Cyberespionage
Clifford Stoll's (B.12.1) classic book The Cuckoo's Egg describes the complexity
of tracking and prosecuting a black hat hacker (Fig. 12.2). Stoll was an
astronomer turned system administrator for the computers at Lawrence Berkeley
National Laboratory. The lab's computers ran Berkeley Unix and had two systems
of accounting software for keeping track of the usage of these machines: one a
standard Unix utility program and the other a homegrown program specific to
Berkeley. From a seventy-five-cent discrepancy between these accounts at
Lawrence Berkeley National Laboratory in 1986, Stoll deduced that someone was
hacking into the lab's system. By sleeping in the lab and being alerted to
every incoming computer connection, Stoll was able to record the exact
keystrokes that had been used when the offense occurred. The results were
surprising.
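The cross-check that exposed the intruder, two independent accounting systems that should agree, can be expressed as a reconciliation of per-user charges. This is an added illustration, not code from the book or the lab; the record layout, the user names and the two ledgers are constructed for the example.

```python
"""Reconcile two independent usage-accounting ledgers and report every user
whose charges disagree, in the spirit of the seventy-five-cent discrepancy.
Constructed example: record layout and sample data are not the real formats."""
from collections import defaultdict
from decimal import Decimal

# Constructed sample: charges recorded by the standard Unix accounting utility.
UNIX_ACCOUNTING = """\
oldacct  1986-08-01  0.25
oldacct  1986-08-02  0.50
stoll    1986-08-01  1.10
astro    1986-08-02  3.40
"""

# Constructed sample: the homegrown lab ledger, which never registered 'oldacct'.
LAB_LEDGER = """\
stoll    1986-08-01  1.10
astro    1986-08-02  3.40
"""


def parse_ledger(text):
    """Sum charges per user from lines of the form 'user date amount'."""
    totals = defaultdict(Decimal)
    for line in text.splitlines():
        if not line.strip():
            continue  # tolerate blank lines in a hand-maintained ledger
        user, _date, amount = line.split()
        totals[user] += Decimal(amount)  # Decimal: cents must add up exactly
    return dict(totals)


def reconcile(unix_text, lab_text):
    """Return {user: (unix_total, lab_total)} for every user whose totals
    differ. A user billed by only one system is the classic sign of an
    account the other system never knew about."""
    unix_totals = parse_ledger(unix_text)
    lab_totals = parse_ledger(lab_text)
    discrepancies = {}
    for user in set(unix_totals) | set(lab_totals):
        u = unix_totals.get(user, Decimal("0"))
        lab = lab_totals.get(user, Decimal("0"))
        if u != lab:
            discrepancies[user] = (u, lab)
    return discrepancies


if __name__ == "__main__":
    for user, (u, lab) in sorted(reconcile(UNIX_ACCOUNTING, LAB_LEDGER).items()):
        print(f"{user}: unix={u} lab={lab} difference={u - lab}")
```

Run on the constructed ledgers it reports a single user, oldacct, with seventy-five cents of usage that the lab's own ledger never saw.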
The hacker had gained access to one of Stoll's computers by guessing the
password for an old, inactive user's account. Once in the system, he then used
a bug in the popular GNU-Emacs editor program to trick the computer into
giving him the same privileges as a system administrator, the so-called
super-user or root privileges. This bug allowed him to move a file from his
user area into what should have been an area restricted to the system manager.
The GNU software did not check whether the destination lay in the protected
system software area. Once in this privileged area, the hacker then ran a
counterfeit version of a standard Unix program, atrun, which runs queued-up
jobs at regular intervals. This unauthorized program is the cuckoo's egg of the
book's title, named for the cuckoo's trick of laying its eggs in the nests of
other birds. Running the counterfeit program allowed the hacker to gain the
super-user privileges of a system administrator. He then restored the real Unix
atrun program and erased his tracks from the system log so that the system
administrators would see nothing wrong. He also scanned all email messages
for references to “hacker” and “security” and used his new privileges to kill the
program of any user who he thought might have been monitoring his activity.
The situation was extremely serious: the hacker could read anyone's email,
access or delete any file, and set up a new, hidden account that could provide
him with a “backdoor” into the computer known only to him. All of the data
stored on the computer was now at risk. Moreover, from his position as
super-user, he was able to explore not only all the other computers at the
Berkeley Lab connected by the Local Area Network (LAN), but also the computer
systems connected to Berkeley through the ARPANET.
Stoll watched the hacker systematically attempting to break into several
military computer installations by guessing passwords or by using unprotected
guest or visitor accounts. It was surprising how many supposedly secure military
sites still used the standard factory password settings for their super-user
system administrator accounts. After a long chase, and remarkable initial
indifference from the Federal Bureau of Investigation (FBI), the Central
Intelligence Agency, and even the National Security Agency (NSA), the trail led
to West Germany (Fig. 12.3). The hacker, Markus Hess, was part of a group
selling sensitive information obtained from these U.S. military computing
systems to the Soviet Union.
Fig. 12.2. A fascinating detective story about Cliff Stoll chasing a hacker
during the ARPANET era.
B.12.1. Clifford Stoll is a U.S. astronomer and author who is probably best
known for his book The Cuckoo's Egg. This tracked a hacker who had broken into
Stoll's computer at Lawrence Berkeley Laboratory back to Hanover, Germany.