Kuji Media Corporation Ltd.

By Ted Bridis, The Associated Press Apr 29 2003 2:08PM
British authorities arrested a man Tuesday believed to head a group of hackers known as “Fluffi Bunni,” which used a stuffed pink rabbit to mark attacks that humiliated some of the world’s premier computer security organizations.

Fluffi Bunni captured the attention of the FBI just days after the Sept. 11 terror attacks, when thousands of commercial Web sites were vandalized with a single break-in that included the message, “Fluffi Bunni Goes Jihad.”

The FBI characterized the act in a November 2001 report as an anti-American cyberprotest against the war on terrorism.

Lynn Htun, 24, was arrested by Scotland Yard detectives on outstanding forgery charges while attending a prominent trade show in London for computer security professionals, InfoSecurity Europe 2003, authorities said.

British authorities did not mention of Htun’s alleged hacking. A U.S. official, speaking on condition of anonymity, said Htun is wanted in America in connection with a series of high-profile hacking cases blamed on Fluffi Bunni. Investigators believe Htun was the group’s leader and referred to himself as Fluffi Bunni, the official said.

Authorities in London indicated they would release more information Wednesday about Htun’s arrest, although the continuing investigation into Fluffi Bunni hackers was sensitive and other arrests could be possible.

Fluffi Bunni embarrassed leading Internet security organizations by breaking into their own computers and replacing Web pages with a message that “Fluffi Bunni ownz you” and a digital photograph of a pink rabbit at a keyboard. The attacks, which began in June 2000, lasted about 18 months, then stopped mysteriously and created one of the Internet’s most significant hacker whodunits in years.

“I thought he’d never be caught,” said Jay Dyson, a consultant who formerly helped run one of the victim Web sites. “He was clever and had the patience of a saint. The targets he chose were ones that were really high profile, and ones you’d think would be above reproach when it comes to issues of security.”

Victims have included the Washington-based SANS Institute, which offers security training for technology professionals; Security Focus, now owned by Symantec Corp.; and Attrition.org, a site run by experts who formerly tracked computer break-ins. Other victims included McDonald’s Corp. and the online security department for Exodus Communications Inc., now part of London-based Cable & Wireless plc.

“The guy was playing a game of `gotcha.’ He wanted to prove that even firms that specialize in security can be hacked,” said Mark Rasch, chief security counsel for Solutionary Inc. and a former Justice Department cybercrime prosecutor. “It’s like someone who robs banks to prove that banks can be robbed.”

Brian Martin, who ran the Attrition site with Dyson and others, said Fluffi Bunni quickly generated a fearsome reputation across the underground because of the group’s choice of targets. Martin determined that a hacker broke into another user’s computer, allowing him to assume that person’s digital identity and briefly take over the Attrition site with a Fluffi Bunni message.

“He would break into companies that are there to secure you,” said Martin, who never reported the crime to the FBI. “It’s a challenge, and there’s some irony behind it.”

Targets frequently were attacked indirectly. Instead of trying to break into the heavily protected Security Focus Web site, someone hacked an outside computer that displayed advertisements on the site. The ads were replaced with taunting messages and images of the pink rabbit at the keyboard.

Copyright 2003 Associated Press. All rights reserved.
This material may not be published, broadcast, rewritten, or redistributed.

http://www.securityfocus.com/news/4320

By TED BRIDIS
Associated Press Writer

WASHINGTON – Federal authorities have cracked the case of an international hacker who broke into roughly 100 unclassified U.S. military networks over the past year, officials said Monday.

Officials declined to identify the hacker, a British citizen, but said he could be indicted as early as Tuesday in federal courts in northern Virginia and New Jersey. Those U.S. court jurisdictions include the Pentagon in Virginia and Picatiny Arsenal in New Jersey, one of the Army’s premier research facilities.

The officials declined Monday to say whether this person was already in custody, but one familiar with the investigation, who spoke only on condition of anonymity, said investigators consider the break-ins the work of a professional rather than a recreational hacker.

Authorities planned to announce details of the investigation Tuesday afternoon.

Officials said U.S. authorities were weighing whether to seek the hacker’s extradition from England, a move that would be exceedingly rare among international computer crime investigations.

Officials said this hacker case has been a priority among Army and Navy investigators for at least one year. One person familiar with the investigation said the hacker broke into roughly 100 U.S. military networks, none of them classified. Another person said the indictments were being drafted to reflect break-ins to a “large number” of military networks.

In England, officials from the Crown Prosecution Service, Scotland Yard and the Home Office declined comment Monday.

A civilian Internet security expert, Chris Wysopal, said that a less-skilled, recreational hacker might be able to break into a single military network, but it would be unlikely that same person could mount attacks against dozens of separate networks.

“Whenever it’s a multistage attack, it’s definitely a more sophisticated attacker,” said Chris Wysopal, a founding member of AtStake Inc., a security firm in Cambridge, Mass. “That’s a huge investigation.”

The cyber-security of U.S. military networks is considered fair, compared to other parts of government and many private companies and organizations. But until heightened security concerns after the Sept. 11 attacks, the Defense Department operated thousands of publicly accessible Web sites. Each represented possible entry-points from the Internet into military systems unless they were kept secured and monitored regularly.

It would be very unusual for U.S. officials to seek extradition. In previous major cyber-crimes, such as the release of the “Love Bug” virus in May 2000 by a Filipino computer student and attacks in February 2000 by a Canadian youth against major American e-commerce Web sites, U.S. authorities have waived interest in extraditing hacker suspects to stand trial here.

Once, the FBI tricked two Russian computer experts, Vasily Gorshkov and Alexey Ivanov, into traveling to the United States so they could be arrested rather than extradited. The Russians were indicted in April 2001 on charges they hacked into dozens of U.S. banks and e-commerce sites, and then demanding money for not publicizing the break-ins.

FBI agents, posing as potential customers from a mock company called Invita Computer Security, lured the Russians to Seattle and asked the pair for a hacking demonstration, then arrested them. Gorshkov was sentenced to three years in prison; Ivanov has pleaded guilty but hasn’t been sentenced.

But the Bush administration has toughened anti-hacking laws since Sept. 11 and increasingly lobbied foreign governments to cooperate in international computer-crime investigations. The United States and England were among 26 nations that last year signed the Council of Europe Convention on Cybercrime, an international treaty that provides for hacker extraditions even among countries without other formal extradition agreements.

There have been other, high-profile hacker intrusions into U.S. military systems.

In one long-running operation, the subject of a U.S. spy investigations dubbed “Storm Cloud” and “Moonlight Maze,” hackers traced back to Russia were found to have been quietly downloading millions of pages of sensitive data, including one colonel’s e-mail inbox. During three years, most recently in April 2001, government computer operators watched as reams of electronic documents flowed from Defense Department computers, among others.

In 1994, two young hackers known as “Kuji” and “Datastream Cowboy” were arrested in England on charges they broke into the U.S. Air Force’s Rome Laboratory. They planted eavesdropping software that allowed them to monitor e-mails and other sensitive information.

(Copyright 2002 by The Associated Press. All Rights Reserved.)

Pia Landergren, IDG News Service\London Bureau
June 18, 2001, 06:09

With the rapid increase in security breaches leaving law enforcement struggling to keep up, some organizations are taking the law into their own hands and punishing hackers themselves.

Striking back at hackers with, for example, denial of service attacks is a sensitive subject, since doing so is illegal in most countries. However, security experts say the U.S. Department of Defense has used these methods. In addition, private companies use special firewalls and other counteroffensive software that can be set to automatically strike back at hackers, according to U.K. Internet security consultant and ex- hacker Mathew Bevan, among others.

Conxion Corp., an ISP (Internet service provider) based in Santa Clara, California, is one private company that acknowledges having reversed a denial of service attack on a group of hackers. When asked if giving hackers a dose of their own medicine is company policy, spokeswoman Megan O’Reilly-Lewis said, “We deal with it on a case-by-case basis.”

The World Trade Organization’s (WTO) Web site, which was being hosted by Conxion, was hacked into in late 1999. An organization called Electrohippies, or E-Hippies, bombarded the WTO Web page with download requests, which caused the Web service to slow down but not to crash completely.

“What our security staff did was to quickly write a script to reverse the traffic. Then they followed up with some more sophisticated methods,” said O’Reilly-Lewis. “It seemed to work fine,” she added.

“If they had been sophisticated hackers they would have easily avoided” the reverse attack, she said.

Hack attacks are clearly on the increase, and so are companies that specialize in tracking down the hackers.

“There’s a spectrum of things that we do,” said Bob Ayers, U.K. vice president of Para-Protect Ltd., headquartered in the U.S. The company uses an intrusion detection device with which it keeps tabs on a customer’s IT system. Ayers, a former U.S. military intelligence officer, described some of the actions companies can take when they discover an intrusion: “Disabling an account. Terminating the network link. We can go to the ISP and ask them to step in and take action.”

A company can also go beyond the e-mail address and find the person behind the crime. “You go pay him a visit,” said Ayers. “You talk to him and let him know that you’re not happy with what he is doing.” It might work, depending on your powers of persuasion, he added.

When asked if his company launches denial of service attacks on hackers on behalf of its customers, Ayers said, “I really don’t want to answer that question one way or another. All I can say is that the technology is there and how it is used is something I cannot predict.”

Both Ayers and another security expert, Winn Schwartau, president of IT security company Interpact Inc. in Seminole, Florida, and founder of security Web service Infowar.com, said that the U.S. Department of Defense has at least on one occasion launched a denial of service attack on hackers.

“Absolutely they have,” Schwartau said. “There was a group of pro-Mexicans (the Electronic Disturbance Theater) and they announced they were going to attack the Pentagon,” he said. “The Pentagon (the building that houses the department) knew about it. The Pentagon started shooting back, which was the right thing to do. However, it was illegal,” Schwartau said.

Not surprisingly, the Pentagon denies ever having used these methods.

“I am not aware that we have struck back at anyone with a denial of service attack,” said Susan Hansen, a spokeswoman at the Department of Defense. “We don’t discuss our specific security” measures, she added.

The number of malicious break-ins into companies’ computer systems is becoming alarming. The U.S. Federal Bureau of Investigation (FBI) found in a recent study that 85 percent of respondents had detected computer security breaches during the past year. The survey was based on responses from 538 security experts in various U.S. corporations and government agencies. Sixty-four percent suffered financial losses due to security breaches, and 186 respondents reported a total loss of almost $378 million. Thirty-eight percent of respondents detected denial of service attacks, compared to 27 percent last year.

According to a survey done by Schwartau, about one third of surveyed companies in the U.S. have already, or plan to, develop strike-back capabilities for possible hack attacks.

“Follow-up surveys in England found corresponding responses while an Australian survey found an even higher percentage of that country’s companies to be willing to strike back,” Schwartau said.

Hackers often make use of several computers along the way to their target, which makes it difficult for companies to launch a direct attack on the computer system the attack originated from. If someone has hacked into several computers, a vigilante may even end up striking back at an innocent bystander, whose computer has simply been used by the hacker. A sophisticated hacker can also make it look like an attack is coming from, for example, a company’s competitor.

One type of intrusion-detection equipment is a so-called honeypot, a machine that is set up to look like a network. It has false information, such as databases, installed to lure hackers to spend as much time as possible “inside” the machine. The way in, for a hacker, can be to figure out someone’s password, and to get in through the Internet. The longer a hacker is inside, the easier it is for the system administrator to find out the hackers identity, or IP (Internet protocol) address. Once that is known, the system administrator can launch a counterattack.

A denial of service attack is usually caused by someone sending more traffic to a network address than the server can handle, which causes it to crash. This can result in a Web site going down or a particular service, such as e-mail, becoming unavailable.

One industry insider does not believe in giving hackers a dose of their own medicine.

“I don’t believe in striking back, it would only invite further attacks,” said Mike Graves, European marketing manager at Hewlett-Packard Co.’s Internet Security Solutions Division, and based in Bristol, U.K.

“You may find yourself getting some publicity you don’t want. You may become a beacon for new attacks.” Hackers know each other and look out for each other, he added.

Graves’ suspicions are confirmed by ex-hacker Bevan.

“If my machine crashed and I’ve been hacking, say I was hacking into Barclays Bank, I would not give up then. If hackers gave up so easily there wouldn’t be any hackers. It’s the challenge” that keeps hackers motivated to keep going, Bevan said.

Some years ago, Bevan hacked into the U.S. Department of Defense?s computer system, a British Airforce base as well as many major corporations’ systems. He was charged with conspiracy to cause unauthorized modification to computers operated by the U.S. military and the Lockheed Martin Corp. missile and space company in 1996. Eventually, all charges against him were dropped.

“They were pushing a conspiracy angle,” but couldn’t prove it, Bevan said.

Being a hacker who was never punished, Bevan can understand why companies would want to take the law into their own hands and strike back. However, he insists the method would not work as it would only make him more determined to break the system.

Despite this, finding your own hacker tracker is not difficult. Some victims of hack attacks prefer to take a less drastic action than striking back directly. They hire companies such as Swedish Defcom AB, who specialize in finding hackers and then doing the police’s work for them; collecting enough evidence against the hackers to present the police with a clear case.

Thomas Olofsson is chief operating officer and recently found a gang of professional hackers for a customer. “This was the largest operation we’ve done,” said Olofsson. “We tracked down a gang of hackers who had used computers in different countries to hide along the way.”

“They had used a computer in South Africa and another one in the U.S. At last we found the source, a gang of hackers in one of the Baltic countries,” Olofsson said.

But catching hackers is just one of the first steps in a long process of bringing them to justice.

“What happens if a hacker in the U.K. breaks into a system in South Africa, or in the U.S.?,” said Ayers. “Where did the crime happen? And who has jurisdiction? The police must cooperate across borders, and frankly the police are not very good at that.”

As Ayers says, the police just don’t have enough resources to catch all criminals and laws still haven’t caught up with Internet crime. Despite the efforts of hacker trackers, then, hacker vigilante methods are not likely to go away any time soon.

“If you’re a skilled computer (person) you ain’t gonna go work for the U.K. police force for 20K (20,000 pounds (US$27,800) a year).” You’re going into the private sector, he said, adding, “It’s riskier to walk across Clapham Common (in London) at night than it is to enter into cyber crime.”

Para-Protect, headquartered in Centreville, Virginia, can be contacted online at http://www.para-protect.com/. Conxion, in Santa Clara, California, can be contacted at http://www.conxion.com/. HP, in Palo Alto, California, can be reached at http://www.hp.com/. Interpact is at http://www.interpactinc.com/.

Friday, 27 October, 2000, 17:57 GMT 18:57 UK
Hacking: A history

The ILOVEYOU virus as victims saw it

By BBC News Online internet reporter Mark Ward

Great hacks of our time

The original meaning of the word “hack” was born at MIT, and originally meant an elegant, witty or inspired way of doing almost anything.

Many early hacks took the form of elaborate practical jokes. In 1994, MIT students put a convincing replica of a campus police car on top of the Institute’s Great Dome.

Now the meaning has changed to become something of a portmanteau term associated with the breaking into or harming of any kind of computer or telecommunications system.

Purists claim that those who break into computer systems should be properly called “crackers” and those targeting phones should be known as “phreaks”.

1969

Arpanet, the forerunner of the internet, is founded. The first network has only four nodes.

1971

First e-mail program written by Ray Tomlinson and used on Arpanet which now has 64 nodes.

1972

John Draper, also known as Captain Crunch, finds that a toy whistle given away in the cereal with the same name could be used to mimic the 2600 hertz tones phone lines used to set up long distance calls.

1980

In October, Arpanet comes to a crashing halt thanks to the accidental distribution of a virus.

1983

The internet is formed when Arpanet is split into military and civilian sections.

Wargames, a film that glamorises hacking, is released. Many hackers later claim it inspired them to start playing around with computers and networks.

1986

In August, while following up a 75 cent accounting error in the computer logs at the Lawrence Berkeley Lab at the University of California, Berkeley, network manager Clifford Stoll uncovers evidence of hackers at work. A year-long investigation results in the arrest of the five German hackers responsible.

1988

Robert Morris, a graduate student at Cornell University, sets off an internet worm program that quickly replicates itself to over 6,000 hosts bringing almost the whole network to a halt. Morris is arrested soon afterwards and is punished by being fined $10,000, sentenced to three years on probation and ordered to do 400 hours of community service.

1989

Kevin Mitnick: Arrested
twice for hacking
Kevin Mitnick is
convicted of stealing software from Digital Equipment and codes for long-distance lines from US telephone company MCI. He is the first person convicted under a new law against gaining access to an interstate computer network for criminal purposes. He serves a one-year prison term.

At the Cern laboratory for research in high- energy physics in Geneva, Tim Berners-Lee and Robert Cailliau develop the protocols that will become the world wide web.

1993

Kevin Poulsen, Ronald Austin and Justin Peterson are charged with conspiring to rig a radio phone-in competition to win prizes. The trio seized control of phone lines to the radio station ensuring only their calls got through. The group allegedly netted two Porsches, $20,000 in cash and holidays in Hawaii.

1994

A 16-year-old music student called Richard Pryce, better known by the hacker alias Datastream Cowboy, is arrested and charged with breaking into hundreds of computers including those at the Griffiths Air Force base, Nasa and the Korean Atomic Research Institute. His online mentor, “Kuji”, is never found.

Also this year, a group directed by Russian hackers breaks into the computers of Citibank and transfers more than $10 million from customers’ accounts. Eventually, Citibank recovered all but $400,000 of the pilfered money.

1995

In February, Kevin Mitnick is arrested for a second time. He is charged with stealing 20,000 credit card numbers. He eventually spends four years in jail and on his release his parole conditions demand that he avoid contact with computers and mobile phones.

On November 15, Christopher Pile becomes the first person to be jailed for writing and distributing a computer virus. Mr Pile, who called himself the Black Baron, was sentenced to 18 months in jail.

The US General Accounting Office reveals that US Defense Department computers sustained 250,000 attacks in 1995.

1996

Popular websites are attacked and defaced in an attempt to protest about the treatment of Kevin Mitnick.

The internet now has over 16 million hosts and is growing rapidly.

1999

David Smith: Creator of
the Melissa virus
In March, the Melissa
virus goes on the rampage and wreaks havoc with computers worldwide. After a short investigation, the FBI tracks down and arrests the writer of the virus, a 29-year- old New Jersey computer programmer, David L Smith.

2000

In February, some of the most popular websites in the world such as Amazon and Yahoo are almost overwhelmed by being flooded with bogus requests for data.

In May, the ILOVEYOU virus is unleashed and clogs computers worldwide. Over the coming months, variants of the virus are released that manage to catch out companies that didn’t do enough to protect themselves.

In October, Microsoft admits that its corporate network has been hacked and source code for future Windows products has been seen.

EuroKom IT Security Seminar

Thursday 18th October, 2001

CEO’s and IT Managers from over fifty companies and organisations attended the EuroKom IT security seminar, which was held on 17 October in Citywest, Dublin. The seminar was opened by Noel Treacy, TD Minister for Science and Technology who told the attendees that ‘Confidence in IT Security is crucial to the success of eBusiness.’ Minister Treacy went on to elaborate on the actions that the Government are taking as a pro-active approach to meeting the challenges and opportunities which the digital economy presents. (The full text of the Minister’s speech can be viewed here.)

Brian Lynch, EuroKom’s Sales and Marketing Director, announced a partnership with Celare Ltd, one of Northern Ireland’s leading providers of IT Security Services. Brian stated that through this collaboration with Celare, EuroKom could now offer a unique range of corporate communications and security solutions throughout Ireland.

Keynote speaker at the seminar was Matt Bevan, otherwise known as ‘Kuji’, a reformed hacker who was quoted by the FBI as having ‘?created more harm than the KGB.’ Kuji, then a computer student, is alleged to have penetrated the US Air Force computer systems in 1994. He did it in the back bedroom of his parent’s home near Cardiff in Wales using a computer that his parents had given him for his 16th birthday. Kuji is also alleged to have hacked into NATO and NASA computer systems. In one case, he is also said to have hacked into the US FLEX system (Force Level Execution) and had the power to fire a Peacekeeper missile with a payload of 150 kilotonnes. Newspaper headlines at the time claimed that he ” Could have Started World War 3″ and that he “Even knew Mel Gibson’s Credit card number”. To this day, he believes that his e-mail, ordinary mail and telephones are still monitored by the Pentagon. (In 1994, there were 38,000 intrusions into Pentagon computers of which only 900 were detected.)

Tangled Web:

Tales of Digital Crime from the Shadows of Cyberspace

Chapter Six

One of the greatest misconceptions among the many who hamper the defense of cyberspace is the idea that all hacking is done only by juvenile joy riders: i.e., youthful geniuses bent on embarrassing law enforcement and the military. Of course, one of the ways in which this misconception is spread is through the mainstream media. Most cases that reach the light of day usually do end up involving juvenile hackers.

Why? Well, cases involving true cyberterrorists, information warriors, intelligence agencies, and corporate spies slip below the surface of the headlines. They are lost in the murky waters of “classified operations” or are swept under thick corporate carpets. (You’ll read more about such cases in Chapter 10 and Chapter 12.)

Juvenile hackers or other “sport hackers” (a term used to describe hackers who break into systems for the same reasons but aren’t minors) end up in the newspapers because they get caught. They also end up in the headlines because they seek the limelight. Furthermore, acknowledging their activities doesn’t open a Pandora’s box for the government agency or the corporation that was hit. If a government agency acknowledged an intelligence operation conducted by another country, there could be serious diplomatic or even military consequences. If a major corporation acknowledged a hack attack in which trade secrets were compromised seemingly by another corporation, there would be a public relations debacle: for example, their stock could dive, lawsuits could get filed, etc.

Nevertheless, juvenile or sport hackers, or joy riders, have wreaked a lot of havoc and mayhem over the years.

Here are some of the details of three high-profile stories, stretching from 1994 to 1999, that illustrate some of the lessons learned and unlearned along the way.

The Rome Labs Case: Datastream Cowboy and Kuji Mix It Up with the U.S. Air Force

The Rome Air Development Center (Rome Labs), located at Griffiss Air Force Base (New York), is the U.S. Air Force’s premier command-and- control research facility.

Rome Lab researchers collaborate with universities, defense contractors, and commercial research institutions on projects involving artificial intelligence systems, radar guidance systems, and target detection and tracking systems.

On March 28, 1994, Rome Labs’s system administrators (sysadmins) noticed that a password sniffer, a hacking tool that gathers user’s login information, had been surreptitiously installed on a system linked to the Rome Labs network. The sniffer had collected so much information that it filled the disk and crashed the system, according to James Christy, who was director of Computer Crime Investigations for the Air Force Office of Special Investigations.

The sysadmins informed the Defense Information Systems Agency (DISA) that the Rome Labs network had been hacked into by an as yet unknown perpetrator. The DISA Computer Emergency Response Team (CERT), in turn, informed the Air Force Office of Special Investigations (AFOSI) of the report of an intrusion. The AFOSI, in turn, informed the Air Force Information Warfare Center (AFIWC), headquartered in San Antonio, Texas.

An AFOSI team of cybercrime investigators and security experts was dispatched to Rome Labs. They reviewed audit trails and interviewed the sysadmins. The conclusions that they reached in their preliminary investigation were very disturbing.

Two hackers had broken into seven different computers on the Rome Labs network. They had gained unlimited access, downloaded data files, and secreted sniffers on every one of them. The seven sniffers had compromised a total of 30 of Rome Labs’s systems.

These systems contain sensitive research and development data.

System security logs disclosed that Rome Labs’s systems had been actually been hacked into for the first time on March 23, five days before the discovery made on March 28.

The investigation went on to disclose that the seven sniffers had compromised the security of more than 100 more user accounts by capturing user logons and passwords. Users’ e-mail messages had been snooped, duplicated, and deleted. Sensitive battlefield simulation program data had been pursued and purloined. Furthermore, the perpetrators had used Rome Labs’s systems as a jumping-off point for a series of hack attacks on other military, government, and research targets around the world. They broke into user accounts, planted sniffer programs, and downloaded massive quantities of data from these systems as well.

The investigators offered the Rome Labs commanding officer the option of either securing all the systems that had been hacked or leaving one or more of them open to attack. If they left a few systems open, they could monitor the comings and goings of the attackers in the hope of following them back to the their point of origination and identifying them.

The commander opted to leave some of the systems open to lay a trap for the intruders.

Investigators Wrestle with Legal Issues and Technical Limitations

Using standard software and computer systems commands, the attacks were initially traced back one leg of their path. The majority of the attacks were traced back to two commercial Internet service providers, cyberspace.com, in Seattle, Washington and mindvox.phantom.com, in New York City.

Newspaper articles indicated that the individuals who provided mindvox.phantom.com’s computer security described themselves as “two former East Coast Legion of Doom members.”

The Legion of Doom (LoD) was a loose-knit computer hacker group that had several members convicted for intrusions into corporate telephone switches in 1990 and 1991. Because the agents did not know whether the owners of the New York Internet service provider were willing participants or merely a transit point for the break-ins at Rome Labs, they decided not to approach them. Instead, they simply surveiled the victim computer systems at Rome Labs’s network to find out the extent of the intruders’ access and identify all the victims.

Following legal coordination and approval with Headquarters, AFOSI’s legal counsel, the Air Force General Counsel’s Office, and the Computer Crime Unit of the Department of Justice, real-time content monitoring was established on one of Rome Labs’s networks. Real-time content monitoring is analogous to performing a wiretap because it allows you to eavesdrop on communications, or in this case, text. The investigative team also began full keystroke monitoring at Rome. The team installed a sophisticated sniffer program to capture every keystroke performed remotely by any intruder who entered the Rome Labs.

This limited context monitoring consisted of subscribing to the commercial ISPs’ services and using only software commands and utilities the ISP authorized every subscriber to use. The team could trace the intruder’s path back only one leg. To determine the next leg of the intruder’s path required access to the next system on the hacker’s route. If the attacker was using telephone systems to access the ISP, a court-ordered “trap and trace” of telephone lines was required.

Due to time constraints involved in obtaining such an order, this was not a viable option. Furthermore, if the attackers changed their path, the trap and trace would not be fruitful. During the course of the intrusions, the investigative team monitored the hackers as they intruded on the system and attempted to trace the intruders back to their origin. They found the intruders were using the Internet and making fraudulent use of the telephone systems, or “phone phreaking.”

Because the intruders used multiple paths to launch their attacks, the investigative team was unable to trace back to the origin in real-time due to the difficulty in tracing back multiple systems in multiple countries.

In my interview with James Christy for this book, he provided fascinating insight into the deliberations over what capabilities could be used to pursue the investigation.

“The AFIWC worked the Rome Labs case with us,” Christy says. “They developed the Hackback tool right at Rome.” According to Christy, Hackback is a tool that does a finger back to the system the attack came from, then launches a scripted hack attack on that system, surveils the system, finds the next leg back, and then launches a scripted attack on that system. Hackback was designed to follow them all the way back over the Internet to their point of origination.

“Well, AFIWC developed this tool,” Christy continues, “but we told them, ‘Hey, you can’t use that ’cause it’s illegal. You’re doing the same thing as the hacker is doing: You’re breaking into systems.’ They said, General Minihan [who was at that time the head of the NSA] says, ‘We’re at war, we’re going to use it.’ My guys had to threaten to arrest them if they did. So we all said, ‘Let’s try something.’ ”

Christy tells me there was a big conference call involving the DoJ, the Secret Service, the FBI, AFOSI, and the guys that were up at Rome Labs. “We all claimed exigent circumstances, a hot pursuit. Scott Charney [who was at that time the head of DoJ’s computer crime unit] gave us the approval to go run Hackback one time. We did it, but it didn’t buy us anything. The hackers weren’t getting into those nodes via the Internet. They were getting in through telephone dial-ups. So it dead-ended where we already knew it was coming from.”

Datastream Cowboy’s Biggest Mistake

As the result of the monitoring, the investigators could determine that the hackers used the nicknames Datastream and Kuji. With this clue, AFOSI Computer Crime Investigators turned to their human intelligence network of informants that surf the Internet. The investigators levied their informants to identify the two hackers using the handles Datastream and Kuji.

“Our investigators went to their sources,” Christy recalls, “saying, ‘Help us out here, anybody know who these guys are?’ And a day and a half later, one of these sources came back and said, ‘Hey, I got this guy. Here’s his e-mail!'”

According to Christy, these informants have diverse motivations. Some of them want to be cops; some of them want to do the right thing; some of them simply find hacking exciting; some of them have pressure brought to bear on them because of their own illegal activities.

Indeed, whatever the motivation, on April 5, 1994, an informant told the investigators he had a conversation with a hacker who identified himself as Datastream Cowboy.

The conversation was via e-mail and the individual stated that he was from the United Kingdom. The on-line conversation had occurred three months earlier. In the e-mail provided by the informant, Datastream indicated he was a 16-year-old who liked to attack .mil sites because they were so insecure.

Datastream had even provided the informant with his home telephone number for his own hacker bulletin board systems he had established.

Bragging of his hacking feats, as Christy explains, was Datastream Cowboy’s big mistake.

“It was the only way we solved the case,” he said. “If we had to rely on surveillance alone, we never would have traced it back to them because of all the looping and weaving through South America. We would have been working with multiple countries.

“Did these South American countries have laws against hacking?” Christy continues. “No. Would the South Americans have been able to do a trap and trace? Maybe not. Remember, they were using telephone lines.”

The Air Force agents had previously established a liaison with New Scotland Yard who could identify the individuals living at the residence associated with Datastream’s telephone numbers.

New Scotland Yard had British Telecom initiate monitoring of the individual’s telephone lines with pen registers. A pen register records all the numbers dialed by the individuals at the residence. Almost immediately, monitoring disclosed that someone from the residence was phone phreaking through British Telecom, which is also illegal in the United Kingdom.

Within two days, Christy and the investigative team knew who Datastream Cowboy was. For the next 24 days, they monitored Datastream’s online activity and collected data.

During the 26-day period of attacks, the two hackers, Datastream Cowboy and Kuji, made more than 150 known intrusions.

Scotland Yard Closes in on Datastream Cowboy

New Scotland Yard found that every time an intrusion occurred at Rome Labs, the individual in the United Kingdom was phone-phreaking the telephone lines to make free telephone calls out of Britain. Originating from the United Kingdom, his path of attack was through systems in multiple countries in South America and Europe, and through Mexico and Hawaii; occasionally he would end up at Rome Labs. From Rome Labs, he was able to attack systems via the Internet at NASA’s Jet Propulsion Laboratory in California and its Goddard Space Flight Center in Greenbelt, Maryland.

Continued monitoring by the British and American authorities disclosed that on April 10, 1994, Datastream successfully penetrated an aerospace contractor’s home system. The attackers captured the contractor’s logon at Rome Labs with sniffer programs when the contractor logged on to home systems in California and Texas. The sniffers captured the addresses of the contractor’s home system, plus the logon and password for that home system. After the logon and password were compromised, the attackers could masquerade as that authorized user on the contractor’s home system. Four of the contractor’s systems were compromised in California and a fifth was compromised in Texas.

Datastream also used an Internet Scanning Software (ISS)1 attack on multiple systems belonging to this aerospace contractor. ISS is a hacker tool developed to gain intelligence about a system. It attempts to collect information on the type of operating system the computer is running and any other available information that could be used to assist the attacker in determining what attack tool might successfully break into that particular system. The software also tries to locate the password file for the system being scanned, and then tries to make a copy of that password file.

The significance of the theft of a password file is that, even though password files are usually stored encrypted, they are easily cracked. Several hacker “password cracker” programs are available on the Internet. If a password file is stolen or copied and cracked, the attacker can then log on to that system as what the systems perceive is a legitimate user.

Monitoring activity disclosed that, on April 12, Datastream initiated an ISS attack from Rome Labs against Brookhaven National Labs, Department of Energy, New York. Datastream also had a two-hour connection with the aerospace contractor’s system that was previously compromised.

Kuji Hacks into Goddard Space Flight Center

On April 14, 1994, remote monitoring activity of the Seattle ISP conducted by the Air Force indicated that Kuji had connected to the Goddard Space Flight Center through an ISP from Latvia. The monitoring disclosed that data was being transferred from Goddard Space Flight Center to the ISP. To prevent the loss of sensitive data, the monitoring team broke the connection. It is still not known whether the data being transferred from the NASA system was destined for Latvia. (Latvia as a destination for sensitive data was, of course, something that concerned investigators. After all, the small Baltic nation had only recently become independent of Russian domination. It had been a part of the former U.S.S.R.)

Further remote monitoring activity of cyberspace.com disclosed that Datastream was accessing the National Aero-Space Plane Joint Program Office, a joint project headed by NASA and the Air Force at Wright- Patterson Air Force Base, Ohio. Monitoring disclosed a transfer of data from Wright-Patterson traversing through cyberspace.com to Latvia.

Apparently, Kuji attacked and compromised a system in Latvia that was just being used as conduit to prevent identification. Kuji also initiated an ISS attack against Wright-Patterson from cyberspace.com the same day. He also tried to steal a password file from a computer system at Wright- Patterson Air Force Base.

Kuji Attempts to Hack NATO HQ

On April 15, real-time monitoring disclosed Kuji executing the ISS attack against NATO Headquarters in Brussels, Belgium, and Wright-Patterson from Rome Labs. Kuji did not appear to gain access to any NATO systems from this particular attack. However, when interviewed on April 19 by AFOSI, a systems administrator from NATO’s SHAPE Technical Center in the Hague, Netherlands, disclosed that Datastream had successfully attacked one of SHAPE’s computer systems from the ISP mindvox.phantom.com in New York.

After authorities confirmed the hacker’s identity and developed probable cause, New Scotland Yard requested and obtained a search warrant for the Datastream Cowboy’s residence. The plan was to wait until the individual was online at Rome Labs, and then execute the search warrant. The investigators wanted to catch Datastream online so that they could identify all the victims in the path between his residence and Rome Labs. After Datastream got online at Rome Labs, he accessed a system in Korea, downloaded all data stored on the Korean Atomic Research Institute system, and deposited it on Rome Labs’s system.

Initially, it was unclear whether the Korean system belonged to North or South Korea. Investigators were concerned that, if it did belong to North Korea, the North Koreans would think the logical transfer of the storage space was an intrusion by the U.S. Air Force, which could be perceived as an aggressive act of war. During this time frame, the United States was in sensitive negotiations with the North Koreans regarding their nuclear weapons program. Within hours, it was determined that Datastream had hacked into the South Korean Atomic Research Institute.

At this point, New Scotland Yard decided to expand its investigation, asked the Air Force to continue to monitor and collect evidence in support of its investigation, and postponed execution of the search warrant.

Scotland Yard Knocks on Datastream Cowboy’s Door

On May 12, investigators from New Scotland Yard executed their search warrant on Datastream’s residence. When they came through the door, 16- year-old Richard Pryce (a.k.a. Datastream Cowboy) curled up in the fetal position and wept.

The search disclosed that Datastream had launched his attacks with only a 25 MHz, 486 SX desktop computer with only a 170 megabyte hard drive. This is a modest system, with limited storage capacity. Datastream had numerous documents that contained references to Internet addresses, including six NASA systems and U.S. Army and U.S. Navy systems with instructions on how to loop through multiple systems to avoid detection.

At the time of the search, New Scotland Yard detectives arrested and interviewed Datastream. Detectives stated that Datastream had just logged out of a computer system when they entered his room. Datastream admitted to breaking into Rome Labs numerous times as well as multiple other Air Force systems (Hanscom Air Force Base, Massachusetts, and Wright-Patterson). (He was charged with crimes spelled out in Britain’s Computer Misuse Act of 1990.)

Datastream admitted to stealing a sensitive document containing research regarding an Air Force artificial intelligence program that dealt with Air Order of Battle. He added that he searched for the word missile, not to find missile data but to find information specifically about artificial intelligence. He further explained that one of the files he stole was a 3_4 megabyte file (approximately three to four million characters in size). He stored it at mindvox.phantom.com’s system in New York because it was too large to fit on his home system.

Datastream explained he paid for the ISP’s service with a fraudulent credit card number that was generated by a hacker program he had found on the Internet. Datastream was released on bail following the interview.

This investigation never revealed the identity of Kuji. From conduct observed through the investigators’ monitoring, Kuji was a far more sophisticated hacker than the teenage Datastream. Air Force investigators observed that Kuji would only stay on a telephone line for a short time, not long enough to be traced successfully. No informant information was available except that Computer Crime Investigators from the Victoria Police Department in Australia had seen the name Kuji on some of the hacker bulletin-board systems in Australia.

Unfortunately, Datastream provided a great deal of the information he stole to Kuji electronically. Furthermore, Kuji appears to have tutored Datastream on how to break into networks and on what information to obtain. During the monitoring, the investigative team could observe Datastream attack a system and fail to break in. Datastream would then get into an online chat session with Kuji, which the investigative team could not see due to the limited context monitoring at the Internet service providers. These chat sessions would last 20_40 minutes. Following the on-line conversation, the investigative team would then watch Datastream attack the same system he had previously failed to penetrate, but this time he would be successful.

Apparently Kuji assisted and mentored Datastream and, in return, received stolen information from Datastream. Datastream, when interviewed by New Scotland Yard’s Computer Crime Investigators, told them he had never physically met Kuji and only communicated with him through the Internet or on the telephone.

Kuji’s Identity Is Finally Revealed

In 1996, New Scotland Yard was starting to feel some pressure from the glare of publicity surrounding the upcoming hearings in the U.S. Senate, chaired by Sam Nunn (D-Georgia). Two years had passed since the arrest of the Datastream Cowboy, and yet Kuji was still at large.

New Scotland Yard investigators went back to take a closer look at the evidence they had seized and found a phone number that they hadn’t traced back to its origin. When they did trace it, they discovered Kuji’s true identity. Ten days after Jim Christy’s initial testimony concerning the Rome Lab intrusions, 21-year-old Matthew Bevan (a.k.a. Kuji) was finally apprehended.

In court, Pryce pleaded guilty to 12 hacking offenses and paid a nominal fine of 1,200 British pounds.

But Bevan, whose father was a police officer, “lawyered-up.”

After 20 hearings in which the defense challenged the Crown’s evidence, the prosecution made a “business decision” and dropped the charges.

Bevan is now a computer security consultant. His Web site, http:// www.bogus.net/, features an archive of news media coverage of the Rome Labs case, a timeline of his exasperating and successful legal maneuvers, photographs of his arresting officers, and scanned headlines from the London tabloids.

In my interview with Bevan, I asked him about the motivation in the attack on Rome.

“My quest,” he tells me, “was for any information I could find relating to a conspiracy or cover-up of the UFO phenomenon. I was young and interested in the UFO stuff that I had read and of course as I had the access to such machines that were broken (i.e., with poor security) it was a natural progression to seek out information.

“Also,” Bevan continues, “I was bullied almost every day of my school life; the hacking world was pure escapism. I could go to school, endure the day, come home, and log on to another world. Somewhere I could get respect, somewhere that I had friends.

“At school I may have been bullied but in the back of my mind was ‘Well, I hacked NASA last night, and what did you do?'”

I also asked Bevan if he wanted to set the record straight in regard to how authorities handled the case or how the media reported it.

“One of the biggest concerns that I have about the reporting of the case relates to the InfoWar aspect,” he says. “It is suggested that we were taken to the brink of WWIII because of an attack on the Korean nuclear research facility. A Secret Service agent here alleged that bombers were already on their way to Korea to do a preemptive strike as it was thought that when they discovered the attack, said to have come from a U.S. military computer, they would retaliate.

“In the evidence presented in the case,” Bevan says, “there was a snippet of a log that shows Datastream Cowboy logging into said facility with the user ID of ‘sync,’ and as the user has no Unix shell associated with it, the login is terminated. Nowhere else in the logs is any record of the intrusion being successful, and in my opinion the logs do not reflect that. Being called ‘the single biggest threat to world peace since Adolf Hitler’ is a tad annoying, but then even the layman can see that is just hype and propaganda.”

Who Can Find the Bottom Line?

A damage assessment of the intrusions into the Rome Labs’s systems was conducted on October 31, 1994. The assessment indicated a total loss to the United States Air Force of $211,722. This cost did not include the costs of the investigative effort or the recovery and monitoring team.

No other federal agencies that were victims of the hackers (for example, NASA) conducted damage assessments.

The General Accounting Office conducted an additional damage assessment at the request of Senator Nunn. (See GAO Report, Information Security: Computer Attacks at Department of Defense Pose Increasing Risks [AIMD-96-84], May 22, 1996.)

Some aspects of this investigation remain unsolved:

The extent of the attack. The investigators believe they uncovered only a portion of the attack. They still don’t know whether the hackers attacked Rome Labs at previous times before the sniffer was discovered or whether the hackers attacked other systems where they were not detected.

The extent of the damage. Some costs can be attributed to the incident, such as the cost of repair and the cost of the investigative effort. The investigation, however, was unable to reveal what they downloaded from the networks or whether they tampered with any data. Given the sensitive information contained on the various computer networks (at Rome Labs, Goddard Space Flight Center, the Jet Propulsion Laboratory, Wright- Patterson AFB, or the National Aero-Space Plane Program), it is very difficult to quantify the loss from a national security perspective.

HotterthanMojaveinmyheart:2 The Case of Julio Cesar Ardita

On March 29, 1996, the U.S. Justice Department announced it had charged Julio Cesar Ardita (a.k.a. “El Griton”), a 21-year-old Argentine, with breaking into Harvard University’s computer network and using it as a staging platform for many other hacks into sites throughout cyberspace. Like Kuji and the Datastream Cowboy, Ardita targeted sites belonging to NASA, DoD, several American universities, and those in other countries (for example, Korea, Mexico, Taiwan, Chile, and Brazil). Like Kuji and the Datastream Cowboy, Ardita gained unauthorized access to important and sensitive information in his explorations. In Ardita’s case, the research information that was compromised involved satellites, radiation, and energy-related engineering.

Peter Garza of Evidentdata (Ranchero Cucamonga, California) was a special agent for the Naval Criminal Investigative Services. He led the digital manhunt that ended in Buenos Aires. Garza described Ardita as a dedicated hacker. “Ardita was no ordinary script kiddie,”

Garza tells me. “He didn’t run automated hacking scripts downloaded from someone else’s site. He did his hacking the old-fashioned way. He used a terminal emulator program, and he conducted manual hacks. He was prodigious. He had persistence and stamina. Indeed, I discovered records of ten thousand sessions on Ardita’s home computer after it was seized. During the technical interviews we did of Ardita in Argentina (after his arrest), he would describe all-night sessions hacking into systems all over the Internet.

“Early on in the investigation,” Garza adds, “I had guessed this would be a solvable case because of this persistence. I had guessed that because this was such a prolific hacker, he had to use the same file names, techniques, and hiding places just so that he would be able to remember where he left collected userids and passwords behind on the many hacked systems. Also, I hoped the hacker was keeping records to recall the hacked sites. Records that would help further the investigation if we were successful in tracking the hacker down. It was gratifying that I was right on both counts. Records on his seized computer, along with his detailed paper notes, helped us reconstruct much of what he had done.”

Like the investigation that led to the identification and arrest of the Rome Labs hackers, the pursuit that led to the identification and arrest of Ardita accelerated the learning curve of those responsible for tracking down cybercriminals and bringing them to justice.

The following account, drawn from my interview with Garza and the court affidavit written by Garza himself in support of the criminal complaint against Ardita, sheds light on the details of the investigations and the groundbreaking work that the case required.

How the Search for “El Griton” Began

Sysadmins at a U.S. Navy research center in San Diego detected that certain system files had been altered. Taking a closer look, they uncovered certain files, including a sniffer he left behind, the file that contained the passwords he was logging, and a couple programs he used to gain root access and cover up his tracks.

This evidence enabled Garza to construct a profile of the hacker.

Coincidentally, and fortuitously, Garza and other naval security experts happened to be at the San Diego facility for a conference on the day that the intrusion was detected.

They worked late into the night. They succeeded in tracking the as-yet- unidentified hacker to a host system administered by the Faculty of Arts and Sciences (FAS) at Harvard University, Cambridge, Massachusetts. The hacker was making unauthorized use of accounts on the FAS host and trying to access other systems connected to Harvard’s network via the Internet.

(As early as July 1995, host computers across the United States as well as in Mexico and the United Kingdom reported both successful and unsuccessful hacking attempts seeming to originate from the FAS Harvard host. But this U.S. Navy investigation that commenced in late August would lead to Ardita’s arrest.)

Although it was impossible at first to determine the hacker’s true identity because he was using the legitimate account holders’ identities as his aliases or covers, investigators could distinguish the hacker from other users of the FAS Harvard host and the Internet through certain distinctive patterns of illicit activity. But to track the hacker all the way back to his point of origination, Garza was going to need a court order for a wiretap.

“I called the U.S. Attorney’s office in Boston on a Thursday and asked if we could have the court order in place by Monday,” Garza recounts. “They laughed. Six months was considered the ‘speed of light’ for wiretap approval. But we started to put the affidavit together anyway, and got it okayed in only six weeks, which at that time was unheard of.

Cracking down on the outlaws of cyberspace Cybercop apprenticed in tough job
( USA TODAY )

What’s it take to be America’s top cybercop?

“I was a hockey referee, so I’m used to being beaten up,” suggests Jim Christy, who is among those most often mentioned for the title.

And he’s been at it for only a decade.

But it’s a decade that’s seen the Internet grow from 8,000 users to an expected 50 million at the end of this year. And it’s a decade that’s seen computer crime go from a Hollywood scriptwriter’s fantasy to a real- life threat to commerce.

As a result, it’s seen Christy trade a higher-paying post as a Pentagon computer programmer to become the military’s first full-time civilian computer crime investigator.

Today, with the weighty title of Chief of Computer Crime Investigations & Information Warfare, he is one of 68 computer investigators in the Air Force Office of Special Investigations (OSI).

At 44, Christy’s part-time career as a professional hockey official has ended after four knee operations and a bionic eye implant necessitated by a slap shot to the head.

What he misses most, he says, is that as a referee “you are judge, jury and executioner, and justice is immediate.”

In law enforcement, justice is dispensed slowly. Especially, he notes, in cyberspace.

Christy, a Baltimore native, stumbled into the computer field. After drawing No. 35 in the draft lottery of 1971 during the Vietnam War, he joined the Air Force rather than waiting to be drafted. The aptitude test noted computer skills. He spent the next four years as a computer key punch operator, followed by 13 years as a civilian working computers at the Pentagon.

When he moved to OSI, Christy largely ceased his hands-on involvement with computers and systems.

“There are a whole lot of people who do that stuff a lot better than me,” he says.

His role now is to guide investigations — how to track the cybercriminals, who to talk to, when to get a warrant.

Christy has more experience chasing outlaws through cyberspace than anyone else. To those knowledgeable about computer crime and hackers, his cases are legend:

– He was the first investigator to take seriously Cliff Stoll’ s complaints about a 75-cent accounting error that led to the discovery of a hacker mucking about in the University of California-Berkeley computer.

The 1986 investigation eventually led to Hanover, Germany, and a group of students who were hacking into U.S. military systems and selling what they found to the Soviet KGB. Stoll describes the case in the book, The Cuckoo’s Egg.

– Christy took part in the “Morris Worm” investigation, helping track Robert Morris, whose program moved across the Internet entering and disabling individual computers and network systems, causing millions of dollars in losses.
– Christy helped solve a 1991 murder by using cardboard and tape to reassemble two floppy disks.

On the disks were love letters between Air Force Sgt. Joe Snodgrass and a lover; a letter to a pair of hitmen paid to kill Snodgrass’ wife; and a letter increasing life insurance coverage for his wife to $450,000. Snodgrass pleaded guilty and is serving life in prison.

– Christy helped solve a 1991-92 case of an Air Force colonel who used America Online to exchange child pornography with 88 others. The case yielded the first cyberspace search warrants. The colonel was convicted and dismissed from the military; no jail time was imposed.
– Christy worked on the 1994 Rome Labs case, in which a British teen-age hacker, with the guidance of a still-unidentified accomplice, cracked the security at the Rome Air Force Base in New York. The base is a premier military research facility, and the unidentified accomplice is suspected of being a foreign agent.

After weighing a series of high-tech options for chasing the hackers through cyberspace, Christy found an informant in an on-line chat room who led him to the British hacker. Charges are pending.

Since last fall, Christy has been on temporary assignment to the Senate Permanent Subcommittee on Investigations, helping them examine security in cyberspace.

“I like working up on Capitol Hill, because you can make a difference, ” Christy says.

“It’s still anarchy and like the Wild West out there on the Internet, ” he continues. “But I feel much better now than I did just a year and a half ago, because the decision makers are starting to take notice. ”

Three landmark cases

In the brief history of computer crime, these three cases are regarded as landmarks:

CITIBANK BREAK-IN: Bank robbery by hackers still rare

In 1994, Citibank came under attack by a group of cyberspace thieves, led by a mathematician in St. Petersburg, Russia.

In response, the bank called SAIC, a leading international security firm in McLean, Va. SAIC eventually traced the funds to accounts in San Francisco; Amsterdam, the Netherlands; Germany; Finland; and Tel Aviv, Israel.

The attackers had worked at Citibank affiliates for up to three years before the thefts. They installed backdoors to the computer and entered when they were ready.

Eventually, all but $400,000 of the $10 million stolen was recovered, and the company tracked down the intruders. Only then was the case turned over to the FBI, which arrested Vladimir Levin and four accomplices.

It remains the only case of a computer theft reported by a bank, the FBI recently told Senate investigators.

SAIC, whose board of directors and executive offices are populated by former high-ranking members of the military and intelligence community, declined comment.

According to the FBI, Levin took advantage of accounts where clients had opted for a lower level of security. All Citibank clients are now required to use higher- level security. Levin is battling extradition to the USA.

When the case hit the media in 1995, 20 of Citibank’s largest clients were approached by other banks with claims of better security, according to a recent report by the Senate Permanent Subcommittee on Investigations.

“There’s a huge disincentive to reporting these crimes,” says Mark Rasch at SAIC’s Center for Information Protection.

ARGENTINE HACKER: A tap on the Net spreads a wide net

In an investigation this past winter, authorities obtained the first court-ordered cyberspace wiretap.

The case underscores the complexities of preserving privacy rights in cyberspace.

The case involved a hacker using a Harvard University computer to steal passwords and gain access to government computers.

The problem: how to track the hacker in Harvard’s computer without listening to all the system activity, up to 300 users at a time.

Unlike a traditional wiretap, where authorities listen to a single conversation on a single phone line, in cyberspace police must review all the traffic on a system to identify the intruder’s packet of digital information.

“It’s like putting a bug (listening device) on home plate at Yankee Stadium and listening to every conversation and having to parse out the one conversation you’re looking for,” says Donald Stern, U.S. Attorney in Boston.

Investigators were able to draw a distinct profile of the intruder, such as specialized software he used. Authorities used software that monitored the Harvard system looking for that profile, alerting agents when they had a near match.

Even so, investigators twice read unrelated conversations. Authorities concede a clear profile is needed to preserve privacy rights.

“There will be cases where, no matter what you do, you will be unable to get a clear enough profile of the intruder,” says Stephen Heymann, the deputy chief of the U.S. Attorney’s criminal division in Boston.

By late December 1995, authorities say, the intruder was traced to Buenos Aires, Argentina, and identified as Julio Cesar Ardita, a computer science student. He faces U.S. charges, but Argentina won’t make an arrest.

INTEL CHIP CASE: Pentium prosecution required creativity

One of the rare cases of economic espionage that ended with a prosecution was that of Guillermo “Bill” Gaede, who pleaded guilty in March to charges of stealing the specifications for Intel’s Pentium and 486 computer chips.

Court papers set the value of the theft at $10 million to $20 million; Intel says the value could go up to $300 million.

“This is as big a case as anything we’ve seen in the ’90s,” says Leland Altschuler, chief of the U.S. Attorney’s Office in San Jose, Calif.

The Gaede case, while unique in its dimensions, was typical in another respect: It was an “inside” job, pulled off by a trusted employee with access to the computer system.

As a senior engineer at Intel in 1993-94, Gaede was able to access Intel’s computer system from his home computer.

However, Intel’s security system prevented anyone from copying files.

So Gaede set up a video camera and taped the blueprints off his computer monitor.

He sent a copy of the videotape to an Intel competitor. Instead of paying Gaede, the competitor promptly sent the video back to Intel and alerted authorities.

Intel tracked Gaede to Argentina, where the company initiated legal action. In the USA, Intel worked with the Justice Department to produce indictments against Gaede.

Gaede was captured when he returned to the USA in September 1995 to visit relatives. But, because Gaede only made a videotape of a computer file and never really stole anything in the physical sense, authorities had trouble deciding how to charge him.

Gaede pleaded guilty to mail fraud and interstate transportation of stolen property. In June, he received a 33-month sentence.

Copyright 1996, USA TODAY, a division of Gannett Co., Inc.

M.J. Zuckerman, Cracking down on the outlaws of cyberspace Cybercop apprenticed in tough job., USA TODAY, 07-02-1996, pp 04B.

04/04/98 THE SCHOOLBOY SPY.

By Jonathan Ungoed-Thomas

The Americans called him their No 1 enemy, but he was only 16. Jonathan Ungoed-Thomas reveals one of the strangest stories of the cyber-age. On the evening of April 15, 1994, six American special agents sat in a concrete basement at a secret air force base patiently waiting for an attack. Their unseen and unknown enemy had for weeks been rampaging across the Pentagon network of computers, cracking security codes and downloading secret files.

Defence officials feared the infiltrator was a foreign agent. They were monitoring his movements in a desperate effort to trace him to his lair. He had first been spotted by a systems manager at the Rome Laboratory at the Griffiss air base in New York state, the premier command and control research facility in the United States. He had breached the security system and was using assumed computer identities from the air base to attack other sites, including Nasa, Wright-Patterson air force base – which monitors UFO sightings – and Hanscom air force base in Massachusetts. He was also planting “sniffer files” to pick up every password used in the system. This was a new type of warfare, a “cyber attack” at the heart of the most powerful military machine on earth. But the American military had been preparing for “cyber war” and it had a new breed of agent ready to fight back against the infiltrator. Computer specialists from the Air Force Office of Special Investigations (AFOSI) and the Air Force Information Warfare Centre in San Antonio, Texas, were dispatched to Rome Laboratory to catch the attacker.

By the end of the second week of their attempt to outwit him, their windowless basement room was a mess of food wrappers, sleeping bags and empty Coca-Cola cans. Sitting among the debris, the American cyber agents saw a silent alarm throb on one of the many terminals packed into the 30ft by 30ft room. Datastream Cowboy, as he called himself, was online again. They carefully tracked him on a computer screen as he used the access code of a high-ranking Pentagon employee to sign on. This gave him the power to delete files, copy secret information and even crash the system. As he sifted through battlefield simulation data, artificial intelligence files and reports on Gulf war weaponry, the agents worked frantically at their terminals, trying yet again to establish who he was and where he had come from. It was futile. Datastream Cowboy always bounced around the world before launching an attack and it was impossible even to establish in which country he was sitting.

Suddenly he left the Pentagon system. The agents rapidly checked the computer address of his new target and were chilled by the result: he was trying to get access to a nuclear facility somewhere in Korea. The shocked agents saw a terrible crisis coming. The United States was embroiled in tense negotiations with North Korea about its suspected nuclear weapons programme. The Clinton administration was publicly split between a faction that wanted to punish the Stalinist regime in Pyongyang for attempting to develop a nuclear bomb and State Department diplomats who insisted on a gentler approach.

If the paranoid North Koreans detected a computer attack on their nuclear facility from an American air base – because Datastream Cowboy had assumed an American military identity by routeing his assault through the Griffiss computer – they would be bound to believe that the hawks had won and this was an act of war. Senior defence officials were hurriedly briefed as the agents attempted to establish the exact location in Korea of the computer that Datastream Cowboy was trying to crack.

After several tense hours, they had their answer. His target was in South Korea, not North. The security alert was over, but the damage meted out by Datastream Cowboy was not. In the space of a few weeks he had caused more harm than the KGB, in the view of the American military, and was the “No 1 threat to US security”.

What made Datastream Cowboy so dangerous, in the view of the Americans, was that he was not alone; he was working with a more sophisticated hacker who used the “handle” of Kuji. The agents repeatedly watched Datastream Cowboy unsuccessfully attack a military site and retreat for an e-mail briefing from Kuji. He would then return and successfully hack into the site. Both Datastream Cowboy and Kuji were untraceable. They were weaving a path through computer systems in South Africa, Mexico and Europe before launching their attacks. Over 26 days, Datastream Cowboy and Kuji broke into the Rome Laboratory more than 150 times. Kuji was also monitored attempting an assault on the computers at Nato headquarters near Brussels. It was only three years after the final collapse of Soviet communism, but there was already a strong fear within the American government that the United States had become vulnerable to a new military threat: electronic and computer warfare.

Both America’s superpower military arsenal and its huge civilian economy had become reliant on microchips and in the words of Jamie Gorelick, a deputy attorney-general: “Some day we will wake up to find that the electronic equivalent of Pearl Harbor has crippled our computer networks and caused more chaos than a well placed nuclear strike. We do not want to wait for that wake-up call.”

What made the American military so vulnerable was that the Internet – the computer communications system that had been developed by Pentagon scientists as a tool for survival after nuclear war – was opening up in 1994 to anyone in the world who had access to a cheap and powerful personal computer.

The Internet automatically brought hackers to the very gates of the Pentagon’s most secret files – and it could not be policed, as it had been deliberately set up without controls to ensure ease of access for nuclear survivors.

According to official American figures, the Pentagon’s military computers are now suffering cyber attacks at the rate of 250,000 a year and it is retaliating with a $3.6bn programme of computer protection to key systems. THE attacks by Datastream Cowboy and Kuji were the opening shots in this barrage, and the Pentagon generals insisted that they had to be found and put out of action. It would have been relatively simple to shut them out of the Pentagon network, but they would survive to attack again – and their identities and the information they had already stolen would have remained unknown. The American cyber agents were ordered to continue chasing them through the electronic maze.

But how? They used a process called “fingering” in which they tried to detect every computer that Datastream Cowboy had used as stepping stones before attacking them. A computer on the Internet gives its own address in the first few bytes of any communication and the agents tried to trace Datastream Cowboy’s path backwards. The process can often be hit and miss because of the vast amount of traffic on the Internet and the hacker’s path was simply too long and circuitous to follow to its end. The agents almost gave up hope. Then old-fashioned police work was brought to bear. In the cyber age, where do hackers hang out? On the Internet, of course. They “chat” with each other through their screens.

The agents had informants who cruised the Internet and one of these made the breakthrough. He found that Datastream Cowboy hung out at Cyberspace, an Internet “service provider” based in Seattle. Moreover, he was a particularly chatty individual who was eager to engage other hackers in e-mail conversation. Naive, too. Before long, the informant had established that Datastream Cowboy lived in the United Kingdom. He even gave out his home telephone number.

Jubilant, a senior AFOSI agent contacted the computer crime unit in Scotland Yard for assistance. Datastream Cowboy’s number was traced to a house in a cul-de-sac in Colindale, part of the anonymous north London suburbs. In cold war days it would have been a classic address for a spy’s hideaway.

Telephone line checks revealed that the hacker was first dialling into Bogota, the Colombian capital, and then using a free phone line from there to hack his way into the sensitive military sites.

American agents flew to London and staked out the address with British police officers. Detectives were cautious, however, about making an immediate arrest because they wanted Datastream Cowboy to be online when they entered the house, so that he would be caught in the act.

At 8pm on May 12, 1994, four unmarked cars were parked outside the Colindale house. Inside one of them, a detective’s mobile phone rang. An agent from the Rome Laboratory was on the other end: Datastream Cowboy was online. Officers made a second call to British Telecom in Milton Keynes and established that a free phone call was being made to South America. Posing as a courier, one of the officers knocked on the door. As it was opened by a middle-aged man, eight policemen silently appeared and swept into the house. The officers quietly searched the downstairs and first floor. Then, creeping up the stairs to a loft-room, they saw a teenager hunched in his chair tapping frantically away on the keyboard of his ?700 PC World computer. They had found Datastream Cowboy.

One of the detectives walked up silently behind the young suspect and gently removed his hands from the computer. For 16-year-old Richard Pryce, a music student, it was the shock of his life. He looked at the policemen as they prepared to arrest him and collapsed on the floor in tears.

“They thought they were going to find a super-criminal and they just found me, a teenager playing around on his computer,” says Pryce now. “My mother had noticed people sitting outside our house for a few days beforehand, but I didn’t think much of it. I never thought I would get caught and it was very disturbing when I did.

“It had just been a game or a challenge from which I had got a real buzz. It was unbelievable because the computers were so easy to hack, like painting by numbers.”

Pryce, who was then a pupil at The Purcell School in Harrow, Middlesex, was arrested at his home but released on police bail the same evening. Five stolen files, including a battle simulation program, were discovered on the hard disk of his computer. Another stolen file, which dealt with artificial intelligence and the American Air Order of Battle, was too large to fit on to his desktop computer. So he had placed it in his own storage space at an Internet service provider that he used in New York, accessing it with a personal password.

During the subsequent police interviews, one pressing question remained unanswered: who was Kuji? Pryce claimed he had only talked with his hacking mentor on the Internet and did not know where he lived. American investigators regarded Kuji as a far more sophisticated hacker than Datastream. He would only stay on a telephone for a short time, not long enough to be traced successfully. “Kuji assisted and mentored Datastream and in return received from Datastream stolen information…Nobody knows what Kuji did with this information or why it was being collected,” agents reported.

Mark Morris, who was then a detective sergeant with Scotland Yard’s computer crime unit, was one of the investigating officers on the case. “It was awesome that Pryce, who was just one teenager with a computer, could cause so much havoc, but the greater worry in the US was about Kuji,” says Morris. “The fear was that he could be a spy working for a hostile foreign power. The job was then to find him.”

Pryce did give detectives one telephone number, but it was a red herring: a school library in Surrey. During the next two years of compiling evidence in Britain and America in the case against Pryce, British detectives and American agents failed to turn up any evidence that might lead to Kuji. Their break finally came in June 1996 when the computer crime unit decided to sift once again through the mass of information on the hard disk of Pryce’s computer.

Morris took on the job. “I was at home with my laptop and went through every bit of that hard disk, which was a huge task.” It took him three weeks. If all the files had been printed out they would have filled 40 filing cabinets.

At last he found what he wanted. “At the bottom of a file in the DOS directory I saw the name Kuji. Next to the name was a telephone number. Pryce might not have even known it was on his system because he downloaded so much information.”

For American agents hoping to catch a superspy, Kuji’s telephone number was a grave disappointment. He was based in Cardiff. A team of officers drove up to his address, a terraced house, and finally discovered Kuji’s identity. He was 21-year-old Mathew Bevan, a soft-spoken computer worker with a fascination for science fiction. His bedroom wall was covered with posters from The X Files and one of his consuming interests was the Roswell incident, the alleged crash of a UFO near Roswell, New Mexico, in July 1947. He was arrested on June 21, 1996, at the offices of Admiral Insurance where he worked.

“I would never have been caught if it wasn’t for Pryce and even then they took two years to find me,” Bevan says now. “And the only reason Pryce got caught was that he gave his number to a secret service informant.” Bevan, the son of a police officer, said he had not even been alarmed when Datastream Cowboy disappeared from the Internet. “Everyone was joking with me on the e-mail that he must have been arrested, but I didn’t believe it. It wasn’t until a year later that a friend phoned me and said: ‘Have you seen the papers? They think you’re a spy’.”

However, Bevan became confident that he had escaped detection and was stunned when he was arrested. “I was told to go and check the managing director’s computer. I went in and there were seven or eight of them in suits and I was arrested.” He was charged the next day with two counts of conspiracy under the Criminal Law Act 1997. He was later charged with three offences under the Computer Misuse Act 1990.

Pryce had been charged in June 1995, about 13 months after his arrest, with 12 offences under Section 1 of the Computer Misuse Act 1990. He was also charged with conspiracy three days before Bevan’s arrest. At the culmination of one of the biggest ever international computer crime investigations and after a massive security scare in the United States, law enforcers were left with a meagre and faintly embarrassing prize: two young hackers who in their spare time, from the comfort of their bedrooms, had penetrated what should have been the most secure defence network in the world. To rub salt into the wounds, their credentials were hardly impressive. Pryce had scraped a D grade in computer studies at A-level and Bevan had dropped out of an HND course in computer science.

Pryce’s father, Nick, who restores musical instruments, said: “They said Richard was a No 1 security threat and I think that was just rubbish. They had overreacted and when they found out it was just a teenager, they still wanted to try to make an example of him. I never knew what he was doing at the time; I just thought he was in his bedroom playing on his computer. When I found out, I never thought he had done anything particularly wrong and neither did our friends. He just showed how bad security was on those computers.”

But how did two rather ordinary young men manage to penetrate the Pentagon computer system and spark such a massive security alert? Both were bright and articulate, but there was nothing in their backgrounds to suggest a computer wizardry that would outwit the American military. Their success was based on a mixture of persistence and good luck, which was abetted by crude security mistakes in the Pentagon computer system. Pryce had had a musical upbringing with his two sisters, Sally and Katie, and had a passion for playing the double bass. He was bought his computer when he was 15 to help him in his studies. He would spend his spare time linked up to a bulletin board on the Internet, where computer users traded information and chatted. It was here that he got his first introduction to hacking.

“I used to get software off the bulletin boards and from one of them I got a ‘bluebox’, which could recreate the various frequencies to get free phonecalls,” he said. “I would phone South America and this software would make noises which would make the operator think I had hung up. I could then make calls anywhere in the world for free.”

Now 20 and in his third year at the Royal College of Music in London, Pryce said: “I would get on to the Internet and there would be hackers’ forums where I learnt the techniques and picked up the software I needed. You also get text files explaining what you can do to different types of computer. “It was just a game, a challenge. I was amazed at how good I got at it. It escalated very quickly from being able to hack a low-profile computer like a university to being able to hack a military system. The name Datastream Cowboy just came to me in a flash of inspiration.”

The attack on Rome Laboratory, his greatest success, relied on a ferret called Carmen. Pryce easily gained low-level security access to the Rome computer using a default guest password. Once inside the system, he retrieved the password file and downloaded it on to his computer. He then set up a program to bombard the password file with 50,000 words a second. “I just left the computer running overnight until it cracked it,” he explained.

If all the air force officers with access to the computer had followed orders and used passwords with a mixture of numerals and letters, his attack would have been foiled; but luck was on his side.

Morris, who has since left Scotland Yard’s computer crime unit and now works in London for Computer Forensic Investigations, a private company, revealed: “He managed to crack the file because a lieutenant in the USAF had used the password Carmen. It was the name of his pet ferret. Once Pryce had got that, he was free to roam the system. There was information there that was deemed classified and highly confidential and he was able to see it.”

Once he was in the system, Pryce kept getting access to higher levels in his aim to become a “root user”, which gives the hacker total control of the computer with the power to shut out other users and command the entire system.

“I was interested in Rome Labs because I knew they developed stuff for the military. I just wanted to find out what they were doing. I read that UFO material was being kept at Wright Patterson base and I thought it would also be a laugh to get in there. I also hacked into a Nasa site,” he said. “Rome Labs was my main project. I got the programming code for an artificial intelligence project. I downloaded files so I could view them at leisure at home.

“I know there was a big fuss when I tried to hack into a computer in Korea, but there was nothing sinister about it. I just fancied having a go at a different sort of computer and I happened to be on the Rome Laboratory computer. I just tapped in the address for the Korean research computer, but I didn’t hack into it. It never went further than that.” During an intensive three months of hacking, Pryce sent e- mails at least twice a week to the fellow hacker he knew as Kuji, without knowing his real name was Mathew Bevan.

Bevan, who is now 23, was more of a loner than Pryce and would spend up to 30 hours without a break on his computer. He claims the fraternity of hackers gave him the friendship that he had failed to find during his childhood. “I was bullied at school and I found my little community and interaction through my computer,” he said. “The hackers would all egg each other on. There wasn’t anything malicious about it. If there was, I could have downed as many computer systems as I wanted. I was just really looking for anything about UFOs. It was like war games; I just couldn’t believe what we could get into. I wasn’t tutoring Pryce, but the Americans made out I was because they thought I was some kind of east European masterspy.” Pryce agrees: “We embarrassed them by showing how lax their security was and that’s why they made out we had been a huge security threat. I’m now amazed by what I did, but I wasn’t surprised at the time. It was just my hobby. Some people watched television for six hours a day, I hacked computers.”

The first time Pryce and Bevan met in person was in July 1996 when they appeared at Bow Street magistrates court jointly charged with conspiracy and offences under the Computer Misuse Act. “He was at the back of the court when I went in and his mother said: ‘You’d better say hello’, which he did. We didn’t even have a chat,” said Bevan.

Conspiracy charges against both Pryce and Bevan were later dropped, but in March last year Pryce was fined ?1,200 after admitting 12 offences under the Computer Misuse Act. His lawyers said in mitigation that there had been some exaggeration when the Senate armed services committee had been told in 1996 that the Datastream Cowboy had caused more harm than the KGB and was the “No 1 threat to US security”. The remaining charges against Bevan were dropped in November after the Crown Prosecution Service decided it was not in the public interest to pursue the case.

Nevertheless, the case of Datastream Cowboy and Kuji remains one of the most notorious in American cyber history. The two young men are living this down in different ways. Pryce’s computer was confiscated, to his initial dismay. “After I had my computer taken away it was quite difficult because I had been doing it every night for a year,” he said. “If they hadn’t caught me, I would have carried on.” Now he thinks hacking was a waste of time and insists he will never do it again. He does not even own a computer any more.

Bevan, however, has put his notoriety to good use: he is now employed testing the computer security of private companies.Targeting the Pentagon United States defence computers have for years been one of the most covetedtargets for hacking addicts inspired by the film War Games, which showed a boy cracking an American defence network and nearly starting the third world war.

One of the pioneers of this craze was Kevin Mitnick, who repeatedly hacked into Pentagon computers in the mid-1980s. He was jailed in 1989 but continued his exploits on his release and was arrested again after a two-year hunt by the FBI. The number of cyber attacks on the Pentagon is estimated by Washington officials as 250,000 annually, but the incidents the public hears about are only the few where hackers get caught. In 1996 six Danes who hacked into Pentagon computers were given sentences of up to three months. The same year, special agents tracked down three teenage hackers in Croatia who had also succeeded in penetrating Pentagon computers.

They were never identified or charged, however, as there is no law against computer hacking in Croatia. Last month there was a spectacular example of the hackers’ work when American defence officials revealed that the Pentagon computer network had been subjected to a relentless two-month attack. CIA agents were reportedly anxious that the hackers might be the agents of Saddam Hussein.

FBI agents blamed a secret convention of hackers believed to be held in New York. A few days ago, the real culprit gave himself up. Ehud Tenenbaum, an Israeli teenager who dubbed himself The Analyser, had worked with two young hackers in California. Under house arrest in Tel Aviv, he said the attacks were not malicious. He had concentrated on American government sites because he hated organisations. “Chaos, I think it is a nice idea,” he said.

(c) Times Newspapers Ltd, 1998.

SUNDAY TIMES 29/03/98

Infowar.Com & Interpact, Inc. WebWarrior@Infowar.Com

Submit articles to: infowar@infowar.com
Voice: 813.393.6600 Fax: 813.393.6361

Last modified: Sun, 03 Jan 1999 00:04:46 GMT

Cyber Terrorism – American Banker
Mon, Sep 08 1997

Thanksgiving dinner last November. William Marlow is just pushing back from the family table when the phone rings. One of his clients, an unnamed Midwestern financial institution, thinks it’s under cyber- attack. For Marlow, the next few days are all long, filled with pizza.

Marlow is a svp at McLean, VA-based Science Applications International Corp. (SCI), which operates a computer security team headed by Marlow and Dr. Mark Rasch, formerly U.S. Attorney for Computer Crime at the Department of Justice. The team has 47 bank clients worldwide, including, they say, three of the nation’s largest.

When the call came, the computer security team assembled in their war room in McLean, established a secure link with their client’s network, and began systematically securing the client’s computer operations while metaphorically patrolling the walls, looking for anything from a simple mistake that might have accidentally set off the alarms, to a sophisticated timing attack, designed to distract the firewall while intruders slip into the system. “What the client was afraid of was that a Trojan horse had been introduced,” says Marlow. A Trojan horse is a program that enters the computer network disguised as a harmless message, then opens a so- called “back door” for the attackers. “While we were doing that, we received a message from two individuals that was an extortion demandowe’re talking significant dollars, enough to alter our fee structure,” says Marlow.

The Federal Bureau of Investigation (FBI) was brought in by the client, and the two teams, working together, tracked down the perpetrators. Marlow and his team built a chain of custody of evidence for the prosecution under Rasch’s supervision, while the FBI pounded the pavement, locating and arresting the criminals, who are reportedly awaiting trial.

At press time, the FBI said it needed more specific information before it could comment on Marlow’s experience.

Marlow’s client got off easy. Last year, The Times of London a publication not known for its sensational has reported that several London financial institutions had paid up to $400 million to fend off extortionists who used logic bombs (software programs that cause systematic errors) to demonstrate their ability to destroy those institution’s global operations. At least one of the attacks sent the proceeds to Russia, according to The Times story, which ran on the front page of its June 2, 1996 edition. Other journalists have confirmed the report, although officials steadfastly deny it. Both these incidents were probably more a matter of cyber- gangsterism than anything elseojust a new way to hold up banks. But in today’s strange new world, they could as easily have been perpetrated for kicks by a kid in Cedar Rapids, for money by a former programmer from the Soviet Ministry of Defense working for the Russian Mafiya, or, more dangerously, by a politically motivated terrorist trained by the CIA in Afghanistan, working in the Sudan with financing from a Saudi billionaire and intending to harm America by attacking its lifeblood.

Every Country for Itself?

And therein lies the rub: Once a bank is under cyber attack, it doesn’t much matter whether the enemy wants your money or your life; the lines between mere criminality and political action are blurred by the anonymity of the attack. And since in cyberspace national boundaries aren’t even lines on a map, computer attacks don’t always yield to tidy legalistic solutions, even if the computer that launched the attack can be traced and happens to be in a nation with laws against themoby no means a universal condition. Monaco, for instance, has no laws covering computer crime.

The result for America’s banks is a sort of medieval world in which anything can happen, law is nonexistent, and everyone needs strongholds and armed escorts when traveling from one world to the other. And because the world is filled with persons who consider America’s role as the citadel of democratic capitalism, and the exemplar of modern scientific civilization to be fundamental attacks on their way of life, a cyber attack on one bank could as easily be a first step in a plan to crash the international payments system as an attempted robbery.

And examples of cyber terrorismoor at least how vulnerable we are to themodo exist, though no official will admit to a cyber terrorist attack on a U.S. bank.

In 1994, for instance, according to 1996 Congressional testimony, two hackers named Datastream Cowboy and Kuji crashed the computer systems at Rome Air Force Base in Rome, NY, for 18 days. Rome AFB works on very sensitive defense projects; according to the testimony, not only were sensitive files stolen, but successful attacks were launched from the Rome computers to NASA’s Goddard Space Flight Center, Wright- Patterson AFB, and defense contractors around the country.

Datastream Cowboy was eventually arrested in England and convicted there of telecommunications theft. Kuji is still at large; no one knows what happened to the stolen data.

The same testimony disclosed not only that the Defense Information Systems Agency’s internal testing successfully penetrates Defense Department systems 65 percent of the time, but also that it estimates Defense systems are attacked about 250,000 times a year. It doesn’t take much to see that if a Defense Department computer system can be penetrated, so can a bank’s.

This is no secret to Admiral J. Mike McConnell, a Booz, Allen & Hamilton partner who recently retired as director of the once super- secret National Security Agency. “Banks talk about their systems as though (they have) no external connections,” he says. “What most people don’t appreciate today is that most banks today, when they are communicating, are traveling on the public switch networkothe phone system structure. When people say they’re using the Internet, all they really mean is that they’re riding around on the public switch network. That induces a certain amount of vulnerability.”

Downloading Attack Tools

Banks will tell you they have “leased lines” between their branches, he says. “But they don’t really have a physical lineothey have a restoral priority; it means they’ll get service, but they don’t know whether it’ll go through New Orleans or Chicago. So the point is, that opens you to potential vulnerabilities.

“Now you can encrypt that message, and it will be more difficult to interfere with anything; and a bank can have certain kinds of defensesofirewalls and whatnotobut once you understand and appreciate them, there are ways to attack them. Nothing is 100 percent guaranteed impenetrable. In my experience, when you are testing something to see if there is a vulnerability, you most always find a vulnerability.”

Added to that, says McConnell, is that on the Internet, all the attack tools can be downloaded; there is a “tremendous, richly robust hacker group that shares all these techniques” used for system penetrations, while readily available Silicon Graphics workstations make very capable platforms for cyber attacks.

Today, with all our networking, the vulnerability does not end with the transmission (of data), McConnell cautions. “It’s gone from worrying about data in motion to also worrying about data at rest,” because much information is stored on hard drives. “That’s where the vulnerability is,” he says.

Luckily, bankers are a paranoid lotosafes and vaults were more or less invented for themoand banking systems are on the whole among the most secure around. This was well demonstrated during the recent “war game” simulations conducted in June and July by McConnell in his McLean, VA, offices for the President’s Commission for Critical Infrastructure Protection (PCCIP).

Global Ops Riskier

After two and a half days simulating escalating problems that began as apparently unconnected events and eventually manifested themselves as a full-scale cyber attack on the United States in which truck bombs were exploding at airports, the water supply was compromised, and attempts were made to penetrate FedWire and CHIPs, only the banking and nuclear power systems were left intactoevery other critical infrastructure had been forced to request government help. Among those with poor marks: law enforcement and intelligence, which didn’t share information.

The PCCIP was created last year by President Clinton to address the fact that most of the computer networks in this country are interrelated and vulnerable to cyber attack both by terrorists, who may or may not be state-sponsored, as well as attacks by state- sponsored groups.

This vulnerability is only magnified, say PCCIP officials, by the fact that corporate outsourcing has created concentrations of services in a few hands, disruptions of which could create significant vulnerabilities within whole industries, including financial services. And modern business models built around the Internet only worsen those problems. “You’re looking at an emerging business model in an emerging (global) economy that is very different from the old one, where you had manufacturing on the bottom floor and management on the top floor,” says Peter Daly, a PCCIP commissioner and U.S. Treasury official. “Now you’ve got a CEO in Baltimore, his manufacturing is in China, his software is written in India, his telemarketing is in Irelandothe Internet enables that, and that’s what we’re focusing on. The infrastructure is the carrier of commerce now, and there are important new kinds of risks there.”

It was stimuli like these, say officials at the General Accounting Office (GAO), that led it this year to begin testing the financial system for potential weaknesses. The testing is occurring now; first it will try to penetrate banks, and then it will try to penetrate FedWire. The effort is being conducted out of the GAO’s San Francisco office.

At the level at which the PCCIP is working, say officials, the worry is less about computer attacks on individual banks than it is about attacks on major computer centers that support the nation’s financial infrastructureothe problem being that at a certain level, the two are virtually identical and that a simple truck bomb, like those exploded at the World Trade Center or in Oklahoma City, could cause significant damage to, say, the New York Stock Exchange or Brussels-based Society for Worldwide Interbank Financial Telecommunication (S.W.I.F.T)., while taking down the telecommunications system with logic bombs would obviously affect the financial system along with the rest of the country.

How to Fight Attacks

But there are also high-tech attacks to worry about. Some attacks, like exploding a microwave or flux generator bomb outside the Richmond Federal Reserve, potentially taking down FedWire by destroying its computer system, require substantial resources and are impractical; both sorts of bombs are very large and would have to be delivered by truck, requiring the same sort of industrial base needed to build nuclear weapons. A flux generator bomb is capable of throwing an enormous magnetic field around a building, crashing all the systems within.

But there are lower tech attacks that even small banks need to worry about, since they could be used in smaller-scale extortion. A HERF, or high energy radio frequency, gun, for instance, is a small, futuristic device that sends an energy “spike” through a metal system, frying it.

These devices, which police forces are considering issuing to some of their personnel as a means of stopping escaping vehicles, are basically ray guns, right out of Buck Rogers. The technology, which is nowhere near as sophisticated as a flux generator bomb, could easily move from law enforcement to the criminal and terrorist population as it becomes more widespread. Tazers, readily available today, can also be used to attack and disrupt computer networks.

But these, at least, are not tough to defend against, according to a paper written by Carlo Kopp, an Australian computer scientist. Since a HERF or Tazer attack made against a LAN is an electrical attack in which a power spike does the damage, he says, simply replacing the copper- based LAN with fiber-optic cable provides a practical defense. More advanced measures advocated by Kopp start with isolating the computer power system from the main power supply with an old-fashioned motor- generator power isolator, and go as far as building the sort of copper- mesh “Faraday Cage,” sometimes put around a clean computer room, around an entire building.

Cost of Protection

But there’s a price to be paid for upping the security ante, says an official at Washington, D.C.-based American Bankers Association, who requested anonymity. “(A determined group) can always kidnap somebody’s family and make them do what they want, so I’m not sure how far you want to go” he says. “The thing you’ve got to remember is that these days, you’ve got guys carrying bombs with toggle switches instead of timers.” Toggle switches are manual triggering devices used by suicide bombers.

“Low probability events are things banks have to deal with when they’re catastrophic, and when they can be reasonably managed,” he continues. “The thing is, we’ve got tremendous measures in place already, and the only other things (we could do) is to do full-field investigations (of employees) so not only do we know who our guys are, but that the government knows who our guys are, so they’d be more willing to tell our guys what’s going on.”

That cooperation could become far-reaching. Because the implications of cyber attack are transnational, and the interpenetration of terrorism and plain criminality has become so complete, many are calling for international police efforts. “We’re totally behind the eight-ball, and everybody’s stymied by this brick wall called national sovereignty, which the bad guys laugh about,” says Arnaud de Borchgrave, who was Newsweek’s chief foreign correspondent for 30 years, and who now heads the Center for Strategic and International Studies, based in Washington. “Any thinking person knows that the traditional prerogatives of national sovereignty have not only been overtaken by the information revolution, but that things like logic bombs and worms are the new arsenal in a new geopolitical calculus that enables the non-states, and even individuals, to take on a superpower. That’s the sort of world we’re living in, and our leaders don’t want to face up to it.

“You need laws that enable you to operate beyond (national) borders,” he adds. “Right now, if the Pentagon is attacked, they don’t have the right to retaliate, even when they know the source of attack. We’re a long way from an international SWAT team or teams, which is what I’m thinking about.”

As things stand, meanwhile, most large banks have either contracted with companies like SAI, or maintain their own computer security teams, generally denying to the public that they face any real dangers and, it’s widely assumed, leaving their own computer security crises unreported. This is exactly the wrong way to handle it, says Senator John Kerry, of Massachusetts. Senator Kerry’s recently published book, The New War: The Web of Crime that Threatens America’s Security, highlights the increasing incidents of money laundering facilitated, in part, by computer- savvy criminals. “It goes to their overall attitude to the whole thing,” he says. “You have to put this thing out there; people have to know and understand it. The longer they’re quiet and the longer these guys can operate without a sense of public outrage and concern, the harder it’s going to be to marshal the forces to change the situation.”

Making Attacks Public

“They’ll need government help to fight these incursions from the Net,” he says. “But acting on their own can’t be adequate. You can do certain things, but if you keep this thing covert, you’ll never summon the kind of clout you need to have a legitimate cure.

“That legitimate cure will involve some kind of understanding about how you’re dealing with encryption, with how you’re dealing with secrecy, of how privacy rights and access rights are going to exist, and of course law enforcement’s rights with respect to all this,” Kerry says. “It’ll have to be a cooperative effort, and will involve some public law.”

INTERNET POSES GREATER RISK

Serious cyber attacks on banks are still not common: SAI estimates they see only about five serious attempts on banks in any year. But a 1994 study by the RAND Corporation points out that as a simple matter of statistics, the danger of attacks on institutions of all sorts, including financial institutions, is bound to grow in tandem with the spread of computer use and the growth of the Internet.

Statistics on computer incidents reported to CERT, a computer security information clearing house and research facility located at Pittsburgh’s Carnegie-Mellon University and financed by the Defense Advanced Research Projects Agency (DARPA), grew about ten-fold between 1990 and 1996. An apparent leveling off of reported incidents since 1994, says a spokesman, is more probably due to a multiplying of places to report such incidents than a slackening in hacker activity. An incident can affect one computer or, on a LAN, 1,000. CERT began life in 1988 as DARPA’s computer emergency response team.

And a 1997 study by San Francisco’s Computer Security Institute, conducted in association with the FBI, says that the 249 organizations who replied to their survey reported losses totaling $100,119,555. System penetration, fraud, sabotage, theft of proprietary information and virus attacks accounted for $65,623,700. Financial services companies, including banks, accounted for 18.77 percent of responses.

CSI officials say the average loss to financial fraud was $957,384, while losses to system penetration averaged $132,250. In comparison, losses from Internet abuse by employees totaled about $1 million.

HISTORY-INDUCED TERROR

Ironically, it was our triumph in the Cold War that set the stage for our present problems. The United States won the Cold War. But Russia was not occupied.

This historic anomaly loosened control over both the former KGB and its clients in the world of terror. The result is less actual terroroviolent attacks on civilians by trained, politically motivated peopleobut more trained people left to shift for themselves. “The collapse of the Soviet Union has obviously let loose a tremendous amount of human capital and talent that has a lot of abilities that would normally be used for legitimate business purposes or purposes of the State, but now does not have an outlet,” says Francis Fukuyama, noted author of The End of History. “A lot of that is going to come out in illegitimate activities, including things like cyber terrorism.”

And in any event, Russia today is only partly what Americans think of as a nation, says Ambassador L. Paul Bremer, managing director at New York’s Kissinger & Associates and former Roving Ambassador for Counterterrorism in the second Reagan Administration. “It’s a bit of a combination of both,” he says. “It is in a sense a country in that you’ve got 145 million people who mostly speak the same language, who have all grown up under a central rule from Moscow, who use a common currency, and who are more or less defended by a common army. But there is a lot of warlordism; you do have governors and other satraps out there who have a lot of authority. I don’t think the last chapter is written yet; it could go either way in Russia.”

(Copyright American Banker Inc. – Bond Buyer 1997)

_____via IntellX_____

Copyright 1997, American Banker. All rights reserved. Republication and redistribution of American Banker content is expressly prohibited without the prior written consent of American Banker. American Banker shall not be liable for errors or delays in the content, or for any actions taken in reliance thereon.

Infowar.Com & Interpact, Inc. WebWarrior@Infowar.Com

Submit articles to: infowar@infowar.com
Voice: 813.393.6600 Fax: 813.393.6361
Last modified: Sun, 03 Jan 1999 00:05:20 GMT

Hackers pillaged US files to sell secrets to Saddam
By Tim Reid

HUNDREDS of military secrets, including troop movements and missile capability, were stolen from American government computers and offered to Saddam Hussein during the Gulf war, a former US security expert has admitted.

Computer hackers in the Netherlands used the Internet to steal enough top-secret information potentially to change the course of the war. Luckily for the Allies, the Iraqis ignored the data, probably fearing a hoax, according to intelligence experts.

Dr Eugene Schultz, former head of computer security at the US Department of Energy, has disclosed for the first time how he and colleagues sat helpless as the Dutch hackers pillaged the files across 34 US military sites in the months leading up to the 1991 conflict.

His revelations, to be screened on BBC 2’s Sci Files programme tomorrow, come after the conviction on Friday of a London Teenager for gaining unauthorised access to American defence and missile secrets. Using equipment that cost £750 from local shops, Richard Pryce, 19, broke into computer files of the US Air Force and the Lockheed aerospace company. US military intelligence officials claimed he had caused “more harm than the KGB”. Pryce, of Colindale, north London, who was 16 at the time, was fined £1,200.

Dr Schultz, who was also responsible for protecting the computers of US nuclear weapons sites, told the BBC that the Americans learnt for certain in October 1990 that the information was being offered to Baghdad. Working with the FBI, he pinpointed the source of the attacks to Eindhoven.

The leakage of data was certainly alarming. The Dutch hackers learnt about the exact locations of US troops and the types of weapons they had. They gained information about the Patriot missile’s capability and the movement of American warships in the region.

“We realised that these files should not have been stored on Internet-capable machines,” Dr Schultz said. “They related to our military systems, they related to Operation Desert Shield at the time, and later Operation Desert Storm. This was a huge mistake.”

Once the Dutch hackers had gained access to a military computer site, they simply kept guessing different passwords until the system let them in. Once inside, they could pick and choose the exact information they wanted. The attacks lasted for months.

“We couldn’t do anything about it,” Dr Schultz said. “If we had shut down one machine that they had been getting into, they would have found others to launch the attacks from.”

The full story of Iraqi involvement in this episode is still classified. The CIA will neither confirm nor deny that the hackers tried to sell military secrets to Iraq.