Kuji Media Corporation Ltd.

Taken from “The Sunday Business Post Online” www.sbpost.ie
Cib Cover Story Confessions of a hacker
Dublin , Ireland, April 1, 2001

Mathew Bevan was known as Kuji, hacker extraordinaire, probing everything from company ceo’s files to US military bases. The Pentagon described him as “the number one threat to US security”. One day men in dark suits arrested him and he faced charges that might have sent him to jail for 15 years

This, in his own words, is his story.

I cannot help being a hacker. I have always been clever and resourceful. Later on, I became addicted to the adrenaline of electronically rifling a chief executive’s files or looking at the latest space station plans at NASA. In the months leading up to my arrest, I was described by a Pentagon official as “possibly the single biggest threat to world peace since Adolf Hitler”. Then, I faced 15 years in prison.

But first I would like to tell you about my background. I believe it will help you understand why I became what I am. This is my story.
I was 12 when I first got a computer. I was given a Sinclair ZX81 and a subscription to some computing magazines.

When I was 12, I was a nerd. I was beaten and bullied almost every day of my young school life. Through my latter school years the physical abuse was replaced with name-calling and other mental abuse.

Later on, I realised that it was this time in my life which proved the precursor to my hacking.
Like most nerds, I upgraded my machine as often as I could. At the age of 15, I bought an Amiga 500. To me, the Amiga was a piece of computing genius. Not only did it have better graphics than any PC, but also had four channel stereo sound, something that would prove useful in the months to come.

My first revelation was in discovering bulletin boards. A bulletin board was what would be described as a usenet chat forum today. Except it was much more basic. And much less regulated. My friend gave me his 2,400 baud modem and, for a month, I called every BBS (Bulletin Board) number I could get my hands on.

At the end of the month, my mother showed me a ?400 phone bill. She said she never wanted to see a phone bill like that again. From that point onwards, she never did.

I began learning about manipulation of the phone system. Not only could I make free calls, but I could obfuscate call origin. Like every aspiring hacker, I wanted to be anonymous. I found I could do so by diverting the call through several countries before reaching my destination.

I had the ability to call anywhere in the world for free and be untraceable. I was given the number to a bulletin board in Belgium called Sin City. It was a hangout for electronic deviants. I met people on that bulletin boards who were interested in the skills I had accumulated on the phone system. As a trade for that information they gave me documents, files and other information to break into computers.

Then, hackers were free with their information and less wary of the law. Then, there was no such thing as a Computer Misuse Act (British legislation) and hackers could see no harm in anything they were doing. (Today, we face longer prison sentences than those who have committed the most heinous of crimes. We can now be dealt with under the new [British] anti-terrorist laws putting our crimes above that of murder.)

So I began to make friends. I was able for the first time to interact with people all across the globe. These people wanted nothing more than to share interests and as a result we became good friends, even though I would only ever actually meet a handful of them in person. Here, in the computer realm, I was strong and fearless, even if I felt scared and powerless in real life. I would get up and go to school, hate it, return home and get on the internet until about 4am or 5am. Then I would sleep for an hour or two and repeat the cycle.

I began taking the path of the computer mis-user very quickly, and it was not long before I was breaking into all sorts of machines, big and small. I did it purely because I could. One way of describing it is in relation to the curiosity that a parent feels when they find their child’s diary. They know it is wrong to read it, but something inside is just too inquisitive.

Hacking is like that in many ways. You know it’s wrong but the excitement, the rush of being in a powerful institution’s files is overwhelming. That is where the addictive nature of hacking can take hold. You feel the rush once — you want it again. And again. And again.

I cannot actually remember the first; I hacked so many machines in quick succession that the specifics elude me for all but the most memorable.
But this was soon to come.

I hacked everything I could, but there was something lacking; I wanted a direction. I found that needed direction on a bulletin board based in Australia. The bulletin board was called Destiny Stone and was run by a phone phreaker called Ripmax. A phone phreaker is a term for someone who hacks at systems using a phone connection. Ripmax had ended up on the wrong side of the law. What I found on his system were hundreds of documents about UFOs, government cover-ups and conspiracy theories.

I became interested. At that time, a hacker publication called PHRACK released a story about the alleged disappearance of 40 hackers. They had been targeting military systems to try an uncover the truth.

PHRACK printed the names of the bases that were thought to have been the targets by the missing group. I noted all of the military bases that were named in the various UFO documents I had downloaded.

I then began a systematic attack on each of the ones I could find with online equivalents. I had many jump-off points with which to attack these military bases. I thought I was safe.

I had already broken so many other systems, corporate, educational, and government contractors that it would be easy to find routes into the systems.

I was naive. While I was penetrating the different bases, four thousand miles away a group of high-ranking military personnel from the Air Force Office of Special Investigations (AFOSI) and Air Force Information Warfare Centre (AFIWAC) were gathered around a few computer terminals at Griffiss Air Force Base in Rome, New York.
This group, I learned from later reports (and three subsequent US Senate enquiries), were `hacker trackers’. They monitored all activity including keystrokes within the network and they were watching a particular chain of events closely. Over the preceding days, they had been following the activities of two hackers, Datastream Cowboy and Kuji, who had penetrated numerous sensitive computer systems belonging to the army and Air Force.

They discovered via an informant on an Internet chat system, IRC, that Datastream Cowboy was a 15 year old English boy. Shortly afterwards, a boy, Richard Pryce was arrested by the Metropolitan Computer Crime Unit, in England.
For legal reasons, I must be careful now about how I continue. The other hacker was deemed more elusive and wily and the only thing the group had to go on was his handle Kuji. Little was known about this hacker. Kuji had been spotted on an Australian bulletin board by investigators but that is where information ran dry. Investigators said that Kuji would stay online for only short periods of time, never long enough to be traced successfully.

The investigators said that while Datastream Cowboy made mistakes, Kuji seemes flawless in his technique. They would observe what they believed to be Datastream Cowboy attempting to attack a site, fail, talk to Kuji and a minute later successfully get in.

They concluded that Kuji was far more sophisticated and had financial motives. They decided that Kuji was a spy, tutoring the younger Datastream Cowboy in exchange for military secrets. It did not occur to them that the culprit could be an 18 year old kid living in Cardiff with very little stashed under the floorboards.
In the following year, Kuji became the subject of unprecedented comment and speculation. The story of the hacking broke. US Senate enquiries ensued. One pentagon official described Kuji as “possibly the single biggest threat to world peace since Adolf Hitler”.

One year later, a year after Pryce’s arrest (he was later fined ?1,200), a tip-off to the police identified ‘Kuji’ and subsequently I was arrested at work.

At the time, I was working in the IT department of an Insurance company and was fixing the MD’s computer. A group of dark suited men walked into the office. I was read my rights and arrested for various computer crimes against NATO, NASA, the US Air Force and other military installations.
I had a suspicion they might find me, but believed that due to them looking for a spy the chances were slim. My reaction was one of calm. I had read reports of Pryce’s arrest and was aware that he had broken down in tears. Reports had claimed that he began shouting “God, what have I done”. I did not want that to be held against me.

I was taken to the local police station for questioning and charged with conspiracy under the (British) Computer Misuse Act.
For the next 18 months I was prosecuted and underwent preparation for a trial which could have sent me to prison for 15 years.
I maintained throughout that any hacking I had done was on my own. There was no conspiracy. My argument was that I was in competition. As such I refused to accept any deals with which the prosecution offered based upon conspiracy.
In addition, conflicting information regarding sensitive information held on the sites and various other technical faults affected the prosecution’s case.

By the time the prosecution realised there was no conspiracy, they had run out of time to charge me with the other original offence, unauthorised access. This left them with only three more serious offences including unauthorised access with intent to impair the operation of the computer. This was nonsense. I would never wish to impair a machine I am having fun using to attack other machines.

The case was finally decided before going to trial with the prosecution offering no evidence. That meant a full acquittal with not guilty verdicts recorded. The British Crown Prosecution Service held that it was not in the public interest to prosecute me. They estimated the cost of a four month trial at ?10,000 a day plus the cost of bringing high ranking military personnel from America.

Looking back, I now believe that my case was not about hacking, but an exercise in propaganda. In the same year that a handful of hackers were caught, there was an estimated 250,000 attacks on computers in the US Department of Defence.
It was a prime target. I believe it was no coincidence that when the Senate was being asked for money to fund protection against Information Warfare, a case study appearing to proving their point fell in their laps.

But I am not bitter. I have respect, now. I am not bullied anymore. I will not attack your company anymore. I now work on the right side of the law as a computer consultant, mainly work performing penetration tests. I also volunteer my time and technical ability to www.antichildporn.org.

But I am still a hacker.

Mathew Bevan can be reached at hacker@kujimedia.com or www.kujimedia.com

Tangled Web:

Tales of Digital Crime from the Shadows of Cyberspace

Chapter Six

One of the greatest misconceptions among the many who hamper the defense of cyberspace is the idea that all hacking is done only by juvenile joy riders: i.e., youthful geniuses bent on embarrassing law enforcement and the military. Of course, one of the ways in which this misconception is spread is through the mainstream media. Most cases that reach the light of day usually do end up involving juvenile hackers.

Why? Well, cases involving true cyberterrorists, information warriors, intelligence agencies, and corporate spies slip below the surface of the headlines. They are lost in the murky waters of “classified operations” or are swept under thick corporate carpets. (You’ll read more about such cases in Chapter 10 and Chapter 12.)

Juvenile hackers or other “sport hackers” (a term used to describe hackers who break into systems for the same reasons but aren’t minors) end up in the newspapers because they get caught. They also end up in the headlines because they seek the limelight. Furthermore, acknowledging their activities doesn’t open a Pandora’s box for the government agency or the corporation that was hit. If a government agency acknowledged an intelligence operation conducted by another country, there could be serious diplomatic or even military consequences. If a major corporation acknowledged a hack attack in which trade secrets were compromised seemingly by another corporation, there would be a public relations debacle: for example, their stock could dive, lawsuits could get filed, etc.

Nevertheless, juvenile or sport hackers, or joy riders, have wreaked a lot of havoc and mayhem over the years.

Here are some of the details of three high-profile stories, stretching from 1994 to 1999, that illustrate some of the lessons learned and unlearned along the way.

The Rome Labs Case: Datastream Cowboy and Kuji Mix It Up with the U.S. Air Force

The Rome Air Development Center (Rome Labs), located at Griffiss Air Force Base (New York), is the U.S. Air Force’s premier command-and- control research facility.

Rome Lab researchers collaborate with universities, defense contractors, and commercial research institutions on projects involving artificial intelligence systems, radar guidance systems, and target detection and tracking systems.

On March 28, 1994, Rome Labs’s system administrators (sysadmins) noticed that a password sniffer, a hacking tool that gathers user’s login information, had been surreptitiously installed on a system linked to the Rome Labs network. The sniffer had collected so much information that it filled the disk and crashed the system, according to James Christy, who was director of Computer Crime Investigations for the Air Force Office of Special Investigations.

The sysadmins informed the Defense Information Systems Agency (DISA) that the Rome Labs network had been hacked into by an as yet unknown perpetrator. The DISA Computer Emergency Response Team (CERT), in turn, informed the Air Force Office of Special Investigations (AFOSI) of the report of an intrusion. The AFOSI, in turn, informed the Air Force Information Warfare Center (AFIWC), headquartered in San Antonio, Texas.

An AFOSI team of cybercrime investigators and security experts was dispatched to Rome Labs. They reviewed audit trails and interviewed the sysadmins. The conclusions that they reached in their preliminary investigation were very disturbing.

Two hackers had broken into seven different computers on the Rome Labs network. They had gained unlimited access, downloaded data files, and secreted sniffers on every one of them. The seven sniffers had compromised a total of 30 of Rome Labs’s systems.

These systems contain sensitive research and development data.

System security logs disclosed that Rome Labs’s systems had been actually been hacked into for the first time on March 23, five days before the discovery made on March 28.

The investigation went on to disclose that the seven sniffers had compromised the security of more than 100 more user accounts by capturing user logons and passwords. Users’ e-mail messages had been snooped, duplicated, and deleted. Sensitive battlefield simulation program data had been pursued and purloined. Furthermore, the perpetrators had used Rome Labs’s systems as a jumping-off point for a series of hack attacks on other military, government, and research targets around the world. They broke into user accounts, planted sniffer programs, and downloaded massive quantities of data from these systems as well.

The investigators offered the Rome Labs commanding officer the option of either securing all the systems that had been hacked or leaving one or more of them open to attack. If they left a few systems open, they could monitor the comings and goings of the attackers in the hope of following them back to the their point of origination and identifying them.

The commander opted to leave some of the systems open to lay a trap for the intruders.

Investigators Wrestle with Legal Issues and Technical Limitations

Using standard software and computer systems commands, the attacks were initially traced back one leg of their path. The majority of the attacks were traced back to two commercial Internet service providers, cyberspace.com, in Seattle, Washington and mindvox.phantom.com, in New York City.

Newspaper articles indicated that the individuals who provided mindvox.phantom.com’s computer security described themselves as “two former East Coast Legion of Doom members.”

The Legion of Doom (LoD) was a loose-knit computer hacker group that had several members convicted for intrusions into corporate telephone switches in 1990 and 1991. Because the agents did not know whether the owners of the New York Internet service provider were willing participants or merely a transit point for the break-ins at Rome Labs, they decided not to approach them. Instead, they simply surveiled the victim computer systems at Rome Labs’s network to find out the extent of the intruders’ access and identify all the victims.

Following legal coordination and approval with Headquarters, AFOSI’s legal counsel, the Air Force General Counsel’s Office, and the Computer Crime Unit of the Department of Justice, real-time content monitoring was established on one of Rome Labs’s networks. Real-time content monitoring is analogous to performing a wiretap because it allows you to eavesdrop on communications, or in this case, text. The investigative team also began full keystroke monitoring at Rome. The team installed a sophisticated sniffer program to capture every keystroke performed remotely by any intruder who entered the Rome Labs.

This limited context monitoring consisted of subscribing to the commercial ISPs’ services and using only software commands and utilities the ISP authorized every subscriber to use. The team could trace the intruder’s path back only one leg. To determine the next leg of the intruder’s path required access to the next system on the hacker’s route. If the attacker was using telephone systems to access the ISP, a court-ordered “trap and trace” of telephone lines was required.

Due to time constraints involved in obtaining such an order, this was not a viable option. Furthermore, if the attackers changed their path, the trap and trace would not be fruitful. During the course of the intrusions, the investigative team monitored the hackers as they intruded on the system and attempted to trace the intruders back to their origin. They found the intruders were using the Internet and making fraudulent use of the telephone systems, or “phone phreaking.”

Because the intruders used multiple paths to launch their attacks, the investigative team was unable to trace back to the origin in real-time due to the difficulty in tracing back multiple systems in multiple countries.

In my interview with James Christy for this book, he provided fascinating insight into the deliberations over what capabilities could be used to pursue the investigation.

“The AFIWC worked the Rome Labs case with us,” Christy says. “They developed the Hackback tool right at Rome.” According to Christy, Hackback is a tool that does a finger back to the system the attack came from, then launches a scripted hack attack on that system, surveils the system, finds the next leg back, and then launches a scripted attack on that system. Hackback was designed to follow them all the way back over the Internet to their point of origination.

“Well, AFIWC developed this tool,” Christy continues, “but we told them, ‘Hey, you can’t use that ’cause it’s illegal. You’re doing the same thing as the hacker is doing: You’re breaking into systems.’ They said, General Minihan [who was at that time the head of the NSA] says, ‘We’re at war, we’re going to use it.’ My guys had to threaten to arrest them if they did. So we all said, ‘Let’s try something.’ ”

Christy tells me there was a big conference call involving the DoJ, the Secret Service, the FBI, AFOSI, and the guys that were up at Rome Labs. “We all claimed exigent circumstances, a hot pursuit. Scott Charney [who was at that time the head of DoJ’s computer crime unit] gave us the approval to go run Hackback one time. We did it, but it didn’t buy us anything. The hackers weren’t getting into those nodes via the Internet. They were getting in through telephone dial-ups. So it dead-ended where we already knew it was coming from.”

Datastream Cowboy’s Biggest Mistake

As the result of the monitoring, the investigators could determine that the hackers used the nicknames Datastream and Kuji. With this clue, AFOSI Computer Crime Investigators turned to their human intelligence network of informants that surf the Internet. The investigators levied their informants to identify the two hackers using the handles Datastream and Kuji.

“Our investigators went to their sources,” Christy recalls, “saying, ‘Help us out here, anybody know who these guys are?’ And a day and a half later, one of these sources came back and said, ‘Hey, I got this guy. Here’s his e-mail!'”

According to Christy, these informants have diverse motivations. Some of them want to be cops; some of them want to do the right thing; some of them simply find hacking exciting; some of them have pressure brought to bear on them because of their own illegal activities.

Indeed, whatever the motivation, on April 5, 1994, an informant told the investigators he had a conversation with a hacker who identified himself as Datastream Cowboy.

The conversation was via e-mail and the individual stated that he was from the United Kingdom. The on-line conversation had occurred three months earlier. In the e-mail provided by the informant, Datastream indicated he was a 16-year-old who liked to attack .mil sites because they were so insecure.

Datastream had even provided the informant with his home telephone number for his own hacker bulletin board systems he had established.

Bragging of his hacking feats, as Christy explains, was Datastream Cowboy’s big mistake.

“It was the only way we solved the case,” he said. “If we had to rely on surveillance alone, we never would have traced it back to them because of all the looping and weaving through South America. We would have been working with multiple countries.

“Did these South American countries have laws against hacking?” Christy continues. “No. Would the South Americans have been able to do a trap and trace? Maybe not. Remember, they were using telephone lines.”

The Air Force agents had previously established a liaison with New Scotland Yard who could identify the individuals living at the residence associated with Datastream’s telephone numbers.

New Scotland Yard had British Telecom initiate monitoring of the individual’s telephone lines with pen registers. A pen register records all the numbers dialed by the individuals at the residence. Almost immediately, monitoring disclosed that someone from the residence was phone phreaking through British Telecom, which is also illegal in the United Kingdom.

Within two days, Christy and the investigative team knew who Datastream Cowboy was. For the next 24 days, they monitored Datastream’s online activity and collected data.

During the 26-day period of attacks, the two hackers, Datastream Cowboy and Kuji, made more than 150 known intrusions.

Scotland Yard Closes in on Datastream Cowboy

New Scotland Yard found that every time an intrusion occurred at Rome Labs, the individual in the United Kingdom was phone-phreaking the telephone lines to make free telephone calls out of Britain. Originating from the United Kingdom, his path of attack was through systems in multiple countries in South America and Europe, and through Mexico and Hawaii; occasionally he would end up at Rome Labs. From Rome Labs, he was able to attack systems via the Internet at NASA’s Jet Propulsion Laboratory in California and its Goddard Space Flight Center in Greenbelt, Maryland.

Continued monitoring by the British and American authorities disclosed that on April 10, 1994, Datastream successfully penetrated an aerospace contractor’s home system. The attackers captured the contractor’s logon at Rome Labs with sniffer programs when the contractor logged on to home systems in California and Texas. The sniffers captured the addresses of the contractor’s home system, plus the logon and password for that home system. After the logon and password were compromised, the attackers could masquerade as that authorized user on the contractor’s home system. Four of the contractor’s systems were compromised in California and a fifth was compromised in Texas.

Datastream also used an Internet Scanning Software (ISS)1 attack on multiple systems belonging to this aerospace contractor. ISS is a hacker tool developed to gain intelligence about a system. It attempts to collect information on the type of operating system the computer is running and any other available information that could be used to assist the attacker in determining what attack tool might successfully break into that particular system. The software also tries to locate the password file for the system being scanned, and then tries to make a copy of that password file.

The significance of the theft of a password file is that, even though password files are usually stored encrypted, they are easily cracked. Several hacker “password cracker” programs are available on the Internet. If a password file is stolen or copied and cracked, the attacker can then log on to that system as what the systems perceive is a legitimate user.

Monitoring activity disclosed that, on April 12, Datastream initiated an ISS attack from Rome Labs against Brookhaven National Labs, Department of Energy, New York. Datastream also had a two-hour connection with the aerospace contractor’s system that was previously compromised.

Kuji Hacks into Goddard Space Flight Center

On April 14, 1994, remote monitoring activity of the Seattle ISP conducted by the Air Force indicated that Kuji had connected to the Goddard Space Flight Center through an ISP from Latvia. The monitoring disclosed that data was being transferred from Goddard Space Flight Center to the ISP. To prevent the loss of sensitive data, the monitoring team broke the connection. It is still not known whether the data being transferred from the NASA system was destined for Latvia. (Latvia as a destination for sensitive data was, of course, something that concerned investigators. After all, the small Baltic nation had only recently become independent of Russian domination. It had been a part of the former U.S.S.R.)

Further remote monitoring activity of cyberspace.com disclosed that Datastream was accessing the National Aero-Space Plane Joint Program Office, a joint project headed by NASA and the Air Force at Wright- Patterson Air Force Base, Ohio. Monitoring disclosed a transfer of data from Wright-Patterson traversing through cyberspace.com to Latvia.

Apparently, Kuji attacked and compromised a system in Latvia that was just being used as conduit to prevent identification. Kuji also initiated an ISS attack against Wright-Patterson from cyberspace.com the same day. He also tried to steal a password file from a computer system at Wright- Patterson Air Force Base.

Kuji Attempts to Hack NATO HQ

On April 15, real-time monitoring disclosed Kuji executing the ISS attack against NATO Headquarters in Brussels, Belgium, and Wright-Patterson from Rome Labs. Kuji did not appear to gain access to any NATO systems from this particular attack. However, when interviewed on April 19 by AFOSI, a systems administrator from NATO’s SHAPE Technical Center in the Hague, Netherlands, disclosed that Datastream had successfully attacked one of SHAPE’s computer systems from the ISP mindvox.phantom.com in New York.

After authorities confirmed the hacker’s identity and developed probable cause, New Scotland Yard requested and obtained a search warrant for the Datastream Cowboy’s residence. The plan was to wait until the individual was online at Rome Labs, and then execute the search warrant. The investigators wanted to catch Datastream online so that they could identify all the victims in the path between his residence and Rome Labs. After Datastream got online at Rome Labs, he accessed a system in Korea, downloaded all data stored on the Korean Atomic Research Institute system, and deposited it on Rome Labs’s system.

Initially, it was unclear whether the Korean system belonged to North or South Korea. Investigators were concerned that, if it did belong to North Korea, the North Koreans would think the logical transfer of the storage space was an intrusion by the U.S. Air Force, which could be perceived as an aggressive act of war. During this time frame, the United States was in sensitive negotiations with the North Koreans regarding their nuclear weapons program. Within hours, it was determined that Datastream had hacked into the South Korean Atomic Research Institute.

At this point, New Scotland Yard decided to expand its investigation, asked the Air Force to continue to monitor and collect evidence in support of its investigation, and postponed execution of the search warrant.

Scotland Yard Knocks on Datastream Cowboy’s Door

On May 12, investigators from New Scotland Yard executed their search warrant on Datastream’s residence. When they came through the door, 16- year-old Richard Pryce (a.k.a. Datastream Cowboy) curled up in the fetal position and wept.

The search disclosed that Datastream had launched his attacks with only a 25 MHz, 486 SX desktop computer with only a 170 megabyte hard drive. This is a modest system, with limited storage capacity. Datastream had numerous documents that contained references to Internet addresses, including six NASA systems and U.S. Army and U.S. Navy systems with instructions on how to loop through multiple systems to avoid detection.

At the time of the search, New Scotland Yard detectives arrested and interviewed Datastream. Detectives stated that Datastream had just logged out of a computer system when they entered his room. Datastream admitted to breaking into Rome Labs numerous times as well as multiple other Air Force systems (Hanscom Air Force Base, Massachusetts, and Wright-Patterson). (He was charged with crimes spelled out in Britain’s Computer Misuse Act of 1990.)

Datastream admitted to stealing a sensitive document containing research regarding an Air Force artificial intelligence program that dealt with Air Order of Battle. He added that he searched for the word missile, not to find missile data but to find information specifically about artificial intelligence. He further explained that one of the files he stole was a 3_4 megabyte file (approximately three to four million characters in size). He stored it at mindvox.phantom.com’s system in New York because it was too large to fit on his home system.

Datastream explained he paid for the ISP’s service with a fraudulent credit card number that was generated by a hacker program he had found on the Internet. Datastream was released on bail following the interview.

This investigation never revealed the identity of Kuji. From conduct observed through the investigators’ monitoring, Kuji was a far more sophisticated hacker than the teenage Datastream. Air Force investigators observed that Kuji would only stay on a telephone line for a short time, not long enough to be traced successfully. No informant information was available except that Computer Crime Investigators from the Victoria Police Department in Australia had seen the name Kuji on some of the hacker bulletin-board systems in Australia.

Unfortunately, Datastream provided a great deal of the information he stole to Kuji electronically. Furthermore, Kuji appears to have tutored Datastream on how to break into networks and on what information to obtain. During the monitoring, the investigative team could observe Datastream attack a system and fail to break in. Datastream would then get into an online chat session with Kuji, which the investigative team could not see due to the limited context monitoring at the Internet service providers. These chat sessions would last 20_40 minutes. Following the on-line conversation, the investigative team would then watch Datastream attack the same system he had previously failed to penetrate, but this time he would be successful.

Apparently Kuji assisted and mentored Datastream and, in return, received stolen information from Datastream. Datastream, when interviewed by New Scotland Yard’s Computer Crime Investigators, told them he had never physically met Kuji and only communicated with him through the Internet or on the telephone.

Kuji’s Identity Is Finally Revealed

In 1996, New Scotland Yard was starting to feel some pressure from the glare of publicity surrounding the upcoming hearings in the U.S. Senate, chaired by Sam Nunn (D-Georgia). Two years had passed since the arrest of the Datastream Cowboy, and yet Kuji was still at large.

New Scotland Yard investigators went back to take a closer look at the evidence they had seized and found a phone number that they hadn’t traced back to its origin. When they did trace it, they discovered Kuji’s true identity. Ten days after Jim Christy’s initial testimony concerning the Rome Lab intrusions, 21-year-old Matthew Bevan (a.k.a. Kuji) was finally apprehended.

In court, Pryce pleaded guilty to 12 hacking offenses and paid a nominal fine of 1,200 British pounds.

But Bevan, whose father was a police officer, “lawyered-up.”

After 20 hearings in which the defense challenged the Crown’s evidence, the prosecution made a “business decision” and dropped the charges.

Bevan is now a computer security consultant. His Web site, http:// www.bogus.net/, features an archive of news media coverage of the Rome Labs case, a timeline of his exasperating and successful legal maneuvers, photographs of his arresting officers, and scanned headlines from the London tabloids.

In my interview with Bevan, I asked him about the motivation in the attack on Rome.

“My quest,” he tells me, “was for any information I could find relating to a conspiracy or cover-up of the UFO phenomenon. I was young and interested in the UFO stuff that I had read and of course as I had the access to such machines that were broken (i.e., with poor security) it was a natural progression to seek out information.

“Also,” Bevan continues, “I was bullied almost every day of my school life; the hacking world was pure escapism. I could go to school, endure the day, come home, and log on to another world. Somewhere I could get respect, somewhere that I had friends.

“At school I may have been bullied but in the back of my mind was ‘Well, I hacked NASA last night, and what did you do?'”

I also asked Bevan if he wanted to set the record straight in regard to how authorities handled the case or how the media reported it.

“One of the biggest concerns that I have about the reporting of the case relates to the InfoWar aspect,” he says. “It is suggested that we were taken to the brink of WWIII because of an attack on the Korean nuclear research facility. A Secret Service agent here alleged that bombers were already on their way to Korea to do a preemptive strike as it was thought that when they discovered the attack, said to have come from a U.S. military computer, they would retaliate.

“In the evidence presented in the case,” Bevan says, “there was a snippet of a log that shows Datastream Cowboy logging into said facility with the user ID of ‘sync,’ and as the user has no Unix shell associated with it, the login is terminated. Nowhere else in the logs is any record of the intrusion being successful, and in my opinion the logs do not reflect that. Being called ‘the single biggest threat to world peace since Adolf Hitler’ is a tad annoying, but then even the layman can see that is just hype and propaganda.”

Who Can Find the Bottom Line?

A damage assessment of the intrusions into the Rome Labs’s systems was conducted on October 31, 1994. The assessment indicated a total loss to the United States Air Force of $211,722. This cost did not include the costs of the investigative effort or the recovery and monitoring team.

No other federal agencies that were victims of the hackers (for example, NASA) conducted damage assessments.

The General Accounting Office conducted an additional damage assessment at the request of Senator Nunn. (See GAO Report, Information Security: Computer Attacks at Department of Defense Pose Increasing Risks [AIMD-96-84], May 22, 1996.)

Some aspects of this investigation remain unsolved:

The extent of the attack. The investigators believe they uncovered only a portion of the attack. They still don’t know whether the hackers attacked Rome Labs at previous times before the sniffer was discovered or whether the hackers attacked other systems where they were not detected.

The extent of the damage. Some costs can be attributed to the incident, such as the cost of repair and the cost of the investigative effort. The investigation, however, was unable to reveal what they downloaded from the networks or whether they tampered with any data. Given the sensitive information contained on the various computer networks (at Rome Labs, Goddard Space Flight Center, the Jet Propulsion Laboratory, Wright- Patterson AFB, or the National Aero-Space Plane Program), it is very difficult to quantify the loss from a national security perspective.

HotterthanMojaveinmyheart:2 The Case of Julio Cesar Ardita

On March 29, 1996, the U.S. Justice Department announced it had charged Julio Cesar Ardita (a.k.a. “El Griton”), a 21-year-old Argentine, with breaking into Harvard University’s computer network and using it as a staging platform for many other hacks into sites throughout cyberspace. Like Kuji and the Datastream Cowboy, Ardita targeted sites belonging to NASA, DoD, several American universities, and those in other countries (for example, Korea, Mexico, Taiwan, Chile, and Brazil). Like Kuji and the Datastream Cowboy, Ardita gained unauthorized access to important and sensitive information in his explorations. In Ardita’s case, the research information that was compromised involved satellites, radiation, and energy-related engineering.

Peter Garza of Evidentdata (Ranchero Cucamonga, California) was a special agent for the Naval Criminal Investigative Services. He led the digital manhunt that ended in Buenos Aires. Garza described Ardita as a dedicated hacker. “Ardita was no ordinary script kiddie,”

Garza tells me. “He didn’t run automated hacking scripts downloaded from someone else’s site. He did his hacking the old-fashioned way. He used a terminal emulator program, and he conducted manual hacks. He was prodigious. He had persistence and stamina. Indeed, I discovered records of ten thousand sessions on Ardita’s home computer after it was seized. During the technical interviews we did of Ardita in Argentina (after his arrest), he would describe all-night sessions hacking into systems all over the Internet.

“Early on in the investigation,” Garza adds, “I had guessed this would be a solvable case because of this persistence. I had guessed that because this was such a prolific hacker, he had to use the same file names, techniques, and hiding places just so that he would be able to remember where he left collected userids and passwords behind on the many hacked systems. Also, I hoped the hacker was keeping records to recall the hacked sites. Records that would help further the investigation if we were successful in tracking the hacker down. It was gratifying that I was right on both counts. Records on his seized computer, along with his detailed paper notes, helped us reconstruct much of what he had done.”

Like the investigation that led to the identification and arrest of the Rome Labs hackers, the pursuit that led to the identification and arrest of Ardita accelerated the learning curve of those responsible for tracking down cybercriminals and bringing them to justice.

The following account, drawn from my interview with Garza and the court affidavit written by Garza himself in support of the criminal complaint against Ardita, sheds light on the details of the investigations and the groundbreaking work that the case required.

How the Search for “El Griton” Began

Sysadmins at a U.S. Navy research center in San Diego detected that certain system files had been altered. Taking a closer look, they uncovered certain files, including a sniffer he left behind, the file that contained the passwords he was logging, and a couple programs he used to gain root access and cover up his tracks.

This evidence enabled Garza to construct a profile of the hacker.

Coincidentally, and fortuitously, Garza and other naval security experts happened to be at the San Diego facility for a conference on the day that the intrusion was detected.

They worked late into the night. They succeeded in tracking the as-yet- unidentified hacker to a host system administered by the Faculty of Arts and Sciences (FAS) at Harvard University, Cambridge, Massachusetts. The hacker was making unauthorized use of accounts on the FAS host and trying to access other systems connected to Harvard’s network via the Internet.

(As early as July 1995, host computers across the United States as well as in Mexico and the United Kingdom reported both successful and unsuccessful hacking attempts seeming to originate from the FAS Harvard host. But this U.S. Navy investigation that commenced in late August would lead to Ardita’s arrest.)

Although it was impossible at first to determine the hacker’s true identity because he was using the legitimate account holders’ identities as his aliases or covers, investigators could distinguish the hacker from other users of the FAS Harvard host and the Internet through certain distinctive patterns of illicit activity. But to track the hacker all the way back to his point of origination, Garza was going to need a court order for a wiretap.

“I called the U.S. Attorney’s office in Boston on a Thursday and asked if we could have the court order in place by Monday,” Garza recounts. “They laughed. Six months was considered the ‘speed of light’ for wiretap approval. But we started to put the affidavit together anyway, and got it okayed in only six weeks, which at that time was unheard of.

The cream of US military intelligence last week had their bungled attempt to prosecute a bedroom hacker thrown out by a British court. Duncan Campbell discovers why the spooks are firing blanks in the infowar
More Naked Gun than Top Gun

THE THREE year long case of the world?s most notorious ?information warfare? attack on US government computer systems collapsed last Friday. On a grey morning in a south London court, a 23-year-old computer programmer from Cardiff walked free as crown prosecutors told the judge it wasn’t worth the cost of trying to hold his trial. They acknowledged that he had posed no threat to security.

But Matthew Bevan, who was obsessed with the X-Files and the search for alien spacecraft, and his 16-year-old accomplice, Richard Pryce, had achieved a notoriety out of all proportion to their actions. They were “Kuji” and “Datastream Cowboy” hackers whose haphazard penetration of US Air Force and defence contractors’ computers have been portrayed since 1994 as the work of foreign agents and the greatest electronic danger yet to hit the US Air Force on its home turf.

The collapse of Bevan’s trial has exposed the US infowarriors. On the back of overblown rhetoric and oversold threats, they have won lavish funding from Congress for new military and intelligence “infowar” units, and recently sold their security services to private corporations.

But the inside story of the Bevan and Pryce cases shows their forensic work to have been so poor it would have been unlikely to have stood up in court and convicted Bevan. The public portrayal of the two Britons as major threats to US national security was pure hype.

The case began in April 1994, when computer managers at an obscure US Air Force base at Rome, New York State, noticed that some of their computers had been penetrated via the Net. Over the next few weeks, a team of 50 infowar experts combed USAF and other computers to try to track the interlopers.

In May 1994, a USAF investigator told the Senate that the duo had “downloaded large volumes of data from penetrated systems”. But the computer used by Pryce to hack the US Air Force systems had already been discovered and seized by Scotland Yard. It was an aging 486 with a midget 170Mb hard disk. Bevan was no better equipped.

Although the two did allegedly download one or two classified files, those who have studied the detailed evidence in the case say that their approach was entirely haphazard and (so far as Bevan was concerned) motivated by the belief that a captured alien spacecraft, held secretly at the remote Nevada airbase Area 51 (as featured in last year?s film Independence Day), was reality.

In 1994, Bevan?s activities drew attention not in Nevada but Texas. Close to San Antonio is the Medina Annex of Lackland Air Force Base. Here, Air Force staff of the Consolidated Security Operations Center process communications from around the world. Like the real Area 51, Medina is one of the US government?s highest security facilities. San Antonio is home to the Electronic Security Command, the US Air Force section of the intelligence agency NSA. It also now hosts an Information Warfare Centre.

When on March 28, 1994 the emergency call came from New York to San Antonio, the infowar team were alerted to defend their country. Captain Kevin Ziese, chief of Advanced Counter Measures Research for the Infowar Centre, led a six-strong team whose members or so he told Fortune magazine “slept under their desks for three weeks, hacking backwards” until Pryce was arrested.

Since then, Ziese has hit the US lecture circuit and privatised his infowar business. As the WheelGroup corporation of San Antonio, he now sells ‘friendly’ hacking services to top US corporations.

Meanwhile in Britain, the case against Bevan fell apart because testimony from Ziese and others wasn’t going to stand up in court. ‘Much of the US evidence would have collapsed on detailed scrutiny,’ according to Peter Sommer, the LSE computer security and Internet expert who advised the defence teams for both men. Much of the ‘evidence’ they gave to the Crown Prosecution Service was not valid evidence at all, but e-mails of edited files that had been relayed to Ziese and others.

Ziese?s technical investigation quickly ran dry, even after his team inserted their own anti-hacking and monitoring tools onto the Net. They had discovered that the hackers were entering USAF systems from two private Net sites, Cyberspace in Seattle and Mindvox in New York.

But where were the hackers really coming from? To answer that question, the USAF team obtained legitimate accounts on the Cyberspace computer. They used these to launch snooper programs codenamed Stethoscope and Pathfinder at the Cyberspace computer. It failed, as it could not determine how the hackers were phoning into Cyberspace.

US investigators have claimed the programs they used were legal because they did not access information that other users could not get. But they have refused to produce the programs.

Traditional police methods, not arcane infowar techniques, identified Pryce. A hacker who was an undercover informant had chatted to Pryce a few weeks earlier. Pryce had used his hacker name and given the informant his London phone number. Scotland Yard?s Computer Crimes Unit were soon at Pryce?s door with a search warrant. Bevan was eventually located in a similar way. His phone number was on Pryce?s computer. Had it not been for Scotland Yard, the relatively innocuous Pryce and Bevan would never have been found ? and the US Senate would still be hearing about ?cyberterrorists? from faraway lands.

A further flaw in the USAF evidence appeared in May, when they refused to let defence experts examine and test programs they had used to monitor the Net. ?Worst of all,? says Sommer, ?having set traps to catch hackers, they neglected to produce ?before? and ?after? file dumps of the target computers.?

In the end, all the Americans handed over was patchy and circumstantial evidence that their computers had been hacked from Britain. To have attempted to fill in the holes in the evidence could have meant flying two dozen USAF witnesses to Britain to face lengthy and embarrassing cross-examination.

UK SPYMASTER SAYS TOO MANY SPOOKS SPOIL THE PLOT

British business security chiefs were last week lectured on the risks and realities of infowar at a conference on Business Crime and Risk at the Royal Society of Arts in London. But the highlight of the meeting was an unexpected call for British intelligence agencies to be cut down and realigned.

David Bickford was legal adviser to the intelligence and security services from 1987 until 1995, where he taught MI5 how to turn its work into evidence that its agents could present in court ? skills that the US Air Force could do well to catch up with.

Bickford said that British intelligence ?is not doing its job properly?. The ?750 million a year cost of maintaining three intelligence agencies ? the Security Service (MI5), Secret Intelligence Service (MI6) and GCHQ (responsible for electronic eavesdropping) ? was now completely unjustified. There was ?triplication of management, triplication of bureaucracy and triplication of turf battles?.

As a result, British intelligence was now turning ?a blind eye to the fact that economic crime, including organised racketeering in narcotics, kidnap, extortion, product contamination and fraud, now poses the greatest threat to the security of the international community?.

Bickford revealed that, in 1995, the intelligence agencies had secretly suggested to the Major government that they develop links to large companies in order to provide them with ?protective business intelligence?. The plan was turned down. Officially, it was claimed that the problem was distinguishing between ?protective intelligence? and economic espionage. But the truth, he suggested, was that MI5, MI6 and GCHQ had bickered about how to finance and run the proposed new scheme.

Until difficulties like this were hammered out, said Bickford, taxpayers? funds would be wasted and business damaged by the unavailability of important information that was kept only in government hands. A merger now would save ‘tens of millions of pounds’, and provide for the ‘focused direction, integration and analysis of electronic and human intelligence to reduce risk’, he added.

A cabinet office team is currently doing a year-long review of the structure of British intelligence. Their review should be ?quite fierce?, suggested Bickford.

Internal threats had all but disappeared ? and with them the raison d?etre of MI5. The main threat to Britain now was ‘serious economic crime’ and ‘super-terrorism’, involving the use of weapons of mass destruction, he said. Because of ‘the common international nature of these threats’, arguments for having three different intelligence services ‘falls at the first hurdle’.

Not only were ‘operational officers with long experience in intelligence’ being lost to the private sector, others were lost because they had to take up management posts instead of carrying on in intelligence. Tax payers were having to pay for this ‘waste of experience’, Bickford claimed.

A new ?national intelligence agency? should be formed, he added, in order to provide protective business intelligence. It could even charge for its services. It was ?long overdue? for the Parliamentary Intelligence Oversight Committee to instigate the process of amalgamating the three agencies.

Hostility and in-fighting between MI5 and MI6 has long been notorious. The situation only began to change in the mid-1970s, when the two agencies formed a joint section to fight Irish terrorism. Since 1990, MI5 has seen its traditional concerns of Soviet espionage and so-called ?internal subversion? all but vanish. Faced with the additional threat of a ceasefire in Ireland, MI5 has sought to move into police areas including fraud, money laundering, narcotics and organised crime. MI6 and GCHQ have also been retargeted into these areas.

Bickford?s call for more intelligence and security expertise for business was backed by Sir Peter Imbert, former Commissioner of the Metropolitan Police, and other senior ex-police officers.

While legal adviser to MI5 and MI6, Bickford helped draft the legislation that brought the once officially invisible organisations ‘in from the cold’ and put them on a statutory legal basis. Since leaving the agencies, Bickford has attacked the government?s willingness to allow British offshore islands to remain as tax havens, claiming that this constituted tacit support for money laundering and organised crime.

[Duncan Campbell is a freelance writer and broadcaster, and not the Guardian?s crime correspondent of the same name]

26 November 1997

Ex-hacker to help Nintendo with viral marketing
By: John Leyden
Posted: 29/03/2001 at 14:44 GMT

A well-known former computer hacker has been hired to do viral marketing for games firm Nintendo and TV channel E4.

Mathew Bevan, whose hacker handle is Kuji, was accused of breaking into US military computer systems but escaped without punishment when a 1997 case at Woolwich Crown Court was dropped after a long-running legal battle.

After the case Bevan became an ethical hacker and security consultant with Tiger Computer Security, and later on a freelance basis with his firm the Kuji Media Corporation.

Bevan was reluctant to go into details of his marketing work just yet, but said he was offered work for Nintendo and the E4 site, e4chained, through a third party and the Kuji Media Corporation. As a security expert it was felt he had the talent to help run a successful viral marketing campaign.

Bevan, and Richard Pryce (Datastream Cowboy) were accused of hacking into a research centre at Griffiss Air Force base in New York state and faced charges related to the Computer Misuse Act.

The case revolved an incident when the Korean Atomic Research Institute’s database was found to have had been deposited on USAF’s systems.

In court, USAF investigators admitted that they initially feared the data had come from North Korea – something that could spark a major international incident. This provoked fears that World War III might be started by a teenage computer hacker sitting in his bedroom.

An inquiry into the hack led investigators to Bevan and Pryce, who were subsequently charged.

Pryce, who was 16 at the time, was fined £1,200 in a hearing before the Woolwich Crown Court case. The prosecution against Bevan was dropped because after the leniency shown to Pryce, prosecutors concluded it was too expensive to continue with the case. ?

Foreign hackers working from overseas via the Internet penetrated sensitive U.S. Government computer systems.

Hacking U.S. Government Computers from Overseas

Foreign-based hacker groups working via the Internet have had substantial success breaking into U.S. Government and defense contractor computer systems holding sensitive but not classified information. There is one publicly known case in which computer break-ins from overseas were sponsored by a foreign intelligence service.

Three Germans in Bremen, West Germany were hired by the Soviet KGB during 1986- 1989 to hack into U.S. Government systems. They penetrated Pentagon systems, NASA networks, Los Alamos National Laboratories and Lawrence Berkeley Laboratories. They were detected by Clifford Stoll, at Berkeley, when he checked out minor discrepancies in the account billings. Stoll later wrote the popular book, The Cuckoo’s Egg, about the case. The three hackers were arrested and convicted of espionage.

The following three cases also show the ability of hackers overseas to penetrate protected domestic U.S. systems via the Internet. In these three cases there was some suspicion of possible foreign intelligence involvement. This could not be confirmed, but also could not be ruled out. Enterprising foreign hackers could collect this information on their own and then sell it to a foreign intelligence service, or a foreign service could sponsor the same kind of operation itself.

Argentine Hacker Intrusion Into Navy Systems

In July 1995 computers in several states and Mexico reported intrusions originating from Harvard University. The hacker apparently lifted user IDs and password information from accounts on a system administered by the university. The U.S. government became concerned in August when an intrusion was detected on a network operated by the U.S. Naval Command, Control and Ocean Surveillance Center (NCCOSC). The intruder broke into the NCCOSC computer and installed sniffer programs to capture the IDs and passwords of legitimate users, and other software that would allow him to alter or destroy network files or to make them inaccessible to users.

After attacking a site in Taiwan, the intruder was monitored while “chatting” on the Internet, using the name Griton. Griton was traced back to Argentina where the moniker was known by Argentine authorities as a computer pirate who specialized in hacking, cracking and phreaking. The subject was soon traced to Buenos Aires and identified as Julio Cesar Ardita, then a 21-year-old student in Buenos Aires at the University of Argentina.

According to news reports, this hacker gained access to a host computer at the Army Research Lab in Edgewood, Maryland; the Naval Research Laboratory in Washington; the California Institute of Technology in Pasadena, California; and the NASA Jet Propulsion Laboratory. Victim sites include 62 U.S. government, 136 U.S. educational, and 31 U.S. commercial facilities. The U.S. Navy, NASA, and Department of Energy’s National Laboratories were high on the list of frequency of penetration.

Ardita was served a warrant and his computer was seized. He admitted responsibility, but claimed he was guilty only of mischief. He was arraigned in December, 1995. The U.S. Department of Justice filed criminal charges against Ardita. Prosecution in the U.S. was initially frustrated by the fact that computer crime is not covered by international agreements for extradition. In December 1997, Ardita agreed to come voluntarily to the United States and plead guilty to unlawfully intercepting electronic communications over a military computer and damaging files on a military computer. In return for Ardita’s agreement to come voluntarily to the United States, he is being sentenced to only three years probation and fined $5,000.1

Although he hacked into important and sensitive government research files on satellites, radiation, and energy-related engineering, Ardita is not accused of obtaining classified information related to national security. To counterintelligence analysts, the hacker’s selection of targets and subject matter suggested a well-defined intelligence collection tasking, but foreign intelligence involvement has not been established. If a foreign intelligence service was involved, it is impossible to know which one, as many countries might have been interested in the information Ardita collected.

The Ardita case was the first time a court-ordered wire tap was used for real-time monitoring of an unknown subject to catch a computer criminal. It demonstrates the ability to chase and identify an international hacker on-line.1

Air Force Rome Development Center Break-In

Two young British hackers, Richard Pryce, age 16, and Mathew Bevan, age 21, broke into U.S. military computer systems. Pryce, who was identified and charged in 1995, allegedly obtained access to files on ballistic weapons research and messages from U.S. agents in North Korea during a 1994 crisis over inspection of nuclear facilities in North Korea. The penetrations were carried out over a period of several months.

Bevan, an information technology technician, was charged in 1996 with conspiracy to gain unauthorized access to computers. Pryce used the on-line nickname of “Datastream Cowboy” while Bevan identified himself as “Kuji.” Kuji was tutoring Datastream in his attempts to break into specific systems. According to news reports, investigators suspected the older culprit of being a foreign agent.

Pryce and Bevan broke into the Rome Air Development Center, Griffiss Air Force Base, NY, and before authorities became aware of their presence (five days later) they had penetrated seven systems, copied files including sensitive battlefield simulations, and installed devices to read passwords of everyone entering the systems. Rome Air Development Center was used as a launching pad for more than 150 intrusions into military, government and other systems including NASA and Wright-Patterson Air Force Base. Large volumes of data were downloaded from penetrated systems. One such data transfer (which was being monitored) involved the downloading of files from the Goddard Space Flight Center to an Internet provider in Latvia. In order to prevent the loss of sensitive data, the monitoring team broke the connection.

In one of these break-ins, Pryce used Rome to access a Korean facility. According to media reports, “For several anxious hours [U.S. authorities] didn’t know whether the intrusion was into a North or South Korean system. The concern was that the North Koreans would trace an intrusion coming from the U.S. and perceive it as an aggressive act of war.” The penetrated system turned out to be the South Korean Atomic Research Institute. The two were arrested after a long investigation by the Air Force Office of Special Investigation and New Scotland Yard.2

Dutch Teen Hackers

A group of Dutch teenagers penetrated computer systems at 34 U.S. military installations during 1990-91. They gained access to information on personnel performance reports, weapons development, and descriptions of movement of equipment and personnel. The systems penetrated included the Naval Sea Systems Command, the Army’s readiness system at Ft. Belvoir, Virginia, and the Army missile research lab at Aberdeen, Maryland.

At least one penetrated system directly supported U.S. military operations in Operation Desert Storm prior to the Gulf War. They copied or altered unclassified data and changed software to permit future access. The hackers were also looking for information about nuclear weapons. Their activities were first disclosed by Dutch television when camera crews filmed a hacker tapping into what was said to be U.S. military test information.

According to an ABC News report, the Dutch hackers had been operating for at least a year reading sensitive information about military plans and operations. Documents obtained by ABC indicate that hackers got so much information about the Patriot Missile that they had to break into several other computers just to find a place to store the data. At one point the intruders shut down computers in Wisconsin and Virginia which were later used to mobilize troops for Desert Storm. Information was gathered on the Patriot rocket launching system, the Navy’s Tomahawk cruise missile, and on the call up of military reserves for the Gulf War. The search words the hackers were particularly interested in were “military,” “nuclear” and “Desert Storm” or “Desert Shield.”

Many of the computer penetrations originated in Geldrop, Holland. At the time, investigators suspected the hackers could have been freelance spies looking for information to sell to the KGB or Iraqi intelligence, but no evidence of foreign intelligence service involvement has been found.

04/04/98 THE SCHOOLBOY SPY.

By Jonathan Ungoed-Thomas

The Americans called him their No 1 enemy, but he was only 16. Jonathan Ungoed-Thomas reveals one of the strangest stories of the cyber-age. On the evening of April 15, 1994, six American special agents sat in a concrete basement at a secret air force base patiently waiting for an attack. Their unseen and unknown enemy had for weeks been rampaging across the Pentagon network of computers, cracking security codes and downloading secret files.

Defence officials feared the infiltrator was a foreign agent. They were monitoring his movements in a desperate effort to trace him to his lair. He had first been spotted by a systems manager at the Rome Laboratory at the Griffiss air base in New York state, the premier command and control research facility in the United States. He had breached the security system and was using assumed computer identities from the air base to attack other sites, including Nasa, Wright-Patterson air force base – which monitors UFO sightings – and Hanscom air force base in Massachusetts. He was also planting “sniffer files” to pick up every password used in the system. This was a new type of warfare, a “cyber attack” at the heart of the most powerful military machine on earth. But the American military had been preparing for “cyber war” and it had a new breed of agent ready to fight back against the infiltrator. Computer specialists from the Air Force Office of Special Investigations (AFOSI) and the Air Force Information Warfare Centre in San Antonio, Texas, were dispatched to Rome Laboratory to catch the attacker.

By the end of the second week of their attempt to outwit him, their windowless basement room was a mess of food wrappers, sleeping bags and empty Coca-Cola cans. Sitting among the debris, the American cyber agents saw a silent alarm throb on one of the many terminals packed into the 30ft by 30ft room. Datastream Cowboy, as he called himself, was online again. They carefully tracked him on a computer screen as he used the access code of a high-ranking Pentagon employee to sign on. This gave him the power to delete files, copy secret information and even crash the system. As he sifted through battlefield simulation data, artificial intelligence files and reports on Gulf war weaponry, the agents worked frantically at their terminals, trying yet again to establish who he was and where he had come from. It was futile. Datastream Cowboy always bounced around the world before launching an attack and it was impossible even to establish in which country he was sitting.

Suddenly he left the Pentagon system. The agents rapidly checked the computer address of his new target and were chilled by the result: he was trying to get access to a nuclear facility somewhere in Korea. The shocked agents saw a terrible crisis coming. The United States was embroiled in tense negotiations with North Korea about its suspected nuclear weapons programme. The Clinton administration was publicly split between a faction that wanted to punish the Stalinist regime in Pyongyang for attempting to develop a nuclear bomb and State Department diplomats who insisted on a gentler approach.

If the paranoid North Koreans detected a computer attack on their nuclear facility from an American air base – because Datastream Cowboy had assumed an American military identity by routeing his assault through the Griffiss computer – they would be bound to believe that the hawks had won and this was an act of war. Senior defence officials were hurriedly briefed as the agents attempted to establish the exact location in Korea of the computer that Datastream Cowboy was trying to crack.

After several tense hours, they had their answer. His target was in South Korea, not North. The security alert was over, but the damage meted out by Datastream Cowboy was not. In the space of a few weeks he had caused more harm than the KGB, in the view of the American military, and was the “No 1 threat to US security”.

What made Datastream Cowboy so dangerous, in the view of the Americans, was that he was not alone; he was working with a more sophisticated hacker who used the “handle” of Kuji. The agents repeatedly watched Datastream Cowboy unsuccessfully attack a military site and retreat for an e-mail briefing from Kuji. He would then return and successfully hack into the site. Both Datastream Cowboy and Kuji were untraceable. They were weaving a path through computer systems in South Africa, Mexico and Europe before launching their attacks. Over 26 days, Datastream Cowboy and Kuji broke into the Rome Laboratory more than 150 times. Kuji was also monitored attempting an assault on the computers at Nato headquarters near Brussels. It was only three years after the final collapse of Soviet communism, but there was already a strong fear within the American government that the United States had become vulnerable to a new military threat: electronic and computer warfare.

Both America’s superpower military arsenal and its huge civilian economy had become reliant on microchips and in the words of Jamie Gorelick, a deputy attorney-general: “Some day we will wake up to find that the electronic equivalent of Pearl Harbor has crippled our computer networks and caused more chaos than a well placed nuclear strike. We do not want to wait for that wake-up call.”

What made the American military so vulnerable was that the Internet – the computer communications system that had been developed by Pentagon scientists as a tool for survival after nuclear war – was opening up in 1994 to anyone in the world who had access to a cheap and powerful personal computer.

The Internet automatically brought hackers to the very gates of the Pentagon’s most secret files – and it could not be policed, as it had been deliberately set up without controls to ensure ease of access for nuclear survivors.

According to official American figures, the Pentagon’s military computers are now suffering cyber attacks at the rate of 250,000 a year and it is retaliating with a $3.6bn programme of computer protection to key systems. THE attacks by Datastream Cowboy and Kuji were the opening shots in this barrage, and the Pentagon generals insisted that they had to be found and put out of action. It would have been relatively simple to shut them out of the Pentagon network, but they would survive to attack again – and their identities and the information they had already stolen would have remained unknown. The American cyber agents were ordered to continue chasing them through the electronic maze.

But how? They used a process called “fingering” in which they tried to detect every computer that Datastream Cowboy had used as stepping stones before attacking them. A computer on the Internet gives its own address in the first few bytes of any communication and the agents tried to trace Datastream Cowboy’s path backwards. The process can often be hit and miss because of the vast amount of traffic on the Internet and the hacker’s path was simply too long and circuitous to follow to its end. The agents almost gave up hope. Then old-fashioned police work was brought to bear. In the cyber age, where do hackers hang out? On the Internet, of course. They “chat” with each other through their screens.

The agents had informants who cruised the Internet and one of these made the breakthrough. He found that Datastream Cowboy hung out at Cyberspace, an Internet “service provider” based in Seattle. Moreover, he was a particularly chatty individual who was eager to engage other hackers in e-mail conversation. Naive, too. Before long, the informant had established that Datastream Cowboy lived in the United Kingdom. He even gave out his home telephone number.

Jubilant, a senior AFOSI agent contacted the computer crime unit in Scotland Yard for assistance. Datastream Cowboy’s number was traced to a house in a cul-de-sac in Colindale, part of the anonymous north London suburbs. In cold war days it would have been a classic address for a spy’s hideaway.

Telephone line checks revealed that the hacker was first dialling into Bogota, the Colombian capital, and then using a free phone line from there to hack his way into the sensitive military sites.

American agents flew to London and staked out the address with British police officers. Detectives were cautious, however, about making an immediate arrest because they wanted Datastream Cowboy to be online when they entered the house, so that he would be caught in the act.

At 8pm on May 12, 1994, four unmarked cars were parked outside the Colindale house. Inside one of them, a detective’s mobile phone rang. An agent from the Rome Laboratory was on the other end: Datastream Cowboy was online. Officers made a second call to British Telecom in Milton Keynes and established that a free phone call was being made to South America. Posing as a courier, one of the officers knocked on the door. As it was opened by a middle-aged man, eight policemen silently appeared and swept into the house. The officers quietly searched the downstairs and first floor. Then, creeping up the stairs to a loft-room, they saw a teenager hunched in his chair tapping frantically away on the keyboard of his ?700 PC World computer. They had found Datastream Cowboy.

One of the detectives walked up silently behind the young suspect and gently removed his hands from the computer. For 16-year-old Richard Pryce, a music student, it was the shock of his life. He looked at the policemen as they prepared to arrest him and collapsed on the floor in tears.

“They thought they were going to find a super-criminal and they just found me, a teenager playing around on his computer,” says Pryce now. “My mother had noticed people sitting outside our house for a few days beforehand, but I didn’t think much of it. I never thought I would get caught and it was very disturbing when I did.

“It had just been a game or a challenge from which I had got a real buzz. It was unbelievable because the computers were so easy to hack, like painting by numbers.”

Pryce, who was then a pupil at The Purcell School in Harrow, Middlesex, was arrested at his home but released on police bail the same evening. Five stolen files, including a battle simulation program, were discovered on the hard disk of his computer. Another stolen file, which dealt with artificial intelligence and the American Air Order of Battle, was too large to fit on to his desktop computer. So he had placed it in his own storage space at an Internet service provider that he used in New York, accessing it with a personal password.

During the subsequent police interviews, one pressing question remained unanswered: who was Kuji? Pryce claimed he had only talked with his hacking mentor on the Internet and did not know where he lived. American investigators regarded Kuji as a far more sophisticated hacker than Datastream. He would only stay on a telephone for a short time, not long enough to be traced successfully. “Kuji assisted and mentored Datastream and in return received from Datastream stolen information…Nobody knows what Kuji did with this information or why it was being collected,” agents reported.

Mark Morris, who was then a detective sergeant with Scotland Yard’s computer crime unit, was one of the investigating officers on the case. “It was awesome that Pryce, who was just one teenager with a computer, could cause so much havoc, but the greater worry in the US was about Kuji,” says Morris. “The fear was that he could be a spy working for a hostile foreign power. The job was then to find him.”

Pryce did give detectives one telephone number, but it was a red herring: a school library in Surrey. During the next two years of compiling evidence in Britain and America in the case against Pryce, British detectives and American agents failed to turn up any evidence that might lead to Kuji. Their break finally came in June 1996 when the computer crime unit decided to sift once again through the mass of information on the hard disk of Pryce’s computer.

Morris took on the job. “I was at home with my laptop and went through every bit of that hard disk, which was a huge task.” It took him three weeks. If all the files had been printed out they would have filled 40 filing cabinets.

At last he found what he wanted. “At the bottom of a file in the DOS directory I saw the name Kuji. Next to the name was a telephone number. Pryce might not have even known it was on his system because he downloaded so much information.”

For American agents hoping to catch a superspy, Kuji’s telephone number was a grave disappointment. He was based in Cardiff. A team of officers drove up to his address, a terraced house, and finally discovered Kuji’s identity. He was 21-year-old Mathew Bevan, a soft-spoken computer worker with a fascination for science fiction. His bedroom wall was covered with posters from The X Files and one of his consuming interests was the Roswell incident, the alleged crash of a UFO near Roswell, New Mexico, in July 1947. He was arrested on June 21, 1996, at the offices of Admiral Insurance where he worked.

“I would never have been caught if it wasn’t for Pryce and even then they took two years to find me,” Bevan says now. “And the only reason Pryce got caught was that he gave his number to a secret service informant.” Bevan, the son of a police officer, said he had not even been alarmed when Datastream Cowboy disappeared from the Internet. “Everyone was joking with me on the e-mail that he must have been arrested, but I didn’t believe it. It wasn’t until a year later that a friend phoned me and said: ‘Have you seen the papers? They think you’re a spy’.”

However, Bevan became confident that he had escaped detection and was stunned when he was arrested. “I was told to go and check the managing director’s computer. I went in and there were seven or eight of them in suits and I was arrested.” He was charged the next day with two counts of conspiracy under the Criminal Law Act 1997. He was later charged with three offences under the Computer Misuse Act 1990.

Pryce had been charged in June 1995, about 13 months after his arrest, with 12 offences under Section 1 of the Computer Misuse Act 1990. He was also charged with conspiracy three days before Bevan’s arrest. At the culmination of one of the biggest ever international computer crime investigations and after a massive security scare in the United States, law enforcers were left with a meagre and faintly embarrassing prize: two young hackers who in their spare time, from the comfort of their bedrooms, had penetrated what should have been the most secure defence network in the world. To rub salt into the wounds, their credentials were hardly impressive. Pryce had scraped a D grade in computer studies at A-level and Bevan had dropped out of an HND course in computer science.

Pryce’s father, Nick, who restores musical instruments, said: “They said Richard was a No 1 security threat and I think that was just rubbish. They had overreacted and when they found out it was just a teenager, they still wanted to try to make an example of him. I never knew what he was doing at the time; I just thought he was in his bedroom playing on his computer. When I found out, I never thought he had done anything particularly wrong and neither did our friends. He just showed how bad security was on those computers.”

But how did two rather ordinary young men manage to penetrate the Pentagon computer system and spark such a massive security alert? Both were bright and articulate, but there was nothing in their backgrounds to suggest a computer wizardry that would outwit the American military. Their success was based on a mixture of persistence and good luck, which was abetted by crude security mistakes in the Pentagon computer system. Pryce had had a musical upbringing with his two sisters, Sally and Katie, and had a passion for playing the double bass. He was bought his computer when he was 15 to help him in his studies. He would spend his spare time linked up to a bulletin board on the Internet, where computer users traded information and chatted. It was here that he got his first introduction to hacking.

“I used to get software off the bulletin boards and from one of them I got a ‘bluebox’, which could recreate the various frequencies to get free phonecalls,” he said. “I would phone South America and this software would make noises which would make the operator think I had hung up. I could then make calls anywhere in the world for free.”

Now 20 and in his third year at the Royal College of Music in London, Pryce said: “I would get on to the Internet and there would be hackers’ forums where I learnt the techniques and picked up the software I needed. You also get text files explaining what you can do to different types of computer. “It was just a game, a challenge. I was amazed at how good I got at it. It escalated very quickly from being able to hack a low-profile computer like a university to being able to hack a military system. The name Datastream Cowboy just came to me in a flash of inspiration.”

The attack on Rome Laboratory, his greatest success, relied on a ferret called Carmen. Pryce easily gained low-level security access to the Rome computer using a default guest password. Once inside the system, he retrieved the password file and downloaded it on to his computer. He then set up a program to bombard the password file with 50,000 words a second. “I just left the computer running overnight until it cracked it,” he explained.

If all the air force officers with access to the computer had followed orders and used passwords with a mixture of numerals and letters, his attack would have been foiled; but luck was on his side.

Morris, who has since left Scotland Yard’s computer crime unit and now works in London for Computer Forensic Investigations, a private company, revealed: “He managed to crack the file because a lieutenant in the USAF had used the password Carmen. It was the name of his pet ferret. Once Pryce had got that, he was free to roam the system. There was information there that was deemed classified and highly confidential and he was able to see it.”

Once he was in the system, Pryce kept getting access to higher levels in his aim to become a “root user”, which gives the hacker total control of the computer with the power to shut out other users and command the entire system.

“I was interested in Rome Labs because I knew they developed stuff for the military. I just wanted to find out what they were doing. I read that UFO material was being kept at Wright Patterson base and I thought it would also be a laugh to get in there. I also hacked into a Nasa site,” he said. “Rome Labs was my main project. I got the programming code for an artificial intelligence project. I downloaded files so I could view them at leisure at home.

“I know there was a big fuss when I tried to hack into a computer in Korea, but there was nothing sinister about it. I just fancied having a go at a different sort of computer and I happened to be on the Rome Laboratory computer. I just tapped in the address for the Korean research computer, but I didn’t hack into it. It never went further than that.” During an intensive three months of hacking, Pryce sent e- mails at least twice a week to the fellow hacker he knew as Kuji, without knowing his real name was Mathew Bevan.

Bevan, who is now 23, was more of a loner than Pryce and would spend up to 30 hours without a break on his computer. He claims the fraternity of hackers gave him the friendship that he had failed to find during his childhood. “I was bullied at school and I found my little community and interaction through my computer,” he said. “The hackers would all egg each other on. There wasn’t anything malicious about it. If there was, I could have downed as many computer systems as I wanted. I was just really looking for anything about UFOs. It was like war games; I just couldn’t believe what we could get into. I wasn’t tutoring Pryce, but the Americans made out I was because they thought I was some kind of east European masterspy.” Pryce agrees: “We embarrassed them by showing how lax their security was and that’s why they made out we had been a huge security threat. I’m now amazed by what I did, but I wasn’t surprised at the time. It was just my hobby. Some people watched television for six hours a day, I hacked computers.”

The first time Pryce and Bevan met in person was in July 1996 when they appeared at Bow Street magistrates court jointly charged with conspiracy and offences under the Computer Misuse Act. “He was at the back of the court when I went in and his mother said: ‘You’d better say hello’, which he did. We didn’t even have a chat,” said Bevan.

Conspiracy charges against both Pryce and Bevan were later dropped, but in March last year Pryce was fined ?1,200 after admitting 12 offences under the Computer Misuse Act. His lawyers said in mitigation that there had been some exaggeration when the Senate armed services committee had been told in 1996 that the Datastream Cowboy had caused more harm than the KGB and was the “No 1 threat to US security”. The remaining charges against Bevan were dropped in November after the Crown Prosecution Service decided it was not in the public interest to pursue the case.

Nevertheless, the case of Datastream Cowboy and Kuji remains one of the most notorious in American cyber history. The two young men are living this down in different ways. Pryce’s computer was confiscated, to his initial dismay. “After I had my computer taken away it was quite difficult because I had been doing it every night for a year,” he said. “If they hadn’t caught me, I would have carried on.” Now he thinks hacking was a waste of time and insists he will never do it again. He does not even own a computer any more.

Bevan, however, has put his notoriety to good use: he is now employed testing the computer security of private companies.Targeting the Pentagon United States defence computers have for years been one of the most covetedtargets for hacking addicts inspired by the film War Games, which showed a boy cracking an American defence network and nearly starting the third world war.

One of the pioneers of this craze was Kevin Mitnick, who repeatedly hacked into Pentagon computers in the mid-1980s. He was jailed in 1989 but continued his exploits on his release and was arrested again after a two-year hunt by the FBI. The number of cyber attacks on the Pentagon is estimated by Washington officials as 250,000 annually, but the incidents the public hears about are only the few where hackers get caught. In 1996 six Danes who hacked into Pentagon computers were given sentences of up to three months. The same year, special agents tracked down three teenage hackers in Croatia who had also succeeded in penetrating Pentagon computers.

They were never identified or charged, however, as there is no law against computer hacking in Croatia. Last month there was a spectacular example of the hackers’ work when American defence officials revealed that the Pentagon computer network had been subjected to a relentless two-month attack. CIA agents were reportedly anxious that the hackers might be the agents of Saddam Hussein.

FBI agents blamed a secret convention of hackers believed to be held in New York. A few days ago, the real culprit gave himself up. Ehud Tenenbaum, an Israeli teenager who dubbed himself The Analyser, had worked with two young hackers in California. Under house arrest in Tel Aviv, he said the attacks were not malicious. He had concentrated on American government sites because he hated organisations. “Chaos, I think it is a nice idea,” he said.

(c) Times Newspapers Ltd, 1998.

SUNDAY TIMES 29/03/98

Infowar.Com & Interpact, Inc. WebWarrior@Infowar.Com

Submit articles to: infowar@infowar.com
Voice: 813.393.6600 Fax: 813.393.6361

Last modified: Sun, 03 Jan 1999 00:04:46 GMT