Joy Riders: Mischief That Leads to Mayhem

One of the greatest misconceptions among the many who hamper the defense of cyberspace is the idea that all hacking is done only by juvenile joy riders: i.e., youthful geniuses bent on embarrassing law enforcement and the military. Of course, one of the ways in which this misconception is spread is through the mainstream media. Most cases that reach the light of day usually do end up involving juvenile hackers.

Why? Well, cases involving true cyberterrorists, information warriors, intelligence agencies, and corporate spies slip below the surface of the headlines. They are lost in the murky waters of “classified operations” or are swept under thick corporate carpets. (You’ll read more about such cases in Chapter 10 and Chapter 12.)

Juvenile hackers or other “sport hackers” (a term used to describe hackers who break into systems for the same reasons but aren’t minors) end up in the newspapers because they get caught. They also end up in the headlines because they seek the limelight. Furthermore, acknowledging their activities doesn’t open a Pandora’s box for the government agency or the corporation that was hit. If a government agency acknowledged an intelligence operation conducted by another country, there could be serious diplomatic or even military consequences. If a major corporation acknowledged a hack attack in which trade secrets were compromised seemingly by another corporation, there would be a public relations debacle: for example, their stock could dive, lawsuits could get filed, etc.

Nevertheless, juvenile or sport hackers, or joy riders, have wreaked a lot of havoc and mayhem over the years.

Here are some of the details of three high-profile stories, stretching from 1994 to 1999, that illustrate some of the lessons learned and unlearned along the way.

The Rome Labs Case: Datastream Cowboy and Kuji Mix It Up with the U.S. Air Force

The Rome Air Development Center (Rome Labs), located at Griffiss Air Force Base (New York), is the U.S. Air Force’s premier command-and-control research facility. Rome Lab researchers collaborate with universities, defense contractors, and commercial research institutions on projects involving artificial intelligence systems, radar guidance systems, and target detection and tracking systems.

On March 28, 1994, Rome Labs’s system administrators (sysadmins) noticed that a password sniffer, a hacking tool that gathers users’ login information, had been surreptitiously installed on a system linked to the Rome Labs network. The sniffer had collected so much information that it filled the disk and crashed the system, according to James Christy, who was director of Computer Crime Investigations for the Air Force Office of Special Investigations.

The sysadmins informed the Defense Information Systems Agency (DISA) that the Rome Labs network had been hacked into by an as yet unknown perpetrator. The DISA Computer Emergency Response Team (CERT), in turn, informed the Air Force Office of Special Investigations (AFOSI) of the report of an intrusion. The AFOSI, in turn, informed the Air Force Information Warfare Center (AFIWC), headquartered in San Antonio, Texas.

An AFOSI team of cybercrime investigators and security experts was dispatched to Rome Labs. They reviewed audit trails and interviewed the sysadmins. The conclusions that they reached in their preliminary investigation were very disturbing. Two hackers had broken into seven different computers on the Rome Labs network. They had gained unlimited access, downloaded data files, and secreted sniffers on every one of them. The seven sniffers had compromised a total of 30 of Rome Labs’s systems. These systems contain sensitive research and development data.

System security logs disclosed that Rome Labs’s systems had actually been hacked into for the first time on March 23, five days before the discovery made on March 28.

The investigation went on to disclose that the seven sniffers had compromised the security of more than 100 more user accounts by capturing user logons and passwords. Users’ e-mail messages had been snooped, duplicated, and deleted. Sensitive battlefield simulation program data had been pursued and purloined. Furthermore, the perpetrators had used Rome Labs’s systems as a jumping-off point for a series of hack attacks on other military, government, and research targets around the world. They broke into user accounts, planted sniffer programs, and downloaded massive quantities of data from these systems as well.

The investigators offered the Rome Labs commanding officer the option of either securing all the systems that had been hacked or leaving one or more of them open to attack. If they left a few systems open, they could monitor the comings and goings of the attackers in the hope of following them back to their point of origination and identifying them.

The commander opted to leave some of the systems open to lay a trap for the intruders.

CHAPTER 6 JOY RIDERS: MISCHIEF THAT LEADS TO MAYHEM

[Figure 6.1 diagram labels: Rome Labs, HQ NATO, Latvia, U.K., Commercial, AF Contractor, WPAFB, Army, USBR, JPL, NASA, S. Korean Atomic Research Inst, Goddard SFC, Colombia and Chile]

Rome Labs Attack Summary

• 2 Hackers
• 26 Days of Attacks
• 20 Days of Monitoring
• 7 Sniffers on Rome Systems
• Over 150 Intrusions at Rome Labs from 10 Different Points of Origin
• Victims - Many and Varied
• Law Enforcement Agencies - Multiple
• At Least 8 Countries Used as Conduit

Figure 6.1 More than 100 downstream victims from the Rome Labs attacks.

Investigators Wrestle with Legal Issues and Technical