Shimomura vs. Mitnick: The Computer Crime of the Year?
The story of the Christmas Day, 1994 attack on Tsutomu Shimomura and the events that unfolded following that attack may provide a behind-the-scenes look at an Internet-based computer crime -- unfortunately, the type of crime we can expect to see more and more in the future. But, just as this crime shows how today's technologies can be used to commit a crime, it also shows how such technologies can be used to catch the criminal.
Tsutomu Shimomura, a computational physicist at the San Diego Supercomputer Center, is known for his interest in computer security -- in particular, methods of preventing intrusion into systems. For years, he has collected information about security holes in various systems and tools for exploiting these holes. He has also developed many tools for preventing intrusion and tracking system intruders. On Christmas Day, while Shimomura was en route to a ski vacation at Lake Tahoe, an intruder broke in, remotely, to his highly secured home computer at Solana Beach, California, and began copying his files -- tens of thousands of them.
A graduate student at the Supercomputer Center noticed alterations in system log files at a computer there, and caught on to what was happening. (Shimomura had installed on his computer a program that automatically copied logging records to a backup computer at the San Diego site.) The student notified Shimomura, who rushed home to inspect the damage. In the days after the attack, as Shimomura was inventorying what had been stolen, the attacker added insult to injury. In a December 27 voice mail message (disguised by computer alteration), he told Shimomura, "Damn you. My technique is the best... Don't you know who I am? Me and my friends, we'll kill you."
Far from frightening Shimomura away, the message further strengthened his resolve. He wouldn't leave this investigation exclusively to law enforcement. This one was personal.
Few victims of computer crime have the technical knowledge -- or the determination -- of Shimomura. Right from the start, he went public with news of the break-in, announcing it at a conference in Sonoma, California, and publishing the technical details of the attack so others on the Internet could protect themselves from similar attacks.
Shimomura has long been known as someone who believes in free discussions about system vulnerabilities. Where some people in the computing community feel that publicizing security holes aids and abets intruders, Shimomura believes in revealing these holes -- so everyone will know about them and fix them. He set out to understand exactly what happened and why, and to see if he could use the electronic traces the intruder left behind to track him down.
What was to blame for the attack on Shimomura's system? The attack was based on the intruder's ability to fake the source address of the packets that are sent to a system. Some systems and applications decide whether to trust another system to send it commands by looking at the source address on the incoming packets. That was the case with Shimomura's otherwise well-protected system. The intruder got access by making it appear that the packets came from a system other than the one they were really coming from.
What are packets and how do they work? Packets are the messages, or sections of messages, that are sent from one computer to another. Rather than being transmitted directly from one computer to another, these packets bounce from system to system to system, using the best route available to them on the Internet's huge collection of interconnected networks. Addresses attached to the packets are interpreted by the protocols that make the Internet work. One of these, called the Internet Protocol, or IP, was the source of the attack on Shimomura. What the intruder did was to send file transfer commands to Shimomura's computer that looked like they came from a computer that was authorized to read these files.
The attack was a particularly tricky one. Computers don't simply listen to instructions and obey them. When a packet is received by a system, that system sends back a reply to the originating computer, confirming receipt of the packet. In this way, the two computers synchronize their transmissions using sequence numbers associated with the packets. Without being able to see the acknowledgments being sent back by Shimomura's system (those acknowledgments were going to the computer the attacker was pretending to be), the attacker was nevertheless able to guess the sequence numbers being passed, and thereby associate appropriate numbers with future packets he sent.
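The two weaknesses the article describes, trusting a peer because of the source address written on its packets and using sequence numbers that an off-path sender can guess, are both things a defender can check for. The block below is an added illustration, not code from the article or from Shimomura's tools: it implements a simple ingress-filtering rule (a packet arriving from outside must not claim an inside source address) and a predictability test over a sample of initial sequence numbers. The interface names, the trusted network, the packet records and the ISN samples are all constructed for the example.

```python
"""Defensive checks for address-based trust and guessable sequence numbers.

Added example: the network, interface names, packet records and ISN samples
are constructed for illustration, not taken from the 1994 attack.
"""
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Tuple

# Constructed: the address block a hypothetical gateway treats as "inside",
# i.e. the addresses a host might wrongly trust on sight.
TRUSTED_NET = ip_network("10.0.0.0/24")

Packet = Tuple[str, str, str]  # (arriving interface, source address, destination)


def is_spoofed_ingress(iface: str, src: str, trusted_net=TRUSTED_NET) -> bool:
    """Ingress-filtering rule: a packet that arrives on the external
    interface cannot legitimately carry a source address from the trusted
    inside network, so such a packet is treated as spoofed."""
    return iface == "external" and ip_address(src) in trusted_net


def filter_packets(packets: Iterable[Packet]) -> List[Packet]:
    """Return the records the gateway would drop under the rule above."""
    return [p for p in packets if is_spoofed_ingress(p[0], p[1])]


def isn_deltas(isns: Iterable[int]) -> List[int]:
    """Differences between consecutive 32-bit initial sequence numbers,
    computed modulo 2**32 because the TCP sequence space wraps."""
    values = list(isns)
    return [(b - a) % 2**32 for a, b in zip(values, values[1:])]


def isn_is_predictable(isns: Iterable[int], tolerance: int = 0) -> bool:
    """True when successive ISNs differ by a constant (within `tolerance`).

    A stack whose next ISN can be computed from the previous ones lets a
    sender that never sees the replies guess the acknowledgment it must
    fake, which is the precondition for the blind attack described in the
    text.  A stack with unpredictable ISNs fails this test, as it should.
    """
    deltas = isn_deltas(isns)
    if len(deltas) < 2:
        return False  # too few samples to say anything
    return max(deltas) - min(deltas) <= tolerance


# Constructed samples: one host that bumps its ISN by a fixed step per
# connection, and one whose ISNs show no usable pattern.
PREDICTABLE_ISNS = [128000 * k for k in range(1, 6)]
RANDOM_ISNS = [0x1F3A9C01, 0x8B4E2D77, 0x03C1FF20, 0xD9A7B115, 0x5E02C4AA]

# Constructed packet records as the gateway would see them.
SAMPLE_PACKETS: List[Packet] = [
    ("external", "203.0.113.7", "10.0.0.5"),  # ordinary outside traffic: kept
    ("external", "10.0.0.9", "10.0.0.5"),     # inside address from outside: dropped
    ("internal", "10.0.0.9", "10.0.0.5"),     # genuine inside traffic: kept
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        verdict = "DROP" if is_spoofed_ingress(pkt[0], pkt[1]) else "pass"
        print(f"{verdict:4} iface={pkt[0]:8} src={pkt[1]:13} dst={pkt[2]}")
    print("fixed-step ISNs predictable:", isn_is_predictable(PREDICTABLE_ISNS))
    print("random ISNs predictable:    ", isn_is_predictable(RANDOM_ISNS))
```

The ingress rule is the standard mitigation for forged source addresses at a network border; the ISN test generalizes the article's point to an audit you can run against your own hosts by collecting a handful of their initial sequence numbers.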
Once Shimomura had figured out how the intruder had gained access, he publicized the method. The CERT (see sidebar) sent out an advisory to Internet users, warning them that the same thing could happen to them. Shimomura now turned his attention to finding out who had attacked his system by monitoring all further packets sent to his computer.
Shimomura's willingness to share the details of the attack with the world worked to his advantage. A month after the break-in, something odd happened at the Well, a commercial on-line service used by many in the San Francisco Bay Area. The Well's system administrator had noticed a huge flooding of files in an area of the Well's disk storage designated for use by the Computers, Freedom, and Privacy group. Because the group used the Well only occasionally, this didn't make any sense. Bruce Koball, a programmer who helps run CFP, had read about the Shimomura break-in, and when he looked through the mystery files, he saw immediately that these were the same files stolen from Shimomura.
When Shimomura learned that his intruder had used the Well, he set up software there that monitored Well operations to see what else the intruder might do. By examining packets coming into the Well, the investigators could record the intruder's keystrokes. Watching the intruder's electronic activities might provide clues about who he was and where he could be found. Had the intruder laid low for a while, he might never have been found. But he couldn't stop cracking systems. He wanted to try out the new tools he'd stolen from Shimomura. And this proved to be his undoing.
In short order, the intruder had broken into Motorola as well. This made sense. Cellular telephones are a prime tool for crackers, and Motorola is a major manufacturer. In fact, along with Shimomura's files on the Well, investigators found a copy of Motorola's cellular phone control software. Next, the intruder moved to Netcom, another large West Coast online service. There, he hit the jackpot. He managed to copy the credit card numbers of nearly 10,000 Netcom subscribers. Other computer companies and online services also fell victim to his cracking skills.
When the intruder hit Netcom, law enforcement got busy. Sensitive files are valuable, but credit cards are big business that any investigator can understand. The FBI was involved from the start, but now Kent Walker, the U.S. Assistant District Attorney from the San Francisco area, obtained subpoenas, allowing them to wiretap calls to Netcom. Initially, this didn't help much. Netcom provides many dial-in lines from all over the country. The intruder had manipulated a switching center so his calls would look as if they originated in Colorado and Minnesota. Did they? It was too early to tell.
The more Shimomura watched the intruder's activities, the more suspicious he became. The intruder was leaving his fingerprints at the scene. They might be electronic ones, but like the smudges found around door jambs and on wall safes, they were there. As time went on, they became clearer and clearer.
Shimomura began to suspect that everything pointed to Kevin Mitnick as being the intruder.
Who is Kevin Mitnick? At 31, he's older than many computer crackers, and he has spent half his life breaking into systems, starting with the computer system that ran the Los Angeles Unified School District's attendance, grade reporting, and scheduling applications. During those early years, à la War Games, he also broke in remotely to a computer at the North American Air Defense Command in Colorado Springs, and attacked a number of telephone company computers in New York and California. Mitnick was always attracted by telephone company computers; the lure of free telephone calls, the ability to route his calls through switches that disguised his whereabouts, and the technology that let him play pranks on friends and enemies was too powerful to resist.
A few years later, Mitnick, who had come to be known as Condor in the computer cracking community, was sentenced to probation for stealing technical manuals from Pacific Bell. In the years since, he's served a few jail terms for stealing a million dollars worth of software from Digital Equipment Corporation and for violating parole. Eventually, Mitnick's lawyer saved him from a hefty jail term by convincing a judge to place Mitnick in a Los Angeles treatment program; his love of computer cracking was an addiction, like drugs or alcohol, the lawyer declared. Three years ago, Mitnick took off after the FBI started suspecting he had been involved in several Pac Bell cases and, since his flight was a Federal parole violation, Federal authorities have been looking for him ever since. Mitnick has also been the target of a state probe. After he wiretapped the FBI's own calls to the California Department of Motor Vehicles -- and thereby got access to the California drivers' license database -- the California State Police issued a warrant for his arrest as well.
Although, over the years, Mitnick had stolen credit card numbers, telephone access numbers, and all kinds of valuable software and documents, he has never appeared to be motivated primarily by financial gain. In the Shimomura case, for example, he apparently didn't sell the hacking tools he stole (although we can assume that, by now, the tools have been widely distributed to the computer underground), nor did he appear to use or distribute the credit card numbers taken from Netcom. Cracking was its own reward.
Mitnick's continued cracking activities did suggest addiction. He couldn't bring himself to stop, although his best bet would have been to lay low until Shimomura and law enforcement lost interest in him. The more he prowled through the Internet, the more opportunities they had to follow his trail. Eventually, the trail of telephone calls into Netcom started to bear fruit. It became apparent that the calls came from a cellular telephone modem, a favorite tool of Mitnick's. Although the calls moved through a GTE local switching office, they actually were looping through a cellular phone switch operated by Sprint in Raleigh, North Carolina. Careful comparison of Sprint's records with Netcom's showed that the calls were apparently coming from an apartment building -- the Players Court, near the Raleigh-Durham airport. Shimomura, Sprint officials, and the FBI got closer and closer, watching cellular frequency meters and trying to identify the precise apartment in the building. Once they did, they were able to obtain a Federal warrant for Mitnick's arrest.
In the middle of the night on February 16, less than two months from the Christmas Day break-in, Shimomura had tracked his attacker to his lair. At the time of this writing, Mitnick awaits trial on a variety of charges.