Hacking: A history

Posted by Kuji on June 26th, 2008

Friday, 27 October, 2000, 17:57 GMT 18:57 UK
Hacking: A history

The ILOVEYOU virus as victims saw it

By BBC News Online internet reporter Mark Ward

Great hacks of our time

The original meaning of the word “hack” was born at MIT, and originally meant an elegant, witty or inspired way of doing almost anything.

Many early hacks took the form of elaborate practical jokes. In 1994, MIT students put a convincing replica of a campus police car on top of the Institute’s Great Dome.

Now the meaning has changed to become something of a portmanteau term associated with the breaking into or harming of any kind of computer or telecommunications system.

Purists claim that those who break into computer systems should be properly called “crackers” and those targeting phones should be known as “phreaks”.

1969

Arpanet, the forerunner of the internet, is founded. The first network has only four nodes.

1971

First e-mail program written by Ray Tomlinson and used on Arpanet which now has 64 nodes.

1972

John Draper, also known as Captain Crunch, finds that a toy whistle given away in the cereal with the same name could be used to mimic the 2600 hertz tones phone lines used to set up long distance calls.

1980

In October, Arpanet comes to a crashing halt thanks to the accidental distribution of a virus.

1983

The internet is formed when Arpanet is split into military and civilian sections.

Wargames, a film that glamorises hacking, is released. Many hackers later claim it inspired them to start playing around with computers and networks.

1986

In August, while following up a 75 cent accounting error in the computer logs at the Lawrence Berkeley Lab at the University of California, Berkeley, network manager Clifford Stoll uncovers evidence of hackers at work. A year-long investigation results in the arrest of the five German hackers responsible.

1988

Robert Morris, a graduate student at Cornell University, sets off an internet worm program that quickly replicates itself to over 6,000 hosts bringing almost the whole network to a halt. Morris is arrested soon afterwards and is punished by being fined $10,000, sentenced to three years on probation and ordered to do 400 hours of community service.

1989

Kevin Mitnick: Arrested
twice for hacking
Kevin Mitnick is
convicted of stealing software from Digital Equipment and codes for long-distance lines from US telephone company MCI. He is the first person convicted under a new law against gaining access to an interstate computer network for criminal purposes. He serves a one-year prison term.

At the Cern laboratory for research in high- energy physics in Geneva, Tim Berners-Lee and Robert Cailliau develop the protocols that will become the world wide web.

1993

Kevin Poulsen, Ronald Austin and Justin Peterson are charged with conspiring to rig a radio phone-in competition to win prizes. The trio seized control of phone lines to the radio station ensuring only their calls got through. The group allegedly netted two Porsches, $20,000 in cash and holidays in Hawaii.

1994

A 16-year-old music student called Richard Pryce, better known by the hacker alias Datastream Cowboy, is arrested and charged with breaking into hundreds of computers including those at the Griffiths Air Force base, Nasa and the Korean Atomic Research Institute. His online mentor, “Kuji”, is never found.

Also this year, a group directed by Russian hackers breaks into the computers of Citibank and transfers more than $10 million from customers’ accounts. Eventually, Citibank recovered all but $400,000 of the pilfered money.

1995

In February, Kevin Mitnick is arrested for a second time. He is charged with stealing 20,000 credit card numbers. He eventually spends four years in jail and on his release his parole conditions demand that he avoid contact with computers and mobile phones.

On November 15, Christopher Pile becomes the first person to be jailed for writing and distributing a computer virus. Mr Pile, who called himself the Black Baron, was sentenced to 18 months in jail.

The US General Accounting Office reveals that US Defense Department computers sustained 250,000 attacks in 1995.

1996

Popular websites are attacked and defaced in an attempt to protest about the treatment of Kevin Mitnick.

The internet now has over 16 million hosts and is growing rapidly.

1999

David Smith: Creator of
the Melissa virus
In March, the Melissa
virus goes on the rampage and wreaks havoc with computers worldwide. After a short investigation, the FBI tracks down and arrests the writer of the virus, a 29-year- old New Jersey computer programmer, David L Smith.

2000

In February, some of the most popular websites in the world such as Amazon and Yahoo are almost overwhelmed by being flooded with bogus requests for data.

In May, the ILOVEYOU virus is unleashed and clogs computers worldwide. Over the coming months, variants of the virus are released that manage to catch out companies that didn’t do enough to protect themselves.

In October, Microsoft admits that its corporate network has been hacked and source code for future Windows products has been seen.

Inside the Tory ‘hacking’ claims

Posted by Kuji on June 26th, 2008

Inside the Tory ‘hacking’ claims

Net crime fears prompted bank to postpone e-banking

Stories about the alleged “hacking” into the Conservatives bank account bring to mind images of a lone young male – probably a social misfit – sitting in his basement, huddled over his computer.

The reality is probably somewhat more anodyne.

Think instead of a disgruntled Labour- supporting bank employee with a mean eye for a story and you probably have something closer to the truth.

Hands on: Bank employees may be to blame
Ross Anderson,
professor of computing at Cambridge University, told BBC News Online: “Twenty years ago, if you wanted to find out the details of a bank account you would have to get the ledger in the bank branch – which would probably mean bribing or sleeping with the person who had the keys to the safe.

“When the banks computerised it meant that every one of its 70,000 or so tellers could see every customer’s account.

“Insecurity of data increases with the number of people who have access to it.”

Mathew Bevan, a computer security consultant and former computer hacker, backed Prof Anderson’s theory.

All banks are pretty much insecure
– Former hacker Mathew Bevan
“The information could have come from a call centre or from within the bank. All banks are pretty much insecure,” he told BBC News Online.

“It takes a lot of talent to hack into a bank’s computer and I don’t think a hacker could be bothered without any financial reward.

“And aside from the embarrassment, it’s not going to stop the Tories winning the next election.”

The Royal Bank of Scotland – where the Conservatives have their account – said it has “complete confidence” in all its security systems.

If someone has been hacked, they usually keep it secret -Dr Chris Thornton

Dr Chris Thornton, Sussex University computing science lecturer, said: “If someone has been hacked, they usually keep it secret.

“Anyone who makes it public usually has an ulterior motive.”

But the Conservatives say the information could not have come from their London headquarters.

The problems have emerged amid concern in the computer industry that the hackers may be exposing new security flaws as fast as the big software companies, such as Bill Gates’s Microsoft, can repair them.

The hackers are also switching tactics. Instead of attacking banks directly – as they did in one of the few publicised cases when $400,000 (?240,000) was stolen from Citibank in America – security experts believe they are targeting people’s home computers and their personal accounts.

By leaving viruses scattered across the internet, hackers have discovered they can seize control of home computers and steal people’s legal identities.

These can be used to attack bank accounts, lift phone records, electronic shopping accounts and private business information.

Hacker infiltrates military satellite

Posted by Kuji on June 26th, 2008

Hacker infiltrates military satellite
By Sean Fleming
Posted: 01/03/1999 at 16:42 GMT

The UK Ministry of Defence has come under attack from a hacker who is allegedly threatening to target military satellites unless a £3 million ransom is handed over.

According to a story in today?s Daily Mail, the hacker has already seized control of one satellite, altering its course. The satellite in question is said to be involved in co- ordinating bombing raids on Iraq. Other targets for the hacker have been GCHQ – the spying operation that listens in on telephone calls and other communications – and a number of UK operations overseas. Officers from the Metropolitan Police Computer Crime Unit are said to be engaged in tracking down the source of the attacks. The authorities are said to have been so concerned about the attack on the satellite that the prime minister, Tony Blair, was informed. High profile hackings are becoming more common. One of the most well known was involved two UK hackers, Datastream Cowboy (Richard Pryce) and Kuji (Mathew Bevan), who caught the CIA’s attention in 1994 after the Pentagon?s computer was broken into. The South Korean atomic research institute was also hacked, provoking fears that World War III might be started by a teenage computer hacker sitting in his bedroom.

Insecurity in a wireless world

Posted by Kuji on June 26th, 2008

Insecurity in a wireless world

Guy Matthews, Network News [14-03-2001]

The emerging world of wireless connectivity presents multiple security threats to corporate IT infrastructures, says researcher Gartner.

The level of such threats is going to rise as companies link their infrastructures into the wireless world, rendering themselves vulnerable to attacks on Wap gateways, in the form of mobile spam and even viruses on mobile phones.

The silver lining in the cloud, says Gartner, is that wireless systems are inherently robust, reducing the scope for Denial of Service attacks.

John Pescatore, Gartner vice-president in the US, said a “fundamental lack of security will not slow adoption” of wireless technology. He added that security professionals need to focus on limiting the gap between desired and achieved levels of control, recognising that achieving business goals involves taking risks.

According to Gartner research, the pace at which network connection and content distribution methods are evolving is outstripping the ability of companies to securely support them, leaving firms in a state of constant risk.

Complex protocol stacks, weak encryption, shared keys, user confusion, and bandwidth and device restrictions are encouraging suppliers to take shortcuts with emerging mobile devices and services.

Viruses on the move

For example, as mobile phones become smarter, attacks through software updates and simple scripting will come to the fore.

However, Gartner believes the emergence of phone viruses will not be an issue until 2005. At that time service providers will need to have in place anti-virus protection at the server level, because protection for individual mobile phones will probably be ineffective.

Corporate users should brace themselves for mobile spamming, cookie stealing, file stealing and malicious content with each improvement in mobile phone functionality.

Matthew Bevan, former hacker turned security consultant at Kuji Media Corporation, also believes a whole new wave of assaults on infrastructure could be around the corner.

“Any new technology has a level of vulnerability attached to it, especially if it’s been insufficiently checked,” he said. “There’s nothing about Wap that enables enterprises to say ‘we’re secure’. At the moment, it’s a bit too expensive for hackers to get involved with, but as the technology gets more applicable and available, the more it will be deemed worthwhile.”

Bevan believes that network managers ought to be concerned about almost any data that does not travel via a fixed link. “Everyone knows how insecure pagers and mobile phones are. A Wap device is really just a mini- computer that anyone can hack into if they can write code small enough. Denial of Service attacks on Wap devices and gateways are only a matter of time.”

Pescatore said end-to-end wireless security will not reach the level of that obtained over the internet until the first half of 2004, mainly because of the insecurity of Wap gateways.

A major target for hackers will be the Wap gateway, attacks on which can be mounted from anywhere on the internet. In particular, the Wap gateways of service providers will act as ‘hacker magnets’ and are likely to be of insufficient strength for web transaction services, although good enough for email.

Gartner also predicts that attackers will target WTLS (wireless transport layer security) in proof of concept attacks. The analyst recommends that to guard against these problems, companies should look to securely host Wap servers and employ available third-party software tools.

Shielding software

Meanwhile, Nokia has teamed up with anti-virus software vendor McAfee to launch WebShield, which allows anti- virus software to be installed on its Nokia Network Application Platform, which is sold to enterprises and service providers.

Bob Brace, vice-president of global marketing at Nokia, said: “Both companies are working together to prevent the high damage caused by viruses.”

Brace claimed that the combination of Nokia’s network security infrastructure expertise and McAfee’s anti-virus systems will “inevitably lead to innovations”. He said the millions of pounds of damage caused by the Love Bug virus showed the market needed new developments in network security.

The two companies will develop network security hardware and software as one offering. “With a network, you need a firewall and anti-virus equipment,” said Brace.

The alliance is working to prevent viruses being brought in by mobile workers using networks via laptops. “A laptop out of the office it is under threat from viruses,” said Brace. “The virus check should be put on the edge of a network, at the gateway.”

The companies’ products will not be available until after Christmas.

Hacker turns to vendors as IT PI

Posted by Kuji on June 26th, 2008

Hacker turns to vendors as IT PI

Steve Masters [05-12-1997]

One of the two hackers accused of almost starting World War III from his bedroom in the UK walked free from court on 21 November because the law is not set up to deal with cases like his, writes Sean Fleming.

In an interview with Computing, Matthew Bevan announced he is now considering a career in IT security.

Bevan was arrested on 21 June 1996 and charged with intent to secure access to computer systems belonging to the US Air Force and defence manufacturer Lockheed. His accusers maintained he knew that such access would be unauthorised.

More than three years and 14 court appearances later, the case has been dropped. The prosecution declared it would not be in the public interest to pursue the matter.

Bevan, who used the name Kuji, and Richard Pryce – known as Datastream Cowboy – stood accused of hacking into a research centre at Griffiss Air Force base in New York state. It took two years for the US authorities to admit the break-in had taken place.

In a statement to the court, US Air Force investigator Jim Christy said the incident cost the US Air Force $211,722 (#124,000) – exclusive of the cost of their investigations.

Christy outlined the events that almost brought East and West to the brink of war. He described how Datastream Cowboy (aged 16 at the time) hacked his way into a research facility in Korea. The US authorities became aware of this when they realised that the contents of the Korean Atomic Research Institute’s database had been deposited on USAF’s New York system.

‘Initially it was unclear whether the system belonged to North Korea or South Korea,’ Christy said. ‘The concern was that if it was North Korea, they would think the transfer of data was an intrusion by the US Air Force.’

It turned out to be South Korean data, but it is not hard to imagine the potential outcome had the 16-year-old found his way into North Korea’s system. The US press referred to Bevan and Pryce as ‘digital delinquents’.

Pryce walked out of court this summer with a #1,200 fine – not much of a slap on the wrists for actions that might have sparked a war. The lenience of his sentence was the key to Bevan escaping punishment altogether.

Simon Evenden, Bevan’s solicitor, told Computing why the prosecution chose not pursue his client. He stressed that in court, judge Jeffrey Rivlin QC made it clear that he felt the prosecution had in no way done anything wrong when preparing its case.

‘The case collapsed simply because it was not economically viable to take it forward. It would have cost hundreds of thousands of pounds to bring witnesses over from the US and because of what happened to Pryce, Matthew would probably only have been fined or given community service. So it was agreed that it was not in the public interests to continue.’

Had the case continued, getting the prosecution evidence to stand up in court could have proved problematic. It is unlikely the court would have accepted any evidence stored on a computer, unless it could satisfy itself it had not been tampered with. The US authorities were happy to supply copies of emails plus records showing times and dates at which computers were hacked into, but they would not allow the court access to original information.

In the light of the Bevan case, the defence and prosecution teams are to come together in an attempt to plug some of the gaps in the law. They will be arguing for changes to a system that is clearly finding it hard to keep pace with technological change.

From the horse’s mouth Interview with Matthew Bevan

Offered the choice between pleading guilty in the hope of the court being lenient or fighting it out, Matthew Bevan plumped for the latter. He explained why to Computing. ‘As far as I was concerned, I was charged with conspiracy, which was not true, and charged with working with Richard Pryce, which was not true. As well as having to prove that I did it, the prosecution would have had to prove there had been intent. I was accused of putting a sniffer on one of the computers. The point of a sniffer is to sit undetected on a computer monitoring who’s using it and copying their passwords. It’s not there to impair the performance of the computer. So, even if they could have proved I put it there, they couldn’t prove intent to cause damage.’ Bevan is now considering a career in IT security. ‘If I can find a job where I can get paid for doing the same sort of thing as hacking, I won’t complain,’ he said.

Hacker finds his skills in demand – VnuNet

Posted by Kuji on June 26th, 2008

Hacker finds his skills in demand

By Steve Masters [25-02-1998]

Reformed saboteur warns easy PC access will lead to rising tide of cyber terrorism

It was a case of poacher turned gamekeeper last week when Mathew Bevan, the hacker formerly known as Kuji, found a respectable job as a hacker, writes Sean Fleming.

Bevan was accused of breaking into US military computer systems but walked free from Woolwich Crown Court last November after the case was dropped.

He will work as a member of a team of six reformed saboteurs launching surprise attacks on customers of London-based Tiger Computer Security.

Once weve signed a client up, we tell them to expect an attack within the next six months, but we dont tell them exactly when.

It would defeat the purpose if they were watching out for us, he explained.

Bevan whose job title will be Chief Tiger said the incidence of cyber terrorism will increase over the next five years.

I was 11 when I got my first computer and 14 by the time I had a modem.

You’ve now got kids of eight or nine with PCs at home that have good processing power and Internet access. They will become mature in the use of computers long before they are mature in the wider sense the whole situation could go bananas, he warned.

Hacked off: Court frees Air Force one – VnuNet

Posted by Kuji on June 26th, 2008

Hacked off: Court frees Air Force one

By Steve Masters [26-11-1997]

A hacker charged with breaking into the US Air Force’s command and control centres walked free from court last week

A hacker charged with breaking into the US Air Force’s command and control centres walked free from court last week, writes Sean Fleming.

The Crown Prosecution Service (CPU) said a costly court case would not be in the interests of the public.

Matthew Bevan, known as Kuji, was one of two hackers alleged to have accessed US military intelligence centres in 1994. Richard Pryce was fined #1,200 earlier this year.

Bevan has said that he was searching the US Air Force’s command and control centre for evidence of encounters with UFOs.

US Air Force investigator Jim Christy revealed that the hackers had also accessed the South Korean Atomic Research Institute, copied all the data and placed it on the US Air Force system.

Christy pointed out that the US was concerned this would be misinterpreted by the Koreans as an act of US aggression.

Confessions of a hacker by Mathew Bevan

Posted by Kuji on June 26th, 2008

Taken from “The Sunday Business Post Online” www.sbpost.ie
Cib Cover Story Confessions of a hacker
Dublin , Ireland, April 1, 2001

Mathew Bevan was known as Kuji, hacker extraordinaire, probing everything from company ceo’s files to US military bases. The Pentagon described him as “the number one threat to US security”. One day men in dark suits arrested him and he faced charges that might have sent him to jail for 15 years

This, in his own words, is his story.

I cannot help being a hacker. I have always been clever and resourceful. Later on, I became addicted to the adrenaline of electronically rifling a chief executive’s files or looking at the latest space station plans at NASA. In the months leading up to my arrest, I was described by a Pentagon official as “possibly the single biggest threat to world peace since Adolf Hitler”. Then, I faced 15 years in prison.

But first I would like to tell you about my background. I believe it will help you understand why I became what I am. This is my story.
I was 12 when I first got a computer. I was given a Sinclair ZX81 and a subscription to some computing magazines.

When I was 12, I was a nerd. I was beaten and bullied almost every day of my young school life. Through my latter school years the physical abuse was replaced with name-calling and other mental abuse.

Later on, I realised that it was this time in my life which proved the precursor to my hacking.
Like most nerds, I upgraded my machine as often as I could. At the age of 15, I bought an Amiga 500. To me, the Amiga was a piece of computing genius. Not only did it have better graphics than any PC, but also had four channel stereo sound, something that would prove useful in the months to come.

My first revelation was in discovering bulletin boards. A bulletin board was what would be described as a usenet chat forum today. Except it was much more basic. And much less regulated. My friend gave me his 2,400 baud modem and, for a month, I called every BBS (Bulletin Board) number I could get my hands on.

At the end of the month, my mother showed me a ?400 phone bill. She said she never wanted to see a phone bill like that again. From that point onwards, she never did.

I began learning about manipulation of the phone system. Not only could I make free calls, but I could obfuscate call origin. Like every aspiring hacker, I wanted to be anonymous. I found I could do so by diverting the call through several countries before reaching my destination.

I had the ability to call anywhere in the world for free and be untraceable. I was given the number to a bulletin board in Belgium called Sin City. It was a hangout for electronic deviants. I met people on that bulletin boards who were interested in the skills I had accumulated on the phone system. As a trade for that information they gave me documents, files and other information to break into computers.

Then, hackers were free with their information and less wary of the law. Then, there was no such thing as a Computer Misuse Act (British legislation) and hackers could see no harm in anything they were doing. (Today, we face longer prison sentences than those who have committed the most heinous of crimes. We can now be dealt with under the new [British] anti-terrorist laws putting our crimes above that of murder.)

So I began to make friends. I was able for the first time to interact with people all across the globe. These people wanted nothing more than to share interests and as a result we became good friends, even though I would only ever actually meet a handful of them in person. Here, in the computer realm, I was strong and fearless, even if I felt scared and powerless in real life. I would get up and go to school, hate it, return home and get on the internet until about 4am or 5am. Then I would sleep for an hour or two and repeat the cycle.

I began taking the path of the computer mis-user very quickly, and it was not long before I was breaking into all sorts of machines, big and small. I did it purely because I could. One way of describing it is in relation to the curiosity that a parent feels when they find their child’s diary. They know it is wrong to read it, but something inside is just too inquisitive.

Hacking is like that in many ways. You know it’s wrong but the excitement, the rush of being in a powerful institution’s files is overwhelming. That is where the addictive nature of hacking can take hold. You feel the rush once — you want it again. And again. And again.

I cannot actually remember the first; I hacked so many machines in quick succession that the specifics elude me for all but the most memorable.
But this was soon to come.

I hacked everything I could, but there was something lacking; I wanted a direction. I found that needed direction on a bulletin board based in Australia. The bulletin board was called Destiny Stone and was run by a phone phreaker called Ripmax. A phone phreaker is a term for someone who hacks at systems using a phone connection. Ripmax had ended up on the wrong side of the law. What I found on his system were hundreds of documents about UFOs, government cover-ups and conspiracy theories.

I became interested. At that time, a hacker publication called PHRACK released a story about the alleged disappearance of 40 hackers. They had been targeting military systems to try an uncover the truth.

PHRACK printed the names of the bases that were thought to have been the targets by the missing group. I noted all of the military bases that were named in the various UFO documents I had downloaded.

I then began a systematic attack on each of the ones I could find with online equivalents. I had many jump-off points with which to attack these military bases. I thought I was safe.

I had already broken so many other systems, corporate, educational, and government contractors that it would be easy to find routes into the systems.

I was naive. While I was penetrating the different bases, four thousand miles away a group of high-ranking military personnel from the Air Force Office of Special Investigations (AFOSI) and Air Force Information Warfare Centre (AFIWAC) were gathered around a few computer terminals at Griffiss Air Force Base in Rome, New York.
This group, I learned from later reports (and three subsequent US Senate enquiries), were `hacker trackers’. They monitored all activity including keystrokes within the network and they were watching a particular chain of events closely. Over the preceding days, they had been following the activities of two hackers, Datastream Cowboy and Kuji, who had penetrated numerous sensitive computer systems belonging to the army and Air Force.

They discovered via an informant on an Internet chat system, IRC, that Datastream Cowboy was a 15 year old English boy. Shortly afterwards, a boy, Richard Pryce was arrested by the Metropolitan Computer Crime Unit, in England.
For legal reasons, I must be careful now about how I continue. The other hacker was deemed more elusive and wily and the only thing the group had to go on was his handle Kuji. Little was known about this hacker. Kuji had been spotted on an Australian bulletin board by investigators but that is where information ran dry. Investigators said that Kuji would stay online for only short periods of time, never long enough to be traced successfully.

The investigators said that while Datastream Cowboy made mistakes, Kuji seemes flawless in his technique. They would observe what they believed to be Datastream Cowboy attempting to attack a site, fail, talk to Kuji and a minute later successfully get in.

They concluded that Kuji was far more sophisticated and had financial motives. They decided that Kuji was a spy, tutoring the younger Datastream Cowboy in exchange for military secrets. It did not occur to them that the culprit could be an 18 year old kid living in Cardiff with very little stashed under the floorboards.
In the following year, Kuji became the subject of unprecedented comment and speculation. The story of the hacking broke. US Senate enquiries ensued. One pentagon official described Kuji as “possibly the single biggest threat to world peace since Adolf Hitler”.

One year later, a year after Pryce’s arrest (he was later fined ?1,200), a tip-off to the police identified ‘Kuji’ and subsequently I was arrested at work.

At the time, I was working in the IT department of an Insurance company and was fixing the MD’s computer. A group of dark suited men walked into the office. I was read my rights and arrested for various computer crimes against NATO, NASA, the US Air Force and other military installations.
I had a suspicion they might find me, but believed that due to them looking for a spy the chances were slim. My reaction was one of calm. I had read reports of Pryce’s arrest and was aware that he had broken down in tears. Reports had claimed that he began shouting “God, what have I done”. I did not want that to be held against me.

I was taken to the local police station for questioning and charged with conspiracy under the (British) Computer Misuse Act.
For the next 18 months I was prosecuted and underwent preparation for a trial which could have sent me to prison for 15 years.
I maintained throughout that any hacking I had done was on my own. There was no conspiracy. My argument was that I was in competition. As such I refused to accept any deals with which the prosecution offered based upon conspiracy.
In addition, conflicting information regarding sensitive information held on the sites and various other technical faults affected the prosecution’s case.

By the time the prosecution realised there was no conspiracy, they had run out of time to charge me with the other original offence, unauthorised access. This left them with only three more serious offences including unauthorised access with intent to impair the operation of the computer. This was nonsense. I would never wish to impair a machine I am having fun using to attack other machines.

The case was finally decided before going to trial with the prosecution offering no evidence. That meant a full acquittal with not guilty verdicts recorded. The British Crown Prosecution Service held that it was not in the public interest to prosecute me. They estimated the cost of a four month trial at ?10,000 a day plus the cost of bringing high ranking military personnel from America.

Looking back, I now believe that my case was not about hacking, but an exercise in propaganda. In the same year that a handful of hackers were caught, there was an estimated 250,000 attacks on computers in the US Department of Defence.
It was a prime target. I believe it was no coincidence that when the Senate was being asked for money to fund protection against Information Warfare, a case study appearing to proving their point fell in their laps.

But I am not bitter. I have respect, now. I am not bullied anymore. I will not attack your company anymore. I now work on the right side of the law as a computer consultant, mainly work performing penetration tests. I also volunteer my time and technical ability to www.antichildporn.org.

But I am still a hacker.

Mathew Bevan can be reached at hacker@kujimedia.com or www.kujimedia.com

EuroKom IT Security Seminar

Posted by Kuji on June 26th, 2008

EuroKom IT Security Seminar

Thursday 18th October, 2001

CEO’s and IT Managers from over fifty companies and organisations attended the EuroKom IT security seminar, which was held on 17 October in Citywest, Dublin. The seminar was opened by Noel Treacy, TD Minister for Science and Technology who told the attendees that ‘Confidence in IT Security is crucial to the success of eBusiness.’ Minister Treacy went on to elaborate on the actions that the Government are taking as a pro-active approach to meeting the challenges and opportunities which the digital economy presents. (The full text of the Minister’s speech can be viewed here.)

Brian Lynch, EuroKom’s Sales and Marketing Director, announced a partnership with Celare Ltd, one of Northern Ireland’s leading providers of IT Security Services. Brian stated that through this collaboration with Celare, EuroKom could now offer a unique range of corporate communications and security solutions throughout Ireland.

Keynote speaker at the seminar was Matt Bevan, otherwise known as ‘Kuji’, a reformed hacker who was quoted by the FBI as having ‘?created more harm than the KGB.’ Kuji, then a computer student, is alleged to have penetrated the US Air Force computer systems in 1994. He did it in the back bedroom of his parent’s home near Cardiff in Wales using a computer that his parents had given him for his 16th birthday. Kuji is also alleged to have hacked into NATO and NASA computer systems. In one case, he is also said to have hacked into the US FLEX system (Force Level Execution) and had the power to fire a Peacekeeper missile with a payload of 150 kilotonnes. Newspaper headlines at the time claimed that he ” Could have Started World War 3″ and that he “Even knew Mel Gibson’s Credit card number”. To this day, he believes that his e-mail, ordinary mail and telephones are still monitored by the Pentagon. (In 1994, there were 38,000 intrusions into Pentagon computers of which only 900 were detected.)

Tales of Digital Crime from the Shadows of Cyberspace – Chapter Six

Posted by Kuji on June 26th, 2008

Tangled Web:

Tales of Digital Crime from the Shadows of Cyberspace

Chapter Six

One of the greatest misconceptions among the many who hamper the defense of cyberspace is the idea that all hacking is done only by juvenile joy riders: i.e., youthful geniuses bent on embarrassing law enforcement and the military. Of course, one of the ways in which this misconception is spread is through the mainstream media. Most cases that reach the light of day usually do end up involving juvenile hackers.

Why? Well, cases involving true cyberterrorists, information warriors, intelligence agencies, and corporate spies slip below the surface of the headlines. They are lost in the murky waters of “classified operations” or are swept under thick corporate carpets. (You’ll read more about such cases in Chapter 10 and Chapter 12.)

Juvenile hackers or other “sport hackers” (a term used to describe hackers who break into systems for the same reasons but aren’t minors) end up in the newspapers because they get caught. They also end up in the headlines because they seek the limelight. Furthermore, acknowledging their activities doesn’t open a Pandora’s box for the government agency or the corporation that was hit. If a government agency acknowledged an intelligence operation conducted by another country, there could be serious diplomatic or even military consequences. If a major corporation acknowledged a hack attack in which trade secrets were compromised seemingly by another corporation, there would be a public relations debacle: for example, their stock could dive, lawsuits could get filed, etc.

Nevertheless, juvenile or sport hackers, or joy riders, have wreaked a lot of havoc and mayhem over the years.

Here are some of the details of three high-profile stories, stretching from 1994 to 1999, that illustrate some of the lessons learned and unlearned along the way.

The Rome Labs Case: Datastream Cowboy and Kuji Mix It Up with the U.S. Air Force

The Rome Air Development Center (Rome Labs), located at Griffiss Air Force Base (New York), is the U.S. Air Force’s premier command-and- control research facility.

Rome Lab researchers collaborate with universities, defense contractors, and commercial research institutions on projects involving artificial intelligence systems, radar guidance systems, and target detection and tracking systems.

On March 28, 1994, Rome Labs’s system administrators (sysadmins) noticed that a password sniffer, a hacking tool that gathers user’s login information, had been surreptitiously installed on a system linked to the Rome Labs network. The sniffer had collected so much information that it filled the disk and crashed the system, according to James Christy, who was director of Computer Crime Investigations for the Air Force Office of Special Investigations.

The sysadmins informed the Defense Information Systems Agency (DISA) that the Rome Labs network had been hacked into by an as yet unknown perpetrator. The DISA Computer Emergency Response Team (CERT), in turn, informed the Air Force Office of Special Investigations (AFOSI) of the report of an intrusion. The AFOSI, in turn, informed the Air Force Information Warfare Center (AFIWC), headquartered in San Antonio, Texas.

An AFOSI team of cybercrime investigators and security experts was dispatched to Rome Labs. They reviewed audit trails and interviewed the sysadmins. The conclusions that they reached in their preliminary investigation were very disturbing.

Two hackers had broken into seven different computers on the Rome Labs network. They had gained unlimited access, downloaded data files, and secreted sniffers on every one of them. The seven sniffers had compromised a total of 30 of Rome Labs’s systems.

These systems contain sensitive research and development data.

System security logs disclosed that Rome Labs’s systems had been actually been hacked into for the first time on March 23, five days before the discovery made on March 28.

The investigation went on to disclose that the seven sniffers had compromised the security of more than 100 more user accounts by capturing user logons and passwords. Users’ e-mail messages had been snooped, duplicated, and deleted. Sensitive battlefield simulation program data had been pursued and purloined. Furthermore, the perpetrators had used Rome Labs’s systems as a jumping-off point for a series of hack attacks on other military, government, and research targets around the world. They broke into user accounts, planted sniffer programs, and downloaded massive quantities of data from these systems as well.

The investigators offered the Rome Labs commanding officer the option of either securing all the systems that had been hacked or leaving one or more of them open to attack. If they left a few systems open, they could monitor the comings and goings of the attackers in the hope of following them back to the their point of origination and identifying them.

The commander opted to leave some of the systems open to lay a trap for the intruders.

Investigators Wrestle with Legal Issues and Technical Limitations

Using standard software and computer systems commands, the attacks were initially traced back one leg of their path. The majority of the attacks were traced back to two commercial Internet service providers, cyberspace.com, in Seattle, Washington and mindvox.phantom.com, in New York City.

Newspaper articles indicated that the individuals who provided mindvox.phantom.com’s computer security described themselves as “two former East Coast Legion of Doom members.”

The Legion of Doom (LoD) was a loose-knit computer hacker group that had several members convicted for intrusions into corporate telephone switches in 1990 and 1991. Because the agents did not know whether the owners of the New York Internet service provider were willing participants or merely a transit point for the break-ins at Rome Labs, they decided not to approach them. Instead, they simply surveiled the victim computer systems at Rome Labs’s network to find out the extent of the intruders’ access and identify all the victims.

Following legal coordination and approval with Headquarters, AFOSI’s legal counsel, the Air Force General Counsel’s Office, and the Computer Crime Unit of the Department of Justice, real-time content monitoring was established on one of Rome Labs’s networks. Real-time content monitoring is analogous to performing a wiretap because it allows you to eavesdrop on communications, or in this case, text. The investigative team also began full keystroke monitoring at Rome. The team installed a sophisticated sniffer program to capture every keystroke performed remotely by any intruder who entered the Rome Labs.

This limited context monitoring consisted of subscribing to the commercial ISPs’ services and using only software commands and utilities the ISP authorized every subscriber to use. The team could trace the intruder’s path back only one leg. To determine the next leg of the intruder’s path required access to the next system on the hacker’s route. If the attacker was using telephone systems to access the ISP, a court-ordered “trap and trace” of telephone lines was required.

Due to time constraints involved in obtaining such an order, this was not a viable option. Furthermore, if the attackers changed their path, the trap and trace would not be fruitful. During the course of the intrusions, the investigative team monitored the hackers as they intruded on the system and attempted to trace the intruders back to their origin. They found the intruders were using the Internet and making fraudulent use of the telephone systems, or “phone phreaking.”

Because the intruders used multiple paths to launch their attacks, the investigative team was unable to trace back to the origin in real-time due to the difficulty in tracing back multiple systems in multiple countries.

In my interview with James Christy for this book, he provided fascinating insight into the deliberations over what capabilities could be used to pursue the investigation.

“The AFIWC worked the Rome Labs case with us,” Christy says. “They developed the Hackback tool right at Rome.” According to Christy, Hackback is a tool that does a finger back to the system the attack came from, then launches a scripted hack attack on that system, surveils the system, finds the next leg back, and then launches a scripted attack on that system. Hackback was designed to follow them all the way back over the Internet to their point of origination.

“Well, AFIWC developed this tool,” Christy continues, “but we told them, ‘Hey, you can’t use that ’cause it’s illegal. You’re doing the same thing as the hacker is doing: You’re breaking into systems.’ They said, General Minihan [who was at that time the head of the NSA] says, ‘We’re at war, we’re going to use it.’ My guys had to threaten to arrest them if they did. So we all said, ‘Let’s try something.’ ”

Christy tells me there was a big conference call involving the DoJ, the Secret Service, the FBI, AFOSI, and the guys that were up at Rome Labs. “We all claimed exigent circumstances, a hot pursuit. Scott Charney [who was at that time the head of DoJ’s computer crime unit] gave us the approval to go run Hackback one time. We did it, but it didn’t buy us anything. The hackers weren’t getting into those nodes via the Internet. They were getting in through telephone dial-ups. So it dead-ended where we already knew it was coming from.”

Datastream Cowboy’s Biggest Mistake

As the result of the monitoring, the investigators could determine that the hackers used the nicknames Datastream and Kuji. With this clue, AFOSI Computer Crime Investigators turned to their human intelligence network of informants that surf the Internet. The investigators levied their informants to identify the two hackers using the handles Datastream and Kuji.

“Our investigators went to their sources,” Christy recalls, “saying, ‘Help us out here, anybody know who these guys are?’ And a day and a half later, one of these sources came back and said, ‘Hey, I got this guy. Here’s his e-mail!'”

According to Christy, these informants have diverse motivations. Some of them want to be cops; some of them want to do the right thing; some of them simply find hacking exciting; some of them have pressure brought to bear on them because of their own illegal activities.

Indeed, whatever the motivation, on April 5, 1994, an informant told the investigators he had a conversation with a hacker who identified himself as Datastream Cowboy.

The conversation was via e-mail and the individual stated that he was from the United Kingdom. The on-line conversation had occurred three months earlier. In the e-mail provided by the informant, Datastream indicated he was a 16-year-old who liked to attack .mil sites because they were so insecure.

Datastream had even provided the informant with his home telephone number for his own hacker bulletin board systems he had established.

Bragging of his hacking feats, as Christy explains, was Datastream Cowboy’s big mistake.

“It was the only way we solved the case,” he said. “If we had to rely on surveillance alone, we never would have traced it back to them because of all the looping and weaving through South America. We would have been working with multiple countries.

“Did these South American countries have laws against hacking?” Christy continues. “No. Would the South Americans have been able to do a trap and trace? Maybe not. Remember, they were using telephone lines.”

The Air Force agents had previously established a liaison with New Scotland Yard who could identify the individuals living at the residence associated with Datastream’s telephone numbers.

New Scotland Yard had British Telecom initiate monitoring of the individual’s telephone lines with pen registers. A pen register records all the numbers dialed by the individuals at the residence. Almost immediately, monitoring disclosed that someone from the residence was phone phreaking through British Telecom, which is also illegal in the United Kingdom.

Within two days, Christy and the investigative team knew who Datastream Cowboy was. For the next 24 days, they monitored Datastream’s online activity and collected data.

During the 26-day period of attacks, the two hackers, Datastream Cowboy and Kuji, made more than 150 known intrusions.

Scotland Yard Closes in on Datastream Cowboy

New Scotland Yard found that every time an intrusion occurred at Rome Labs, the individual in the United Kingdom was phone-phreaking the telephone lines to make free telephone calls out of Britain. Originating from the United Kingdom, his path of attack was through systems in multiple countries in South America and Europe, and through Mexico and Hawaii; occasionally he would end up at Rome Labs. From Rome Labs, he was able to attack systems via the Internet at NASA’s Jet Propulsion Laboratory in California and its Goddard Space Flight Center in Greenbelt, Maryland.

Continued monitoring by the British and American authorities disclosed that on April 10, 1994, Datastream successfully penetrated an aerospace contractor’s home system. The attackers captured the contractor’s logon at Rome Labs with sniffer programs when the contractor logged on to home systems in California and Texas. The sniffers captured the addresses of the contractor’s home system, plus the logon and password for that home system. After the logon and password were compromised, the attackers could masquerade as that authorized user on the contractor’s home system. Four of the contractor’s systems were compromised in California and a fifth was compromised in Texas.

Datastream also used an Internet Scanning Software (ISS)1 attack on multiple systems belonging to this aerospace contractor. ISS is a hacker tool developed to gain intelligence about a system. It attempts to collect information on the type of operating system the computer is running and any other available information that could be used to assist the attacker in determining what attack tool might successfully break into that particular system. The software also tries to locate the password file for the system being scanned, and then tries to make a copy of that password file.

The significance of the theft of a password file is that, even though password files are usually stored encrypted, they are easily cracked. Several hacker “password cracker” programs are available on the Internet. If a password file is stolen or copied and cracked, the attacker can then log on to that system as what the systems perceive is a legitimate user.

Monitoring activity disclosed that, on April 12, Datastream initiated an ISS attack from Rome Labs against Brookhaven National Labs, Department of Energy, New York. Datastream also had a two-hour connection with the aerospace contractor’s system that was previously compromised.

Kuji Hacks into Goddard Space Flight Center

On April 14, 1994, remote monitoring activity of the Seattle ISP conducted by the Air Force indicated that Kuji had connected to the Goddard Space Flight Center through an ISP from Latvia. The monitoring disclosed that data was being transferred from Goddard Space Flight Center to the ISP. To prevent the loss of sensitive data, the monitoring team broke the connection. It is still not known whether the data being transferred from the NASA system was destined for Latvia. (Latvia as a destination for sensitive data was, of course, something that concerned investigators. After all, the small Baltic nation had only recently become independent of Russian domination. It had been a part of the former U.S.S.R.)

Further remote monitoring activity of cyberspace.com disclosed that Datastream was accessing the National Aero-Space Plane Joint Program Office, a joint project headed by NASA and the Air Force at Wright- Patterson Air Force Base, Ohio. Monitoring disclosed a transfer of data from Wright-Patterson traversing through cyberspace.com to Latvia.

Apparently, Kuji attacked and compromised a system in Latvia that was just being used as conduit to prevent identification. Kuji also initiated an ISS attack against Wright-Patterson from cyberspace.com the same day. He also tried to steal a password file from a computer system at Wright- Patterson Air Force Base.

Kuji Attempts to Hack NATO HQ

On April 15, real-time monitoring disclosed Kuji executing the ISS attack against NATO Headquarters in Brussels, Belgium, and Wright-Patterson from Rome Labs. Kuji did not appear to gain access to any NATO systems from this particular attack. However, when interviewed on April 19 by AFOSI, a systems administrator from NATO’s SHAPE Technical Center in the Hague, Netherlands, disclosed that Datastream had successfully attacked one of SHAPE’s computer systems from the ISP mindvox.phantom.com in New York.

After authorities confirmed the hacker’s identity and developed probable cause, New Scotland Yard requested and obtained a search warrant for the Datastream Cowboy’s residence. The plan was to wait until the individual was online at Rome Labs, and then execute the search warrant. The investigators wanted to catch Datastream online so that they could identify all the victims in the path between his residence and Rome Labs. After Datastream got online at Rome Labs, he accessed a system in Korea, downloaded all data stored on the Korean Atomic Research Institute system, and deposited it on Rome Labs’s system.

Initially, it was unclear whether the Korean system belonged to North or South Korea. Investigators were concerned that, if it did belong to North Korea, the North Koreans would think the logical transfer of the storage space was an intrusion by the U.S. Air Force, which could be perceived as an aggressive act of war. During this time frame, the United States was in sensitive negotiations with the North Koreans regarding their nuclear weapons program. Within hours, it was determined that Datastream had hacked into the South Korean Atomic Research Institute.

At this point, New Scotland Yard decided to expand its investigation, asked the Air Force to continue to monitor and collect evidence in support of its investigation, and postponed execution of the search warrant.

Scotland Yard Knocks on Datastream Cowboy’s Door

On May 12, investigators from New Scotland Yard executed their search warrant on Datastream’s residence. When they came through the door, 16- year-old Richard Pryce (a.k.a. Datastream Cowboy) curled up in the fetal position and wept.

The search disclosed that Datastream had launched his attacks with only a 25 MHz, 486 SX desktop computer with only a 170 megabyte hard drive. This is a modest system, with limited storage capacity. Datastream had numerous documents that contained references to Internet addresses, including six NASA systems and U.S. Army and U.S. Navy systems with instructions on how to loop through multiple systems to avoid detection.

At the time of the search, New Scotland Yard detectives arrested and interviewed Datastream. Detectives stated that Datastream had just logged out of a computer system when they entered his room. Datastream admitted to breaking into Rome Labs numerous times as well as multiple other Air Force systems (Hanscom Air Force Base, Massachusetts, and Wright-Patterson). (He was charged with crimes spelled out in Britain’s Computer Misuse Act of 1990.)

Datastream admitted to stealing a sensitive document containing research regarding an Air Force artificial intelligence program that dealt with Air Order of Battle. He added that he searched for the word missile, not to find missile data but to find information specifically about artificial intelligence. He further explained that one of the files he stole was a 3_4 megabyte file (approximately three to four million characters in size). He stored it at mindvox.phantom.com’s system in New York because it was too large to fit on his home system.

Datastream explained he paid for the ISP’s service with a fraudulent credit card number that was generated by a hacker program he had found on the Internet. Datastream was released on bail following the interview.

This investigation never revealed the identity of Kuji. From conduct observed through the investigators’ monitoring, Kuji was a far more sophisticated hacker than the teenage Datastream. Air Force investigators observed that Kuji would only stay on a telephone line for a short time, not long enough to be traced successfully. No informant information was available except that Computer Crime Investigators from the Victoria Police Department in Australia had seen the name Kuji on some of the hacker bulletin-board systems in Australia.

Unfortunately, Datastream provided a great deal of the information he stole to Kuji electronically. Furthermore, Kuji appears to have tutored Datastream on how to break into networks and on what information to obtain. During the monitoring, the investigative team could observe Datastream attack a system and fail to break in. Datastream would then get into an online chat session with Kuji, which the investigative team could not see due to the limited context monitoring at the Internet service providers. These chat sessions would last 20_40 minutes. Following the on-line conversation, the investigative team would then watch Datastream attack the same system he had previously failed to penetrate, but this time he would be successful.

Apparently Kuji assisted and mentored Datastream and, in return, received stolen information from Datastream. Datastream, when interviewed by New Scotland Yard’s Computer Crime Investigators, told them he had never physically met Kuji and only communicated with him through the Internet or on the telephone.

Kuji’s Identity Is Finally Revealed

In 1996, New Scotland Yard was starting to feel some pressure from the glare of publicity surrounding the upcoming hearings in the U.S. Senate, chaired by Sam Nunn (D-Georgia). Two years had passed since the arrest of the Datastream Cowboy, and yet Kuji was still at large.

New Scotland Yard investigators went back to take a closer look at the evidence they had seized and found a phone number that they hadn’t traced back to its origin. When they did trace it, they discovered Kuji’s true identity. Ten days after Jim Christy’s initial testimony concerning the Rome Lab intrusions, 21-year-old Matthew Bevan (a.k.a. Kuji) was finally apprehended.

In court, Pryce pleaded guilty to 12 hacking offenses and paid a nominal fine of 1,200 British pounds.

But Bevan, whose father was a police officer, “lawyered-up.”

After 20 hearings in which the defense challenged the Crown’s evidence, the prosecution made a “business decision” and dropped the charges.

Bevan is now a computer security consultant. His Web site, http:// www.bogus.net/, features an archive of news media coverage of the Rome Labs case, a timeline of his exasperating and successful legal maneuvers, photographs of his arresting officers, and scanned headlines from the London tabloids.

In my interview with Bevan, I asked him about the motivation in the attack on Rome.

“My quest,” he tells me, “was for any information I could find relating to a conspiracy or cover-up of the UFO phenomenon. I was young and interested in the UFO stuff that I had read and of course as I had the access to such machines that were broken (i.e., with poor security) it was a natural progression to seek out information.

“Also,” Bevan continues, “I was bullied almost every day of my school life; the hacking world was pure escapism. I could go to school, endure the day, come home, and log on to another world. Somewhere I could get respect, somewhere that I had friends.

“At school I may have been bullied but in the back of my mind was ‘Well, I hacked NASA last night, and what did you do?'”

I also asked Bevan if he wanted to set the record straight in regard to how authorities handled the case or how the media reported it.

“One of the biggest concerns that I have about the reporting of the case relates to the InfoWar aspect,” he says. “It is suggested that we were taken to the brink of WWIII because of an attack on the Korean nuclear research facility. A Secret Service agent here alleged that bombers were already on their way to Korea to do a preemptive strike as it was thought that when they discovered the attack, said to have come from a U.S. military computer, they would retaliate.

“In the evidence presented in the case,” Bevan says, “there was a snippet of a log that shows Datastream Cowboy logging into said facility with the user ID of ‘sync,’ and as the user has no Unix shell associated with it, the login is terminated. Nowhere else in the logs is any record of the intrusion being successful, and in my opinion the logs do not reflect that. Being called ‘the single biggest threat to world peace since Adolf Hitler’ is a tad annoying, but then even the layman can see that is just hype and propaganda.”

Who Can Find the Bottom Line?

A damage assessment of the intrusions into the Rome Labs’s systems was conducted on October 31, 1994. The assessment indicated a total loss to the United States Air Force of $211,722. This cost did not include the costs of the investigative effort or the recovery and monitoring team.

No other federal agencies that were victims of the hackers (for example, NASA) conducted damage assessments.

The General Accounting Office conducted an additional damage assessment at the request of Senator Nunn. (See GAO Report, Information Security: Computer Attacks at Department of Defense Pose Increasing Risks [AIMD-96-84], May 22, 1996.)

Some aspects of this investigation remain unsolved:

The extent of the attack. The investigators believe they uncovered only a portion of the attack. They still don’t know whether the hackers attacked Rome Labs at previous times before the sniffer was discovered or whether the hackers attacked other systems where they were not detected.

The extent of the damage. Some costs can be attributed to the incident, such as the cost of repair and the cost of the investigative effort. The investigation, however, was unable to reveal what they downloaded from the networks or whether they tampered with any data. Given the sensitive information contained on the various computer networks (at Rome Labs, Goddard Space Flight Center, the Jet Propulsion Laboratory, Wright- Patterson AFB, or the National Aero-Space Plane Program), it is very difficult to quantify the loss from a national security perspective.

HotterthanMojaveinmyheart:2 The Case of Julio Cesar Ardita

On March 29, 1996, the U.S. Justice Department announced it had charged Julio Cesar Ardita (a.k.a. “El Griton”), a 21-year-old Argentine, with breaking into Harvard University’s computer network and using it as a staging platform for many other hacks into sites throughout cyberspace. Like Kuji and the Datastream Cowboy, Ardita targeted sites belonging to NASA, DoD, several American universities, and those in other countries (for example, Korea, Mexico, Taiwan, Chile, and Brazil). Like Kuji and the Datastream Cowboy, Ardita gained unauthorized access to important and sensitive information in his explorations. In Ardita’s case, the research information that was compromised involved satellites, radiation, and energy-related engineering.

Peter Garza of Evidentdata (Ranchero Cucamonga, California) was a special agent for the Naval Criminal Investigative Services. He led the digital manhunt that ended in Buenos Aires. Garza described Ardita as a dedicated hacker. “Ardita was no ordinary script kiddie,”

Garza tells me. “He didn’t run automated hacking scripts downloaded from someone else’s site. He did his hacking the old-fashioned way. He used a terminal emulator program, and he conducted manual hacks. He was prodigious. He had persistence and stamina. Indeed, I discovered records of ten thousand sessions on Ardita’s home computer after it was seized. During the technical interviews we did of Ardita in Argentina (after his arrest), he would describe all-night sessions hacking into systems all over the Internet.

“Early on in the investigation,” Garza adds, “I had guessed this would be a solvable case because of this persistence. I had guessed that because this was such a prolific hacker, he had to use the same file names, techniques, and hiding places just so that he would be able to remember where he left collected userids and passwords behind on the many hacked systems. Also, I hoped the hacker was keeping records to recall the hacked sites. Records that would help further the investigation if we were successful in tracking the hacker down. It was gratifying that I was right on both counts. Records on his seized computer, along with his detailed paper notes, helped us reconstruct much of what he had done.”

Like the investigation that led to the identification and arrest of the Rome Labs hackers, the pursuit that led to the identification and arrest of Ardita accelerated the learning curve of those responsible for tracking down cybercriminals and bringing them to justice.

The following account, drawn from my interview with Garza and the court affidavit written by Garza himself in support of the criminal complaint against Ardita, sheds light on the details of the investigations and the groundbreaking work that the case required.

How the Search for “El Griton” Began

Sysadmins at a U.S. Navy research center in San Diego detected that certain system files had been altered. Taking a closer look, they uncovered certain files, including a sniffer he left behind, the file that contained the passwords he was logging, and a couple programs he used to gain root access and cover up his tracks.

This evidence enabled Garza to construct a profile of the hacker.

Coincidentally, and fortuitously, Garza and other naval security experts happened to be at the San Diego facility for a conference on the day that the intrusion was detected.

They worked late into the night. They succeeded in tracking the as-yet- unidentified hacker to a host system administered by the Faculty of Arts and Sciences (FAS) at Harvard University, Cambridge, Massachusetts. The hacker was making unauthorized use of accounts on the FAS host and trying to access other systems connected to Harvard’s network via the Internet.

(As early as July 1995, host computers across the United States as well as in Mexico and the United Kingdom reported both successful and unsuccessful hacking attempts seeming to originate from the FAS Harvard host. But this U.S. Navy investigation that commenced in late August would lead to Ardita’s arrest.)

Although it was impossible at first to determine the hacker’s true identity because he was using the legitimate account holders’ identities as his aliases or covers, investigators could distinguish the hacker from other users of the FAS Harvard host and the Internet through certain distinctive patterns of illicit activity. But to track the hacker all the way back to his point of origination, Garza was going to need a court order for a wiretap.

“I called the U.S. Attorney’s office in Boston on a Thursday and asked if we could have the court order in place by Monday,” Garza recounts. “They laughed. Six months was considered the ‘speed of light’ for wiretap approval. But we started to put the affidavit together anyway, and got it okayed in only six weeks, which at that time was unheard of.



Copyleft © 2007 - 2012+ Kuji Media Corporation Ltd.. All rights reserved.