniffers captured the addresses of the contractor's home system,
plus the logon and password for that home system. After the logon and password
were compromised, the attackers could masquerade as that authorized user on
the contractor's home system. Four of the contractor's systems were compromised
in California and a fifth was compromised in Texas.
Datastream also used an Internet Scanning Software (ISS)1 attack on multiple
systems belonging to this aerospace contractor. ISS is a hacker tool developed
to gain intelligence about a system. It attempts to collect information on the
type of operating system the computer is running and any other available information
that could be used to assist the attacker in determining what attack tool might
successfully break into that particular system. The software also tries to locate
the password file for the system being scanned, and then tries to make a copy
of that password file.
The significance of the theft of a password file is that, even though password
files are usually stored encrypted, they are easily cracked. Several hacker
"password cracker" programs are available on the Internet. If a password file
is stolen or copied and cracked, the attacker can then log on to that system
as what the system perceives to be a legitimate user.
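The defensive counterpart to the paragraph above is to keep hashes out of the world-readable password file and to store them only in slow, salted formats that a stolen copy cannot be dictionary-cracked cheaply. The audit script below is an added example written for this chapter, not code from the book or from any of the investigators quoted; the passwd and shadow contents are constructed samples, the hash strings are placeholders, and the table of which crypt(3) prefixes count as strong is an assumption made for the example.

```python
"""Audit a Unix password database for the weaknesses the Rome Labs text
describes: hashes sitting in the world-readable passwd file, legacy hash
formats that fall quickly to dictionary attacks, and accounts with no
password at all. All sample data below is constructed for this example."""
import re

# Traditional crypt(3): 13 characters of [./0-9A-Za-z], 56-bit DES, 8-char limit.
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")

# Modular-crypt prefix -> (algorithm name, acceptable today?). Assumption for
# this example: only the deliberately slow, salted schemes count as strong.
ALGORITHMS = {
    "$1$": ("md5-crypt", False),
    "$2a$": ("bcrypt", True), "$2b$": ("bcrypt", True), "$2y$": ("bcrypt", True),
    "$5$": ("sha256-crypt", True),
    "$6$": ("sha512-crypt", True),
    "$y$": ("yescrypt", True),
}

# Constructed sample: the old single-file layout with hashes in field 2.
PASSWD_UNSHADOWED = """\
root:Npge08pfz4wuk:0:0:root:/root:/bin/sh
sync:*:5:0:sync:/sbin:/bin/sync
alice:$1$saltsalt$qJH7.N4xYta3aEG/dfqo/0:1000:1000:Alice:/home/alice:/bin/csh
bob::1001:1001:Bob:/home/bob:/bin/sh
"""

# Constructed sample: shadowed layout, hashes moved to a root-only file.
PASSWD_SHADOWED = """\
root:x:0:0:root:/root:/bin/sh
sync:x:5:0:sync:/sbin:/bin/sync
alice:x:1000:1000:Alice:/home/alice:/bin/csh
carol:x:1002:1002:Carol:/home/carol:/bin/sh
"""
SHADOW = """\
root:$6$saltsaltsaltsalt$placeholderhash:19000:0:99999:7:::
sync:*:19000:0:99999:7:::
alice:$1$saltsalt$placeholderhash:19000:0:99999:7:::
"""


def classify(field):
    """Return (kind, strong) for a password field from passwd or shadow."""
    if field == "":
        return ("empty", False)
    if field.startswith(("*", "!")):
        return ("locked", True)          # no hash can match: login disabled
    if field == "x":
        return ("shadowed", True)        # real hash lives in the shadow file
    for prefix, (name, ok) in ALGORITHMS.items():
        if field.startswith(prefix):
            return (name, ok)
    if DES_CRYPT.match(field):
        return ("des-crypt", False)
    return ("unknown", False)            # unrecognised: treat as weak


def parse(text, min_fields):
    """Map user -> list of fields, skipping blank lines and comments."""
    entries = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) >= min_fields:
            entries[parts[0]] = parts
    return entries


def audit(passwd_text, shadow_text=""):
    """Return a sorted list of (user, finding) tuples."""
    findings = []
    shadow = parse(shadow_text, 2)
    for user, fields in parse(passwd_text, 7).items():
        kind, strong = classify(fields[1])
        where = "passwd"
        if kind == "shadowed":
            if user not in shadow:
                findings.append((user, "marked shadowed but no shadow entry"))
                continue
            kind, strong = classify(shadow[user][1])
            where = "shadow"
        elif kind not in ("empty", "locked"):
            # A hash in passwd is readable by every local user: exactly the
            # artefact the ISS-style scan in the text tried to copy.
            findings.append((user, f"{kind} hash readable by every user in passwd"))
        if kind == "empty":
            findings.append((user, "empty password field: no password required"))
        elif not strong and kind != "locked":
            findings.append((user, f"weak {kind} hash in {where}"))
    return sorted(findings)


if __name__ == "__main__":
    for sample in (audit(PASSWD_UNSHADOWED), audit(PASSWD_SHADOWED, SHADOW)):
        for user, finding in sample:
            print(f"{user}: {finding}")
```

Running it on the two constructed samples shows the two distinct failures: the unshadowed file exposes every hash to any local account (and has one account with no password at all), while the shadowed file still earns a finding for the MD5-crypt hash and for an account whose shadow entry is missing, since moving a fast hash behind root-only permissions limits who can copy it but not how quickly a copy cracks.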
Monitoring activity disclosed that, on April 12, Datastream initiated an ISS
attack from Rome Labs against Brookhaven National Labs, Department of Energy,
New York. Datastream also had a two-hour connection with the aerospace contractor's
system that was previously compromised.
Kuji Hacks into Goddard Space Flight Center
On April 14, 1994, remote monitoring activity of the Seattle ISP conducted
by the Air Force indicated that Kuji had connected to the Goddard Space Flight
Center through an ISP from Latvia. The monitoring disclosed that data was being
transferred from Goddard Space Flight Center to the ISP. To prevent the loss
of sensitive data, the monitoring team broke the connection. It is still not
known whether the data being transferred from the NASA system was destined for
Latvia. (Latvia as a destination for sensitive data was, of course, something
that concerned investigators. After all, the small Baltic nation had only recently
become independent of Russian domination. It had been a part of the former U.S.S.R.)
Further remote monitoring activity of cyberspace.com disclosed that Datastream
was accessing the National Aero-Space Plane Joint Program Office, a joint project
headed by NASA and the Air Force at Wright-Patterson Air Force Base, Ohio. Monitoring
disclosed a transfer of data from Wright-Patterson traversing through cyberspace.com
to Latvia.
Apparently, Kuji attacked and compromised a system in Latvia that was just
being used as a conduit to prevent identification. Kuji also initiated an ISS
attack against Wright-Patterson from cyberspace.com the same day. He also tried
to steal a password file from a computer system at Wright-Patterson Air Force
Base.
Kuji Attempts to Hack NATO HQ
On April 15, real-time monitoring disclosed Kuji executing the ISS attack against
NATO Headquarters in Brussels, Belgium, and Wright-Patterson from Rome Labs.
Kuji did not appear to gain access to any NATO systems from this particular
attack. However, when interviewed on April 19 by AFOSI, a systems administrator
from NATO's SHAPE Technical Center in the Hague, Netherlands, disclosed that
Datastream had successfully attacked one of SHAPE's computer systems from the
ISP mindvox.phantom.com in New York.
After authorities confirmed the hacker's identity and developed probable cause,
New Scotland Yard requested and obtained a search warrant for the Datastream
Cowboy's residence. The plan was to wait until the individual was online at
Rome Labs, and then execute the search warrant. The investigators wanted to
catch Datastream online so that they could identify all the victims in the path
between his residence and Rome Labs. After Datastream got online at Rome Labs,
he accessed a system in Korea, downloaded all data stored on the Korean Atomic
Research Institute system, and deposited it on Rome Labs's system.
Initially, it was unclear whether the Korean system belonged to North or South
Korea. Investigators were concerned that, if it did belong to North Korea, the
North Koreans would interpret the data transfer as an intrusion by the U.S.
Air Force, which could be perceived as an aggressive act of war.
During this time frame, the United States was in sensitive negotiations with
the North Koreans regarding their nuclear weapons program. Within hours, it
was determined that Datastream had hacked into the South Korean Atomic Research
Institute.
At this point, New Scotland Yard decided to expand its investigation, asked
the Air Force to continue to monitor and collect evidence in support of its
investigation, and postponed execution of the search warrant.
Scotland Yard Knocks on Datastream Cowboy's Door
On May 12, investigators from New Scotland Yard executed their search warrant
on Datastream's residence. When they came through the door, 16-year-old Richard
Pryce (a.k.a. Datastream Cowboy) curled up in the fetal position and wept.
The search disclosed that Datastream had launched his attacks with nothing more
than a 25 MHz, 486 SX desktop computer with a 170 megabyte hard drive. This is a
modest system, with limited storage capacity. Datastream had numerous documents
that contained references to Internet addresses, including six NASA systems
and U.S. Army and U.S. Navy systems with instructions on how to loop through
multiple systems to avoid detection.
At the time of the search, New Scotland Yard detectives arrested and interviewed
Datastream. Detectives stated that Datastream had just logged out of a computer
system when they entered his room. Datastream admitted to breaking into Rome
Labs numerous times as well as multiple other Air Force systems (Hanscom Air
Force Base, Massachusetts, and Wright-Patterson). (He was charged with crimes
spelled out in Britain's Computer Misuse Act of 1990.)
Datastream admitted to stealing a sensitive document containing research regarding
an Air Force artificial intelligence program that dealt with Air Order of Battle.
He added that he searched for the word missile, not to find missile data but
to find information specifically about artificial intelligence. He further explained
that one of the files he stole was a 3-4 megabyte file (approximately three
to four million characters in size). He stored it at mindvox.phantom.com's system
in New York because it was too large to fit on his home system.
Datastream explained he paid for the ISP's service with a fraudulent credit
card number that was generated by a hacker program he had found on the Internet.
Datastream was released on bail following the interview.
This investigation never revealed the identity of Kuji. From conduct observed
through the investigators' monitoring, Kuji was a far more sophisticated hacker
than the teenage Datastream. Air Force investigators observed that Kuji would
only stay on a telephone line for a short time, not long enough to be traced
successfully. No informant information was available except that Computer Crime
Investigators from the Victoria Police Department in Australia had seen the
name Kuji on some of the hacker bulletin-board systems in Australia.
Unfortunately, Datastream provided a great deal of the information he stole
to Kuji electronically. Furthermore, Kuji appears to have tutored Datastream
on how to break into networks and on what information to obtain. During the
monitoring, the investigative team could observe Datastream attack a system
and fail to break in. Datastream would then get into an online chat session
with Kuji, which the investigative team could not see due to the limited context
monitoring at the Internet service providers. These chat sessions would last
20-40 minutes. Following the on-line conversation, the investigative team would
then watch Datastream attack the same system he had previously failed to penetrate,
but this time he would be successful.
Apparently Kuji assisted and mentored Datastream and, in return, received stolen
information from Datastream. Datastream, when interviewed by New Scotland Yard's
Computer Crime Investigators, told them he had never physically met Kuji and
only communicated with him through the Internet or on the telephone.
Kuji's Identity Is Finally Revealed
In 1996, New Scotland Yard was starting to feel some pressure from the glare
of publicity surrounding the upcoming hearings in the U.S. Senate, chaired by
Sam Nunn (D-Georgia). Two years had passed since the arrest of the Datastream
Cowboy, and yet Kuji was still at large.
New Scotland Yard investigators went back to take a closer look at the evidence
they had seized and found a phone number that they hadn't traced back to its
origin. When they did trace it, they discovered Kuji's true identity. Ten days
after Jim Christy's initial testimony concerning the Rome Lab intrusions, 21-year-old
Matthew Bevan (a.k.a. Kuji) was finally apprehended.
In court, Pryce pleaded guilty to 12 hacking offenses and paid a nominal fine
of 1,200 British pounds.
But Bevan, whose father was a police officer, "lawyered-up."
After 20 hearings in which the defense challenged the Crown's evidence, the
prosecution made a "business decision" and dropped the charges.
Bevan is now a computer security consultant. His Web site, http://www.bogus.net/,
features an archive of news media coverage of the Rome Labs case, a timeline
of his exasperating and successful legal maneuvers, photographs of his arresting
officers, and scanned headlines from the London tabloids.
In my interview with Bevan, I asked him about the motivation in the attack
on Rome.
"My quest," he tells me, "was for any information I could find relating to
a conspiracy or cover-up of the UFO phenomenon. I was young and interested in
the UFO stuff that I had read and of course as I had the access to such machines
that were broken (i.e., with poor security) it was a natural progression to
seek out information.
"Also," Bevan continues, "I was bullied almost every day of my school life;
the hacking world was pure escapism. I could go to school, endure the day, come
home, and log on to another world. Somewhere I could get respect, somewhere
that I had friends.
"At school I may have been bullied but in the back of my mind was 'Well, I
hacked NASA last night, and what did you do?'"
I also asked Bevan if he wanted to set the record straight in regard to how
authorities handled the case or how the media reported it.
"One of the biggest concerns that I have about the reporting of the case relates
to the InfoWar aspect," he says. "It is suggested that we were taken to the
brink of WWIII because of an attack on the Korean nuclear research facility.
A Secret Service agent here alleged that bombers were already on their way to
Korea to do a preemptive strike as it was thought that when they discovered
the attack, said to have come from a U.S. military computer, they would retaliate.
"In the evidence presented in the case," Bevan says, "there was a snippet of
a log that shows Datastream Cowboy logging into said facility with the user
ID of 'sync,' and as the user has no Unix shell associated with it, the login
is terminated. Nowhere else in the logs is any record of the intrusion being
successful, and in my opinion the logs do not reflect that. Being called 'the
single biggest threat to world peace since Adolf Hitler' is a tad annoying,
but then even the layman can see that is just hype and propaganda."
Who Can Find the Bottom Line?
A damage assessment of the intrusions into the Rome Labs's systems was conducted
on October 31, 1994. The assessment indicated a total loss to the United States
Air Force of $211,722. This cost did not include the costs of the investigative
effort or the recovery and monitoring team.
No other federal agencies that were victims of the hackers (for example, NASA)
conducted damage assessments.
The General Accounting Office conducted an additional damage assessment at
the request of Senator Nunn. (See GAO Report, Information Security: Computer
Attacks at Department of Defense Pose Increasing Risks [AIMD-96-84], May 22,
1996.)
Some aspects of this investigation remain unsolved:
The extent of the attack. The investigators believe they uncovered only a portion
of the attack. They still don't know whether the hackers attacked Rome Labs
at previous times before the sniffer was discovered or whether the hackers attacked
other systems where they were not detected.
The extent of the damage. Some costs can be attributed to the incident, such
as the cost of repair and the cost of the investigative effort. The investigation,
however, was unable to reveal what they downloaded from the networks or whether
they tampered with any data. Given the sensitive information contained on the
various computer networks (at Rome Labs, Goddard Space Flight Center, the Jet
Propulsion Laboratory, Wright-Patterson AFB, or the National Aero-Space Plane
Program), it is very difficult to quantify the loss from a national security
perspective.
HotterthanMojaveinmyheart:2 The Case of Julio Cesar Ardita
On March 29, 1996, the U.S. Justice Department announced it had charged Julio
Cesar Ardita (a.k.a. "El Griton"), a 21-year-old Argentine, with breaking into
Harvard University's computer network and using it as a staging platform for
many other hacks into sites throughout cyberspace. Like Kuji and the Datastream
Cowboy, Ardita targeted sites belonging to NASA, DoD, several American universities,
and those in other countries (for example, Korea, Mexico, Taiwan, Chile, and
Brazil). Like Kuji and the Datastream Cowboy, Ardita gained unauthorized access
to important and sensitive information in his explorations. In Ardita's case,
the research information that was compromised involved satellites, radiation,
and energy-related engineering.
Peter Garza of Evidentdata (Rancho Cucamonga, California) was a special agent
for the Naval Criminal Investigative Services. He led the digital manhunt that
ended in Buenos Aires. Garza described Ardita as a dedicated hacker. "Ardita
was no ordinary script kiddie,"
Garza tells me. "He didn't run automated hacking scripts downloaded from someone
else's site. He did his hacking the old-fashioned way. He used a terminal emulator
program, and he conducted manual hacks. He was prodigious. He had persistence
and stamina. Indeed, I discovered records of ten thousand sessions on Ardita's
home computer after it was seized. During the technical interviews we did of
Ardita in Argentina (after his arrest), he would describe all-night sessions
hacking into systems all over the Internet.
"Early on in the investigation," Garza adds, "I had guessed this would be a
solvable case because of this persistence. I had guessed that because this was
such a prolific hacker, he had to use the same file names, techniques, and hiding
places just so that he would be able to remember where he left collected userids
and passwords behind on the many hacked systems. Also, I hoped the hacker was
keeping records to recall the hacked sites, records that would help further
the investigation if we were successful in tracking the hacker down. It was
gratifying that I was right on both counts. Records on his seized computer,
along with his detailed paper notes, helped us reconstruct much of what he had
done."
Like the investigation that led to the identification and arrest of the Rome
Labs hackers, the pursuit that led to the identification and arrest of Ardita
accelerated the learning curve of those responsible for tracking down cybercriminals
and bringing them to justice.
The following account, drawn from my interview with Garza and the court affidavit
written by Garza himself in support of the criminal complaint against Ardita,
sheds light on the details of the investigations and the groundbreaking work
that the case required.
How the Search for "El Griton" Began
Sysadmins at a U.S. Navy research center in San Diego detected that certain
system files had been altered. Taking a closer look, they uncovered certain
files, including a sniffer the hacker had left behind, the file that contained
the passwords he was logging, and a couple of programs he had used to gain root
access and cover up his tracks.
This evidence enabled Garza to construct a profile of the hacker.
Coincidentally, and fortuitously, Garza and other naval security experts happened
to be at the San Diego facility for a conference on the day that the intrusion
was detected.
They worked late into the night. They succeeded in tracking the as-yet-unidentified
hacker to a host system administered by the Faculty of Arts and Sciences (FAS)
at Harvard University, Cambridge, Massachusetts. The hacker was making unauthorized
use of accounts on the FAS host and trying to access other systems connected
to Harvard's network via the Internet.
(As early as July 1995, host computers across the United States as well as
in Mexico and the United Kingdom reported both successful and unsuccessful hacking
attempts seeming to originate from the FAS Harvard host. But it was this U.S.
Navy investigation, which commenced in late August, that would lead to Ardita's
arrest.)
Although it was impossible at first to determine the hacker's true identity
because he was using the legitimate account holders' identities as his aliases
or covers, investigators could distinguish the hacker from other users of the
FAS Harvard host and the Internet through certain distinctive patterns of illicit
activity. But to track the hacker all the way back to his point of origination,
Garza was going to need a court order for a wiretap.
"I called the U.S. Attorney's office in Boston on a Thursday and asked if we
could have the court order in place by Monday," Garza recounts. "They laughed.
Six months was considered the 'speed of light' for wiretap approval. But we
started to put the affidavit together anyway, and got it okayed in only six
weeks, which at that time was unheard of."
Indeed, the work of Garza and the others to obtain a wiretap in the 1995 Ardita
case laid a lot of the groundwork that made it possible for investigators in
the 1999 "Solar Sunrise" case (which I describe later in this chapter) to obtain
wiretap approval in one day.
Ardita's Biggest Mistake
By the end of September, as Garza explains, the investigators detected a change
in the hacker's behavior. "He had been dialing into the Harvard network via
telephone lines. But by September, he had stopped dialing in, yet he was still
active on the network. Our investigation revealed that in the beginning, he
had been breaking into a PBX of an off-shore company, located in Argentina,
and from there dialing into Harvard, and then from Harvard hacking elsewhere
around the Internet. The change came when he broke into Telecom Argentina to
get free Internet access. He would telnet from there to Harvard and then from
Harvard keep hacking other sites.
"We were able to look at where he was coming from on the Internet," he explains,
"and we saw a cluster of connections from different universities and other organizations
in Argentina. We hadn't tracked it back to his residence yet, but at least we
knew he was either coming in through Argentina or he actually was someone living
in Argentina."
Breaking into Telecom Argentina turned out to be Ardita's biggest mistake.
"We had been trying to get the phone company down there to do a phone trace
because we had followed the trail to a bunch of dial-ups," Garza tells me. "But each
one we tracked back to Argentina ended up in a modem pool, so we needed somebody
down there to trace it the next step back. We couldn't get them to act fast
enough until he broke into the phone system; then they acted because they were
afraid of what he could do. So, in just a couple of days, they got a court order
and traced the calls back to Ardita's residence."
The investigation had begun in August; Ardita was identified as the suspect
in December.
On December 28, 1995, acting on information supplied by Telecom Argentina,
Argentine law enforcement seized Ardita's computer files and equipment at his
home in Buenos Aires.
No Ordinary Wiretap
"This is a case of cyber-sleuthing, a glimpse of what computer crime fighting
will look like in the coming years," said U.S. Attorney Donald K. Stern in the
official U.S. DoJ statement announcing the criminal charges filed against Ardita.
"We have made enormous strides in developing the investigative tools to track
down individuals who misuse these vital computer networks."
He was not indulging in hyperbole. The wiretap used in the Ardita case was no ordinary
wiretap. Intruder Watch was a specialized module of the Network Intrusion Detector (NID),
developed at Lawrence Livermore National Laboratory in California. And, as Garza explains, it
was the first of its kind.
"There had been four other wiretaps on computer crime cases," Garza says,
"but they weren't tapping the network, they were tapping a modem line. In that
instance, what was captured had to be manually reviewed and filtered, and then only
what was relevant went to the case agents."
But with a thousand users online simultaneously, Garza insisted, they just
couldn't do it that way. Practicality demanded that they quickly filter what
was happening on the network. Legal considerations demanded that they minimize
the intrusion on the privacy of authorized users.
Intruder Watch provided the answer to the dilemma. It intercepted only those
communications that fit the patterns identified as the hacker's. "Even when
communications contained the identifying patterns of the intruder," Stern observed,
"we limited our initial examination to 80 characters around the tell-tale sign
to further protect the privacy of innocent communications."
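The minimization approach the chapter describes can be shown in a few dozen lines. The following is an added example, not code from the book or from the Livermore tool: it takes a constructed capture of several concurrent sessions, keeps only the lines that match the intruder's known signatures (the two script names the chapter reports Ardita used), and exposes at most 80 characters around each hit while counting how much of each line, and how many whole lines, were withheld from the examiner. The session lines and the window-placement rule are assumptions made for the illustration.

```python
"""Pattern-triggered interception with a fixed-width privacy window.

Added example illustrating the Intruder Watch approach described in the
text: out of many simultaneous users, intercept only traffic matching the
intruder's distinctive patterns, and show the examiner only a bounded
excerpt around each tell-tale sign.  All capture lines are constructed.
"""
import re
from dataclasses import dataclass

WINDOW = 80  # characters exposed around a hit, the figure given in the text

# The two script names the chapter reports the intruder used.  In a real
# deployment the signature list would be whatever the investigators had
# established as distinctive of the intruder.
SIGNATURES = [
    r"Hotterthanthemojaveinmyheart",
    r"InfamousAngel",
]

# Constructed capture: (session id, one line of that session's traffic).
# Sessions s101, s102 and s104 are innocent users and must never surface.
CAPTURE = [
    ("s101", "joe@fas: cat ~/thesis/chapter3.tex | wc -l"),
    ("s102", "ann@fas: mail -s 'dinner?' bob@mit.edu"),
    ("s103", "kim@fas: ftp 192.0.2.10 ... put Hotterthanthemojaveinmyheart ... "
             "chmod +x Hotterthanthemojaveinmyheart; ./Hotterthanthemojaveinmyheart"),
    ("s104", "lee@fas: telnet host.example.net 23"),
    ("s105", "kim@fas: ./InfamousAngel > /dev/null 2>&1 &"),
]


@dataclass(frozen=True)
class Hit:
    session: str
    pattern: str
    excerpt: str   # at most WINDOW characters, always containing the match
    dropped: int   # characters of the original line withheld


def compile_signatures(patterns):
    return [re.compile(p) for p in patterns]


def excerpt_around(text, start, end, window=WINDOW):
    """Return at most `window` chars of `text` centred on text[start:end].

    A match longer than the window is returned on its own, so nothing
    outside the tell-tale sign is ever exposed.  Near the ends of the
    line the unused budget on one side is shifted to the other.
    """
    match_len = end - start
    if match_len >= window:
        return text[start:end]
    before = (window - match_len) // 2
    lo = max(0, start - before)
    hi = min(len(text), lo + window)
    lo = max(0, hi - window)
    return text[lo:hi]


def minimize(records, signatures, window=WINDOW):
    """Filter captured lines down to signature hits.

    Returns (hits, withheld): the list of Hit excerpts the examiner may
    see, and the number of lines suppressed entirely because they matched
    no signature.  Lines with several matches yield several excerpts.
    """
    hits, withheld = [], 0
    for session, line in records:
        matched = False
        for sig in signatures:
            for m in sig.finditer(line):
                matched = True
                ex = excerpt_around(line, m.start(), m.end(), window)
                hits.append(Hit(session, sig.pattern, ex, len(line) - len(ex)))
        if not matched:
            withheld += 1
    return hits, withheld


if __name__ == "__main__":
    hits, withheld = minimize(CAPTURE, compile_signatures(SIGNATURES))
    print(f"{withheld} innocent lines withheld, {len(hits)} excerpts kept")
    for h in hits:
        print(f"{h.session} [{h.pattern}] ({h.dropped} chars dropped): {h.excerpt!r}")
```

Note that a line containing a signature three times produces three separate 80-character excerpts rather than the whole line; that is the point of the window, and it is what let the investigators argue that authorized users' traffic was never read.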
Although Ardita's hack of Telecom Argentina had identified him without evidence
supplied through Intruder Watch, the breakthrough wiretap provided plenty of
evidence on his activities. For example, as Garza recollects, Ardita got online
with some of his hacker buddies on what turned out to be a bulletin board near
Carnegie Mellon and gave them the phone number to his bulletin board down in
Argentina.
Debriefing "El Griton"
Tracking down Ardita, and putting an end to his hacking adventures, took four
months. But, as Garza relates, almost an entire year passed before U.S. investigators
could actually interview the now-infamous young man.
"It took us a while to go through the mutual legal assistance treaty process,"
Garza explains. "Hacking wasn't illegal in Argentina. Interruption of telecommunications
was, however, illegal under their penal code. So we went with that, and they
agreed to hold all of his computers and everything until we got down there.
But it took a while to go through our State Department and their equivalent.
We finally got down there in October 1996."
Garza and other U.S. officials conducted six sessions with Ardita going into
detail about his activities. These in-depth discussions allowed Garza to size
up "El Griton."
"He claimed, as many hackers do, that he was doing it simply because he could,"
Garza tells me. "He said he was inquisitive. He claimed he was researching security.
He kept insisting that he was just hacking for the good of mankind. But we walked
him through what he had done. He had been phone-phreaking from the PBX of that
multinational corporation. He was making calls to his girlfriend. He was making
calls into Harvard. To the tune of approximately $15,000.
"We asked him, 'Isn't that just plain theft?' It had shattered his self-image
of the 'White Hat Hacker.' He broke down in tears. I didn't get the sense from
talking to him that he was very sophisticated people-wise. He wasn't a genius
either; he was just talented and very persistent."
Of course, there is a lingering question in the minds of some regarding the
Ardita case because his father just happened to be a retired Argentine military
colonel "assigned" to the Argentine legislature. Could "El Griton" have been
the pawn of some larger online intelligence-gathering operation? No such evidence
has been produced. But it's one of those "coincidences" that just kind of gnaws
at you.
In December 1997 (yes, another year later), the Ardita case was finally brought
to conclusion. Because hacking wasn't a crime in Argentina, it wasn't covered
under the existing extradition treaty with Argentina. But Ardita agreed to waive
extradition. His father, after all, was in the Argentine military, and the case
was probably something of an embarrassment.
He voluntarily traveled to the United States and pleaded guilty. The agreement
worked out between the U.S. Attorney's office in Boston and Mario Crespo, Ardita's
lawyer, recommended that Ardita receive a three-year probation and a fine of
$5,000.
Considering the resources that went into the case, Garza acknowledges, "Ardita
got off with a pretty light sentence. There was criticism. But the U.S. prosecutors
felt that in this case, since they could not extradite him, the stalemate would
have just dragged on."
The Solar Sunrise Case: Mak, Stimpy, and Analyzer Give the
DoD a Run for Its Money
In January 1998, tensions between the United States, the United Nations, and
Iraq were on the rise. Saddam Hussein had expelled the UN weapons inspectors,
dominating the headlines, precipitating an international crisis, and pushing
the United States to the brink of renewed military action in the Persian Gulf.
On February 3, the Automated Security Incident Monitors (ASIM), the USAF's
intrusion detection system, detected a root-level compromise on an Air National
Guard computer system located at Andrews Air Force Base in Maryland.
On February 4, the Air Force's Computer Emergency Response Team (AFCERT) at
Kelly Air Force Base in Texas detected additional compromises of systems at
other Air Force Bases including Kirtland in New Mexico, Lackland in Texas, and
Columbus in Mississippi.
The intruders would gain entry to a site using tools staged on some .edu host
(often a DNS server), and then obtain root access by exploiting the statd vulnerability.
Once they had root, the intruders would install a sniffer program
to collect user passwords and create a backdoor so they could get back into the system.
Intriguingly, the intruders would then eliminate the statd vulnerability (see
CERT Advisory CA-97.26) by downloading a patch, and exit the system without exploring
any further.
Although the targeted systems were not classified, they were all involved in
the military build-up being undertaken in regard to the Iraqi weapons inspection
crisis. If the targeted systems were damaged, it could impede the flow of transportation,
personnel, and medical supplies. If the Iraqis were gathering, aggregating,
and analyzing the data from the targeted systems, they could use it to surmise
the U.S. military's plans.
Could these intrusions be the first indications of impending information warfare
with the Iraqis? Clearly, the intrusions had to be taken seriously.
Martha Stansell-Gamm, head of the U.S. Department of Justice's Computer Crime
and Intellectual Property (CCIP) section, provides some insight into the ensuing
probe.
"One of the singular aspects of Solar Sunrise was that it was such a multi-agency
investigation," she says. "The Ardita case, for example, involved both the Navy
and the FBI, but the Navy quite clearly took the lead. In the Rome Labs case,
it was the Air Force that drove the investigation. But Solar Sunrise involved
Army, Navy, Air Force, FBI, NASA, CIA, NSA, and others.
"Everybody was working on different pieces of it," Stansell-Gamm adds. "Everybody
agreed to meet around our kitchen table at CCIP to figure out what we had, then
come up with a plan and coordinate the effort. We didn't do it because somebody
said so; we did it because it just made sense to everybody to do it that way.
Everybody learned something whenever we got together. It was one way for us
at CCIP to make sure that the needs of the investigators were being met. It
was simply the most efficient way to go as far and as fast as possible and it
just sort of happened."
The unprecedented interagency cooperation bore fruit.
They obtained 19 court orders in fewer than 10 days. And amazingly, a Title
III wiretap was written, approved by DoJ, and sworn to in one day.
The intruders in the Solar Sunrise case didn't turn out to be Iraqi information
warriors on some kind of cyber-jihad after all. Like Datastream Cowboy, Kuji,
and El Griton, they turned out to be youthful joy riders.
The big mistake that led to the identification and capture of the intruders
was a doozy. They had ftp'd sniffer output (i.e., user names and passwords)
from the hacked system at Andrews AFB directly to Sonic.net, an ISP in Northern
California, and then, from their own home PCs, moved the purloined data into
their own user accounts at Sonic.
"They" turned out to be two 16-year-olds (a.k.a. Stimpy and Mak). Indeed, they
had already come to the attention of the ISP's sysadmin. Harvard and MIT had
complained about attempted intrusions by the two hackers.
Authorities put a wiretap in place to capture Stimpy's keystrokes after the
two logged on to their accounts at Sonic. A pen register verified that calls
were being made to Sonic from Stimpy's home phone line at the same time that
the accounts were being accessed. Furthermore, physical surveillance at Mak's
residence identified the occupants of the house at the time of the connection.
The evidence had to show guilt beyond a reasonable doubt. Without the confirmation
provided by correlating the evidence from the wiretaps, the pen registers, and
the physical surveillance, the accused might have argued that someone else had
hacked into their accounts and used them to undertake the attacks.
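The attribution logic in the paragraph above, corroborating each account login seen on the wiretap with an overlapping pen-register call from the suspect's line and a surveillance sighting placing the suspect at home, can be written as a small correlation routine. This is an added example, not anything from the investigation or the book; all records, names, numbers and times are constructed, and the two-minute tolerance for clock differences between sources is an assumption.

```python
"""Corroborating wiretap-observed logins with independent evidence sources.

Added example.  A login is treated as attributable to the suspect only when
three independent sources agree within a small time tolerance:
  - wiretap:       the account was in use during an interval
  - pen register:  the suspect's phone line was dialling the ISP at that time
  - surveillance:  the suspect was observed at the premises at that time
Any single source can be explained away ("someone else used my account");
the intersection cannot.  All data below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

CLOCK_SLACK = timedelta(minutes=2)   # assumed tolerance between sources' clocks


@dataclass(frozen=True)
class Login:        # wiretap: when an account was in use
    account: str
    start: datetime
    end: datetime


@dataclass(frozen=True)
class Call:         # pen register: a line dialled a number over an interval
    line: str
    dialed: str
    start: datetime
    end: datetime


@dataclass(frozen=True)
class Sighting:     # physical surveillance: who was present over an interval
    present: frozenset
    start: datetime
    end: datetime


def overlaps(a_start, a_end, b_start, b_end, slack=CLOCK_SLACK):
    """True if two closed intervals overlap, allowing for clock skew."""
    return a_start <= b_end + slack and b_start <= a_end + slack


def corroborate(logins, calls, sightings, suspect_line, isp_number, suspect,
                slack=CLOCK_SLACK):
    """For each login, return the set of sources that independently confirm it."""
    results = []
    for lg in logins:
        sources = {"wiretap"}   # the login itself is the wiretap observation
        if any(c.line == suspect_line and c.dialed == isp_number
               and overlaps(lg.start, lg.end, c.start, c.end, slack) for c in calls):
            sources.add("pen_register")
        if any(suspect in s.present
               and overlaps(lg.start, lg.end, s.start, s.end, slack) for s in sightings):
            sources.add("surveillance")
        results.append((lg, frozenset(sources)))
    return results


REQUIRED = frozenset({"wiretap", "pen_register", "surveillance"})


def attributable(results, required=REQUIRED):
    """Logins confirmed by every required source."""
    return [lg for lg, sources in results if required <= sources]


# ---- constructed records (hypothetical names, numbers and times) ----
def T(h, m):
    return datetime(2000, 1, 1, h, m)

SUSPECT, SUSPECT_LINE, ISP_NUMBER = "suspect", "555-0101", "555-0199"

LOGINS = [
    Login("acct1", T(19, 2), T(19, 40)),    # all three sources agree
    Login("acct1", T(21, 15), T(21, 30)),   # line was dialling another number
    Login("acct1", T(23, 0), T(23, 20)),    # call fits, but suspect not at home
]
CALLS = [
    Call(SUSPECT_LINE, ISP_NUMBER, T(19, 0), T(19, 41)),
    Call(SUSPECT_LINE, "555-0142", T(21, 10), T(21, 35)),
    Call(SUSPECT_LINE, ISP_NUMBER, T(22, 58), T(23, 22)),
]
SIGHTINGS = [
    Sighting(frozenset({"suspect", "parent"}), T(18, 30), T(22, 0)),
    Sighting(frozenset({"parent"}), T(22, 0), T(23, 59)),
]

if __name__ == "__main__":
    res = corroborate(LOGINS, CALLS, SIGHTINGS, SUSPECT_LINE, ISP_NUMBER, SUSPECT)
    for lg, sources in res:
        print(f"{lg.start:%H:%M}-{lg.end:%H:%M} {lg.account}: {sorted(sources)}")
    print("attributable:", [f"{lg.start:%H:%M}" for lg in attributable(res)])
```

Only the first login survives: the second has no matching call, and the third has a call but no sighting, which is exactly the "someone else was on my account" defence the text says the investigators had to foreclose.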
The investigation had been going well, but a serious problem developed. John
Hamre, the deputy secretary of defense, blundered in a briefing with reporters.
He let it slip out that the suspects were kids living in Northern California.
That meant investigators had to race to execute their search warrants before
Mak and Stimpy were tipped off by hearing about themselves on the evening news.
The time difference between the coasts proved helpful as search warrants were
executed early that evening.
Special Agent Chris Beeson of the San Francisco FBI Computer Intrusion Squad,
armed and wearing a bulletproof vest (standard operating procedure), was the
first law enforcement officer through the door of Stimpy's bedroom. Stimpy was
on-line at the time. The kid simply looked up at Beeson and kept typing on the
keyboard until he was pulled away from the computer. "Their rooms were a mess,"
Beeson recounts.
"They were actually cleaner after we left than when we got there. The scene
was typical of teenagers. Pepsi cans. Half-eaten cheeseburgers. It is not like
what you see on TV. We don't turn everything upside down. When we do a search,
we take pictures when we get there and pictures when we leave. After we go through
everything, we put it all in nice neat piles."
In Mak's room, the investigators found a fictional essay he had written.
About two days ago, one of my friends was raided by the FBI and they
were working up to an arrest. Apparently, he hacked NASA. The Feds. Why they
bother messing with us, I don't know. But if I could get a chance I would
go to the informer's house and politely knock on his door. When he answered
I would kindly say "hello," then I would put a .45 to his head and tell him
to get on the ground.
I would have the political prisoners and other friends rig a ten block
radius with explosives and then call the FBI and order the release of our friend
and a helicopter to fly us to the nearest jet strip. Their problem would be
the ten house radius around, if any agent entered, they would blow and above
the house I would have mercenaries that would report by radio every five minutes.
If the government didn't comply one person each hour would be shot.
I guess I am going to have to be satisfied with flooding all known government
agencies and rendering their capabilities useful.
Mak's teacher had written some comments on the sheet of paper.
Work on fade in and out of daydream. Write as if you are actually doing
this. By the way, this is disturbing.
Both youths were arrested and interviewed. Their true identities, of course,
were not disclosed because of their age.
Investigators shared a gut feeling all along that the intruders were indeed
adventurous kids, but they had to assume the worst. The stakes were simply too
high to take anything for granted. It was a time of international crisis and
impending military action. Until proven otherwise, it had to be viewed as a
threat to national security.
Meanwhile, a third Solar Sunrise hacker was still unidentified and at large.
This third suspect was coming in over the Internet from Israel and launching
his attacks against DoD targets from Maroon.com, a Web page hosting service
in College Station, Texas. The AFOSI had set up consensual monitoring at Maroon.
The wiretap on Stimpy revealed IRC chats with the third hacker, known to Stimpy
as Analyzer. Analyzer was Stimpy's mentor who coached him in hacking.
Analyzer had chutzpah. Two days after the arrest of Mak and Stimpy, he participated
in an on-line interview with AntiOnline, a fascinating hacker news Web site,
in which he claimed to have hacked 400 DoD sites and provided lists of dozens
of logins and passwords for .mil sites.
On March 18, CNN's Jerusalem office posted the following story, with a headline
that proclaimed, "Master hacker 'Analyzer' held in Israel":
Israeli police spokeswoman Linda Menuchin said the 18-year-old suspect and
two alleged accomplices were arrested Wednesday, in part based on information
supplied by American authorities. U.S. Justice Department officials in Washington
identified the ringleader as Ehud Tenenbaum, an Israeli citizen, and said he
has been charged with illegally accessing hundreds of computer systems.
The suspects were questioned for several hours at a police station in Bat Yam,
a suburb of Tel Aviv, then put under house arrest, Menuchin said. Police confiscated
their passports and forbade contact between them.
In an interview with AntiOnline, an online magazine that deals with Internet
security issues, one of the teens, nicknamed "Makaveli," gave this explanation
for what he and his cohorts had done: "It's power, dude. You know, power," he
said.
He said he began hacking as a challenge and concentrated on U.S. government
sites because "I hate organizations."
Though he mused in his interview that "chaos" was a "nice idea," the Analyzer
claimed that his intrusions were actually innocent and that he even helped targets
by "patching" weaknesses in their systems to prevent future intrusions.
He admitted teaching other hackers how to target U.S. military systems.
"Since I was going to retire, I was going to teach someone of my knowledge
and guide him," the Analyzer said.3
The swift and committed assistance of Israeli law enforcement was essential
to the success of the effort to bring Analyzer to justice.
Ehud Tenenbaum, 19, and several other Israeli hackers (members of an Israeli
hacker group that called itself "The Enforcers") were charged with hacking the
computer systems of the Pentagon and NASA. They pleaded innocent.
Tenenbaum's lawyer said his client broke no law when he penetrated the Internet
sites of American and Israeli institutions, including the Knesset, because there
was no notice on the sites declaring them off-limits.
Conclusion
The true cost of these three capers will never be adequately tabulated. Some
questions will remain unanswered. Certainly, they amounted to an extraordinary
series of shakedown cruises for investigators in law enforcement and the military.
Along the way, they broke new ground and cultivated it. For example, they honed
their investigative skills, developed new forensic tools, and established protocols
for handling multi-agency and multi-country investigations. But perhaps the
most striking common denominator in all three cases is that the juvenile hackers
involved used known vulnerabilities for which CERT advisories had been issued
and patches were available.
What's the point? Law enforcement and the military are clearly getting better
at investigating, making arrests, and prosecuting such crimes, but the organizations
targeted are not getting any better at preventing them. In Chapters 15, 17,
and 18, I will discuss some of the reasons for this strange state of affairs.
ISS is now a multimillion-dollar company that sells intrusion detection software. The company
denies its hacker roots and denies that it hires hackers. During his hacks, Ardita
created two script files that he named Hotterthanthemojaveinmyheart and InfamousAngel.
These filenames were taken from the songs of Iris DeMent. For more information
on her work, go to http://www.irisdement.com/.
"Master hacker 'Analyzer' held in Israel," CNN, March 18, 1998.
© Copyright Macmillan USA. All rights reserved.