Money Incorporated Digest 31
MONEY INC DIGEST # 31 02/17/95
***>$ MONEY INC $<***
presents:
" The Flight And Fall Of Condor"
Ok, here's a bunch of posts and clippings regarding the arrest of
Kevin Mitnick. It is by no means a definitive guide. It is merely a
compilation of mail sent to me over the past few days to inform others
of and to clear up various rumors regarding the arrest of Condor.
-Sonic Fury
***>$ Money Inc $<***
$$$$$$$$$< SNIP >$$$$$$$$$$$$$$$$$< SNIP >$$$$$$$$$$$$$$$$$< SNIP >$$$$$$$$$$$
-----------------------------------------------------
Slippery cybervandal caught in his own electronic web
-----------------------------------------------------
New York Times
RALEIGH, N.C. (9:05 p.m.) -- After a search of more than two years, a team
of FBI agents early Wednesday morning captured a 31-year-old computer
expert accused of a long crime spree that includes the theft of thousands
of data files and at least 20,000 credit card numbers from computer systems
around the nation.
The arrest of Kevin D. Mitnick, one of the most wanted computer criminals,
followed a 24-hour stakeout of a Raleigh apartment building here.
A convicted computer felon on the run from federal law enforcement
officials since November 1992, Mitnick has used his sophisticated skills
over the years to worm his way into many of the nation's telephone and
cellular telephone networks and vandalize government, corporate and
university computer systems. Most recently, he had become a suspect in a
rash of break-ins on the global Internet computer network.
"He was clearly the most wanted computer hacker in the world," said Kent
Walker, an assistant U.S. attorney in San Francisco who helped coordinate
the investigation. "He allegedly had access to corporate trade secrets
worth billions of dollars. He was a very big threat."
But federal officials say Mitnick's confidence in his hacking skills may
have been his undoing. On Christmas Day, he broke into the home computer of
a computer security expert, Tsutomu Shimomura, a researcher at the
federally financed San Diego Supercomputer Center.
Shimomura then made a crusade of tracking down the intruder, an obsession
that led to Wednesday's arrest.
It was Shimomura, working from a monitoring post in San Jose, Calif., who
determined last Saturday that Mitnick was operating through a computer
modem connected to a cellular telephone somewhere near Raleigh, N.C.
Sunday morning, Shimomura flew to Raleigh, where he helped telephone
company technicians and federal investigators use cellular-frequency
scanners to home in on Mitnick.
Mitnick was arrested at 2 o'clock Wednesday morning in his apartment in the
Duraleigh Hills neighborhood of northwest Raleigh, after FBI agents used
their scanners to determine that Mitnick, in keeping with his nocturnal
habits, had connected once again to the Internet.
Shimomura was present Wednesday at Mitnick's pre-arraignment hearing at the
federal courthouse in Raleigh. At the end of the hearing, Mitnick, who now
has shoulder-length brown hair and was wearing a black sweat suit and
handcuffs, turned to Shimomura, whom he had never met face to face.
"Hello, Tsutomu," Mitnick said. "I respect your skills."
Shimomura, who is 30 and also has shoulder-length hair, nodded solemnly.
Mitnick, already wanted in California for a federal parole violation, was
charged Wednesday with two federal crimes. The first, illegal use of a
telephone access device, is punishable by up to 15 years in prison and a
$250,000 fine.
The second charge, computer fraud, carries potential penalties of 20 years
in prison and a $250,000 fine. Federal prosecutors said they were
considering additional charges related to Mitnick's reported Internet
spree.
Federal officials say Mitnick's motives have always been murky. He was
recently found to have stashed thousands of credit card numbers on
computers in the San Francisco Bay area -- including the card numbers of
some of the best-known millionaires in Silicon Valley. But there is no
evidence yet that Mitnick had attempted to use those credit card accounts.
Indeed, frequently ignoring the possibility of straightforward financial
gain from the information he has stolen, Mitnick has often seemed more
concerned with proving that his technical skills are better than those
whose job it is to protect the computer networks he has attacked.
Federal officials say the arrest of Mitnick does not necessarily solve all
the recent Internet crimes, because his trail of electronic mail has
indicated that he may have accomplices. One of them is an unknown computer
operator, thought to be in Israel, with whom Mitnick has corresponded
electronically and boasted of his Internet exploits, investigators said.
Still, the capture of Mitnick gives the FBI custody of a notoriously
persistent and elusive computer break-in expert. Raised in the San Fernando
Valley near Los Angeles by his mother, Mitnick has been in and out of
trouble with the law since 1981.
It was then, as a 17-year-old, that he was placed on probation for stealing
computer manuals from a Pacific Bell telephone switching center in Los
Angeles.
Those who know Mitnick paint a picture of a man obsessed with the power
inherent in controlling the nation's computer and telephone networks.
The recent break-ins he is accused of conducting include forays into
computer systems at Apple Computer Inc. and Motorola Inc. and attacks on
commercial services that provide computer users with access to the
Internet, including the Well in Sausalito, Calif., Netcom in San Jose,
Calif., and the Colorado Supernet, in Boulder, Colo.
To make it difficult for investigators to determine where the attacks were
coming from, Mitnick is said to have used his computer and modem to
manipulate a local telephone company switch in Raleigh to disguise his
whereabouts.
In recent weeks, as an elite team of computer security experts tightened an
invisible electronic net around the fugitive, Mitnick continued to taunt
his pursuers, apparently unaware of how close they were to capturing him.
About 10 days ago, for example, someone whom investigators believe to have
been Mitnick left a voice-mail message for Shimomura, a Japanese citizen.
The message reprimanded Shimomura for converting the intruder's earlier
voice-mail messages into computer audio files and making them available on
the Internet.
"Ah Tsutomu, my learned disciple," the taunting voice said. "I see that you
put my voice on the Net. I'm very disappointed, my son."
But the continued attempts at one-upmanship simply gave the pursuers more
electronic evidence.
"He was a challenge for law enforcement, but in the end he was caught by
his own obsession," said Kathleen Cunningham, a deputy marshal for the U.S.
Marshals Service who has pursued Mitnick for several years.
Mitnick first came to national attention in 1982 when, as a teen-age prank,
he used a computer and a modem to break into a North American Air Defense
Command computer.
He subsequently gained temporary control of three central offices of
telephone companies in New York City and all the phone switching centers in
California.
This gave him the ability to listen in on calls and pull pranks like
reprogramming the home phone of someone he did not like so that each time
the phone was picked up, a recording asked for a deposit of a coin.
But the break-ins escalated beyond sophomoric pranks. For months in 1988,
Mitnick secretly read the electronic mail of computer security officials at
MCI Communications and Digital Equipment Corp., learning how their
computers and phone equipment were protected.
Officials at Digital later accused him of causing $4 million in damage to
computer operations at the company and stealing $1 million of software. He
was convicted in July 1989 and sentenced to a year in a low-security
federal prison in Lompoc, Calif.
One of his lawyers convinced the court that Mitnick had an addiction to
computers. In July 1989, after his release from prison, he was placed in a
treatment program for compulsive disorders, the Beit T'Shuvah center in Los
Angeles. During his six months there, he was prohibited from touching a
computer or modem.
That restriction was a condition of his probation when he was released in
mid-1990, and it was for reportedly violating this condition that federal
officials were pursuing him when he dropped out of sight in November 1992.
In September 1993, the California Department of Motor Vehicles also issued
a warrant for his arrest. The warrant stated that Mitnick had wiretapped
calls from FBI agents. He then used law-enforcement access codes obtained
by eavesdropping on the agents to illegally gain access to the drivers'
license data base in California.
Federal law enforcement officials believe that Mitnick has conducted a long
string of computer and telephone network break-ins during more than
two years on the run.
And they say his ability to remain at large until now illustrates the new
challenges that law enforcement officials face in apprehending criminals
who can cloak themselves behind a curtain of forged electronic data.
------------------------------------------------------------------------------
HOW A COMPUTER SLEUTH TRACED A DIGITAL TRAIL
By John Markoff
Special to The New York Times
RALEIGH, N.C., Feb. 15 -- It takes a computer hacker to catch one.
And if, as Federal authorities contend, the 31-year-old computer outlaw
Kevin D. Mitnick is the person behind a recent spree of break-ins
to hundreds of corporate, university and personal computers on the
global Internet, his biggest mistake was raising the interest and ire
of Tsutomu Shimomura.
Mr. Shimomura, who is 30, is a computational physicist with a reputation
as a brilliant cybersleuth in the tightly knit community of programmers
and engineers who defend the country's computer networks. And it was
Mr. Shimomura who raised the alarm in the Internet world after someone used
sophisticated hacking techniques on Christmas Day to remotely break into
the computers he keeps in his beach cottage near San Diego and steal
thousands of his data files.
Almost from the moment Mr. Shimomura discovered the intrusion, he made it
his business to use his own considerable hacking skills to aid the
Federal Bureau of Investigation's inquiry into the crime spree. He set up
stealth monitoring posts, and each night over the last few weeks, used
software of his own devising to track the intruder, who was prowling
the Internet. The activity usually began around midafternoon, Eastern
time, and broke off in the early evening, then resumed shortly after
midnight and continued through dawn.
The monitoring by Mr. Shimomura enabled investigators to watch as the
intruder commandeered telephone company switching centers, stole computer
files from Motorola, Apple Computer and other companies, and copied 20,000
credit card account numbers from a commercial computer network used
by some of the world's wealthiest and savviest people.
And it was Mr. Shimomura who concluded last Saturday that the intruder
was probably Kevin Mitnick, whose whereabouts had been unknown since
November 1992, and that he was operating from a cellular phone network in
Raleigh, N.C.
On Sunday morning, Mr. Shimomura took a flight from San Jose, Calif., to
Raleigh-Durham International Airport. By 3 A.M. Monday, he had helped
local telephone company investigators use cellular-frequency scanners
to pinpoint Mr. Mitnick's location: a 12-unit apartment building in
the northwest Raleigh suburb of Duraleigh Hills.
Over the next 48 hours, as the F.B.I. sent in a surveillance team,
obtained warrants and prepared for an arrest, cellular telephone
technicians from Sprint Cellular monitored the electronic activities of
the person they believed to be Mr. Mitnick.
The story of the investigation, particularly Mr. Shimomura's role, is a
tale of digital detective work in the ethereal world known as cyberspace.
[Another note from Bill: Go ahead and retch now. Go on. Get it out
of your system. There. Feel better? Okay, let's move on. :) ]
When a Detective Becomes a Victim
On Christmas Day, Tsutomu Shimomura was in San Francisco, preparing
to make the four-hour drive to the Sierra Nevada, where he spends most
of each winter as a volunteer on the cross-country ski patrol near
Lake Tahoe.
But the next day, before he could leave for the mountains, he received an
alarming call from his colleagues at the San Diego Supercomputer Center,
the federally financed research center that employs him. Someone had
broken into his home computer, which was connected to the center's
computer network.
Mr. Shimomura returned to his beach cottage near San Diego, in Del Mar,
Calif., where he found that hundreds of software programs and files had
been taken electronically from his work station. This was no random
ransacking; the information would be useful to anyone interested in
breaching the security of computer networks or cellular phone systems.
Taunting messages for Mr. Shimomura were also left in a computer-
altered voice on the Supercomputer Center's voice-mail system.
Almost immediately, Mr. Shimomura made two decisions. He was going to track
down the intruders. And Lake Tahoe would have to wait a while this year.
The Christmas attack exploited a flaw in the Internet's design by fooling
a target computer into believing that a message was coming from a
trusted source. By masquerading as a familiar computer, an attacker can
gain access to protected computer resources and seize control of an
otherwise well-defended computer system. In this case, the attack had been
started from a commandeered computer at Loyola University of Chicago.
Though the vandal was deft enough to gain control of Mr. Shimomura's
computers, he, she or they had made a clumsy error. One of Mr. Shimomura's
machines routinely mailed a copy of several record keeping files to a
safe computer elsewhere on the network -- a fact that the intruder did
not notice.
That led to an automatic warning to employees of the Supercomputer Center
that an attack was under way. This allowed the center's staff to throw the
burglar off the system, and it later allowed Mr. Shimomura to reconstruct
the attack.
In computer-security circles, Mr. Shimomura is a respected voice. Over
the years, software security tools that he has designed have made him a
valuable consultant not only to corporations, but also to the F.B.I.,
the Air Force and the National Security Agency.
Watching An Attack From a Back Room
The first significant break in the case came on Jan. 28, after Bruce
Koball, a computer programmer in Berkeley, Calif., read a newspaper
account detailing the attack on Mr. Shimomura's computer.
The day before, Mr. Koball had received a puzzling message from the
managers of a commercial online service called the Well, in Sausalito,
Calif. Mr. Koball is an organizer for a public-policy group called
Computers, Freedom and Privacy, and Well officials told him that
the group's directory of network files was taking up millions of
bytes of storage space, far more than the group was authorized to use.
That struck him as odd, because the group had made only minimal use
of the Well. But as he checked the group's directory on the Well, he
quickly realized that someone had broken in and filled it with
Mr. Shimomura's stolen files.
Well officials eventually called in Mr. Shimomura, who recruited a
colleague from the Supercomputer Center, Andrew Gross, and an independent
computer consultant, Julia Menapace. Hidden in a back room at the
Well's headquarters in an office building near Sausalito, the three
experts set up a temporary headquarters, attaching three laptop computers
to the Well's internal computer network.
Once Mr. Shimomura had established his monitoring system, the team had
an advantage: it could watch the intruder unnoticed.
Though the identity of the attacker or attackers was unknown, within days
a profile emerged that seemed increasingly to fit a well-known computer
outlaw: Kevin Mitnick, who had been convicted in 1989 of stealing
software from Digital Equipment Corporation.
Among the programs found at the Well and at stashes elsewhere on the
Internet was the software that controls the operations of cellular
telephones made by Motorola, NEC, Nokia, Novatel, Oki, Qualcomm and
other manufacturers. That would be consistent with the kind of information
of interest to Mr. Mitnick, who had first made his reputation by
hacking into telephone networks.
And the burglar operated with Mr. Mitnick's trademark derring-do. One
night, as the investigators watched electronically, the intruder broke
into the computer designed to protect Motorola Inc's internal network
from outside attack, stealing the protective software itself.
Mr. Shimomura's team, aided by Mark Seiden, an expert in computer
security, soon discovered that someone had obtained a copy of the credit
card numbers for 20,000 members of Netcom Communications Inc., a
service based in San Jose that provides Internet access.
To more easily monitor the invaders, the team moved its operation last
Thursday to Netcom's network operation center in San Jose.
High-Tech Tools Force an Endgame
Netcom's center proved to be a much better vantage point. To let its
customers connect their computer modems to its network with only a local
telephone call, Netcom provides thousands of computer dial-in lines
in cities across the country. Hacking into the network, the intruder
was connecting a computer to various dial-in sites to elude detection.
Still, every time the intruder would connect to the Netcom network,
Mr. Shimomura was able to capture the computer keystrokes.
Late last week, F.B.I. surveillance agents in Los Angeles were almost
certain that the intruder was operating somewhere in Colorado. Yet
calls were also coming in from Minneapolis and Raleigh.
The big break came last Saturday in San Jose, as Mr. Shimomura and
Mr. Gross, red-eyed from a 36-hour monitoring session, were eating pizza.
Subpoenas issued by Kent Walker, an assistant United States attorney in
San Francisco, had begun to yield results from telephone company calling
records. And now came data from Mr. Walker that suggested to Mr. Shimomura
that calls had been placed to Netcom's dial-in site in Raleigh through
a cellular telephone modem.
The calls were moving through a local switching office operated by
the GTE Corporation. But GTE's records showed that the calls had looped
through a nearby cellular telephone switch operated by Sprint. Because
of someone's clever manipulation of the network software, the GTE switch
thought that the call came from the Sprint switch, and the Sprint switch
[thought] it was from GTE. Neither company had a record identifying
the cellular phone.
When Mr. Shimomura called the number in Raleigh, he could hear it
looping around endlessly with a "clunk, clunk" sound. He called a
Sprint technician in Raleigh and spent five hours comparing Sprint's
records with the Netcom log-ins. It was nearly dawn when they determined
that the calls were being placed from near the Raleigh-Durham airport.
By 1 A.M. Monday, Mr. Shimomura was riding around Raleigh with a second
Sprint technician. From the passenger seat, Mr. Shimomura held a
cellular-frequency direction-finding antenna and watched a meter display
its readings on a laptop computer screen. Within 30 minutes, the two
had narrowed the site to the Players Court apartment complex in Duraleigh
Hills, three miles from the airport.
At that point, it was time for law enforcement officials to take over.
At 10 P.M. Monday, an F.B.I. surveillance team arrived.
In order to obtain a search warrant it was necessary to determine a
precise apartment address. And although Mr. Shimomura had found the
apartment complex, pinning down the apartment was difficult because
the cellular signals were creating a radio echo from an adjacent building.
The F.B.I. team set off with its own gear.
On Tuesday evening, the agents had an address -- Apartment 202 -- and
at 8:30 P.M. a Federal judge in Raleigh issued the warrant from his home.
At 2 A.M. today, F.B.I. agents knocked on the door of Apartment 202.
It took Mr. Mitnick more than five minutes to open the door. When he
did, he said he was on the phone with his lawyer. But when an agent took
the receiver, the line went dead.
------------------------------END OF SECOND ARTICLE---------------------------
From: emmanuel@well.sf.ca.us (Emmanuel Goldstein)
Subject: Mitnick Affidavit
Date: 17 Feb 1995 14:10:13 GMT
Organization: The Whole Earth 'Lectronic Link, Sausalito, CA
Lines: 48
Message-ID: <3i2ao5$o8q@nkosi.well.com>
Part Two - more of the affidavit filed 2/14
On February 2, 1995, I was advised by Gross a computer at The Well
(an internet provider), San Francisco, California, was compromised.
GROSS reported that the machine compromised at the Well was well.well.com
(aka well.sf.ca.us). The account used to gain access is called "dono."
The logged session contained many ftp transfers (ftp being a program
for moving files form [sic] one machine to another in either direction)
to the account "dono." The intruder had previously eliminated any other
traces of activity that would have similar logs.
In the home directory of the account "dono," there are several files
of an unusual nature. "Wietse" is a file of personal E-mail from
DAN FARMER to WIETSE VENEMA (two well known authorities in computer
security). The file "0108.gz" is a compressed file that contains copies
of credit card numbers from the Internet provider Netcom. The files
"newoki.tar.Z" and "okitsu.tar.Z" match files found at Loyola
University by Tom Reynolds that were confirmed to have been copied
from Tsutomu Shimomura's machine ariel.sdsc.edu. The remaining files
contain tools for breaking into computers (obtaining root access, e.g.
full access to the machine and all user data), tools for hiding the
intruder's tracks, electronic mail from several sources, and source
code which has not been identified yet.
Gross advised that the majority of activity in the "dono" account
originated from the machine teal.csn.org which belongs to the
Colorado Supernet (CSN) (an Internet provider). The session
documented on January 31, 1995, shows that the person using the
"dono" account had knowledge of the files taken from Shimomura's
machine and in one case the person in question renames one of the
files to a more memorable name.
Gross provided a copy of one full session from teal.csn.org wherein
the person logs in and uses the "newgrp" command which has been
replaced with a hacker version of newgrp that allows root access
(Superuser). The "zap2" program is then run to delete the
corresponding accounting records in the log files. The intruder
then goes to the "nascom" directory, looks at the files, renames
one of the files (indicating prior knowledge of their existence),
and then users [sic] the "last" command to make sure the accounting
log files are clean.
Gross also provided a detailed listing of the files in the nascom
directory. The files are copies of the originals taken form [sic]
Tsutomu Shimomura's machine ariel.sdsc.edu on December 25-26, 1994.
The files also match the copies found at Loyola University.
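The affidavit above describes the classic post-intrusion cleanup: a replaced "newgrp" for root, a "zap2" run against the accounting records, and "last" used to confirm the wtmp file looks clean. The earlier article notes the countermeasure that actually caught the Christmas intrusion: a machine that routinely mailed copies of its record-keeping files to a safe host elsewhere. The following is an added example, not code from the digest, the affidavit or any of the parties named in it. It parses a Linux-format wtmp file (the 384-byte glibc "struct utmp" layout, an assumption about the platform being audited), flags records that a zap-style tool has overwritten with zeros or left out of order, and compares the local file against an off-host copy to list the logins that were removed. All records are constructed inline; the account and host names are reused from the affidavit only as labels.

```python
"""
Added example (not from the digest or the affidavit): a wtmp forensic check.
Assumes the Linux/glibc 'struct utmp' record layout (384 bytes per record).
"""
import struct
from dataclasses import dataclass

# ut_type, pad, ut_pid, ut_line, ut_id, ut_user, ut_host, ut_exit (2 shorts),
# ut_session, ut_tv (sec, usec), ut_addr_v6 (4 ints), __unused
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20s"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384 on Linux

USER_PROCESS = 7   # a login session, as reported by "last"
DEAD_PROCESS = 8   # the matching logout record


@dataclass(frozen=True)
class Entry:
    ut_type: int
    pid: int
    line: str
    user: str
    host: str
    tv_sec: int


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def make_record(ut_type, pid, line, user, host, tv_sec) -> bytes:
    """Build one utmp record; used here only to construct sample data."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0, b"")


def parse_wtmp(data: bytes):
    """Return a list of Entry objects; None marks an all-zero (zapped) record."""
    if len(data) % UTMP_SIZE:
        raise ValueError("wtmp length is not a multiple of the record size")
    entries = []
    for off in range(0, len(data), UTMP_SIZE):
        chunk = data[off:off + UTMP_SIZE]
        if chunk == bytes(UTMP_SIZE):
            entries.append(None)          # zeroed in place: the zap signature
            continue
        f = struct.unpack(UTMP_FMT, chunk)
        entries.append(Entry(f[0], f[1], _cstr(f[2]), _cstr(f[4]), _cstr(f[5]), f[9]))
    return entries


def audit(local: bytes, remote_copy: bytes) -> dict:
    """Compare the local wtmp with the off-host copy that was mailed away.

    zeroed:       indices of records overwritten with zeros
    out_of_order: indices (among live records) where time steps backwards,
                  which does not happen in an append-only file
    missing:      records present in the safe copy but gone locally
    """
    local_entries = parse_wtmp(local)
    remote_entries = parse_wtmp(remote_copy)
    zeroed = [i for i, e in enumerate(local_entries) if e is None]
    live = [e for e in local_entries if e is not None]
    out_of_order = [i for i in range(1, len(live)) if live[i].tv_sec < live[i - 1].tv_sec]
    local_set = set(live)
    missing = [e for e in remote_entries if e is not None and e not in local_set]
    return {"zeroed": zeroed, "out_of_order": out_of_order, "missing": missing}


# --- constructed sample data (not real logs) ---------------------------------
T0 = 788400000  # constructed epoch seconds, late December 1994
RECORDS = [
    make_record(USER_PROCESS, 101, "ttyp0", "agross", "ariel.sdsc.edu", T0),
    make_record(DEAD_PROCESS, 101, "ttyp0", "", "", T0 + 600),
    make_record(USER_PROCESS, 202, "ttyp1", "dono", "teal.csn.org", T0 + 900),
    make_record(DEAD_PROCESS, 202, "ttyp1", "", "", T0 + 1500),
    make_record(USER_PROCESS, 303, "ttyp0", "agross", "ariel.sdsc.edu", T0 + 3600),
]
REMOTE_COPY = b"".join(RECORDS)                       # the copy mailed off-host
LOCAL_TAMPERED = b"".join([RECORDS[0], RECORDS[1],    # the "dono" login zeroed,
                           bytes(UTMP_SIZE),          # its logout removed outright
                           RECORDS[4]])

if __name__ == "__main__":
    result = audit(LOCAL_TAMPERED, REMOTE_COPY)
    print("zeroed records at:", result["zeroed"])
    print("time went backwards at:", result["out_of_order"])
    for e in result["missing"]:
        print("removed from local wtmp:", e)
```

The point of the off-host copy is that "last" only reports what the local file still says; the comparison shows two records the cleanup removed, one zeroed in place and one deleted entirely, which no local check could recover.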
$$$6$$$6$$$6$$$MYC$$$6$$$6$$$6$$$MYC$$$6$$$6$$$6$$$MYC$$$6$$$6$$$6$$$
NETCOM HELPS PROTECT THE INTERNET
- A Letter from CEO Bob Rieger to Our Customers -
I know many of you are interested in NETCOM's involvement with the arrest
of Kevin Mitnick, and how this may impact you, if at all, as a NETCOM
subscriber. First, let me supply a chronology of events:
1. In a routine security check, NETCOM discovered a misappropriated file.
As a result, we began an investigation to trace what appeared to be a
security breach.
2. At about the same time, the WELL (a small Sausalito-based on-line
provider) was investigating an account with an unexpectedly large amount
of disk usage. In the course of this investigation, they discovered
suspicious material which included items believed illicitly obtained from
well-known network security expert Tsutomu Shimomura's computer.
Mr. Shimomura performed network monitoring at the WELL, and determined that
the account was being accessed from a number of sites, including NETCOM.
3. The WELL contacted NETCOM for assistance in tracking the source of the
security breach.
4. A day or two later, the FBI contacted NETCOM and requested NETCOM's
active involvement in the broadening investigation of the suspicious
activities at the WELL.
5. NETCOM caucused with representatives of the WELL, the FBI, the U.S.
Attorney's Office, Mr. Shimomura, and Julia Menapace (an independent
computer consultant and associate of Mr. Shimomura).
6. Following the conversation, it was decided that the best vantage point
for further tracking of these activities was NETCOM's Network Operations
Center.
7. NETCOM operations staff joined their efforts with Mr. Shimomura and
his associates to trace the suspect intrusions to a particular telephone
modem in NETCOM's Raleigh, N.C. site.
8. At that point, the U.S. Justice Department subpoenaed the local
telephone carrier for records of dial-ins at specific times to this
modem. It became apparent that the telephone company's switch equipment
had been compromised, so that these records could not be obtained.
However, the Justice Department found another method for making a match.
9. With this information, the Justice Department knew the approximate
location of the originating call.
10. Mr. Shimomura flew to Raleigh and used cellular tracking equipment to
locate the apartment building the calls were coming from. Eventually, the
calls were traced to an individual apartment, and Mr. Mitnick was arrested.
I hope this detailed recounting helps explain the necessity for silence
and discretion on NETCOM's part while the investigation was ongoing.
Similarly, we need to be appropriately discreet during the
continuing investigation of Mr. Mitnick's alleged illegal activities.
While respecting these legitimate restraints, we will provide
as much information as possible on a timely basis to you. (As an aside,
you may have noticed that I recently promoted Mr. Kael Loftus to the
position of Customer Liaison. Mr. Loftus has already proven very
helpful in facilitating communication between our customers and NETCOM.)
There has been some concern expressed about the security of NETCOM
customers' credit card numbers. While this incident may have involved the
duplication of some credit card numbers, this would apply only to UNIX
shell accounts. NETCOM has always made system security its top priority,
but every UNIX system has loopholes that can potentially be exploited by
an expert cracker. However, to provide additional security for our UNIX
accounts, we have further isolated these customers' billing information,
including credit card data. This is why the "ccupdate" feature for the
UNIX shell accounts has been disabled, and why the "quota" program
currently says,"Your account balance is temporarily unavailable." These
features will be reinstated when we are able to do so in a secure fashion.
As a practical matter, at this time we have absolutely no indication that
any of our UNIX shell customers' credit card numbers have been used
illicitly.
Naturally, we encourage all customers to check their credit card billing
statements carefully. If there is any hint of inappropriate billing, this
should be brought to the immediate attention of the credit card issuer
for reversal of those charges.
The incident did not involve NetCruiser accounts, which make up the vast
majority of NETCOM accounts. Fortunately, the security firewalls built
into NetCruiser's system architecture make such a compromise far more
difficult.
The big story in all of this is that the Internet is maturing into an
extraordinarily efficient means of communication that millions of people
use and depend on daily. NETCOM will do everything in its power to help
assure the security of our network. We will spend the money and employ
the technology, but deterrence is our real goal.
Common thieves should know that NETCOM will be ever vigilant in seeking
their identification and prosecution.
-$$$$$$$$$$$$$$$OOOh$$$$$$$$$$$$$$$I'm$$$$$$$$$$$$$$$SCARED!!!$$$$$$$$$$$$$$$-