List: best-of-security
Subject: BoS: Jim Christy GAO witness document
From: Julian Assange <proff () suburbia ! net>
Date: 1996-05-28 18:11:05
PREPARED TESTIMONY OF
JIM CHRISTY
AIR FORCE INVESTIGATOR
BEFORE THE SENATE GOVERNMENTAL AFFAIRS COMMITTEE
PERMANENT INVESTIGATIONS SUBCOMMITTEE
APPENDIX "A" to STAFF STATEMENT
U.S. Senate Permanent Subcommittee On Investigations
[Note: The Subcommittee's full Staff Statement will be presented at the June 5,
1996 hearing on Security in Cyberspace.]
THE CASE STUDY: ROME LABORATORY, GRIFFISS AIR FORCE BASE, NY INTRUSION
The following case study is a good illustration of the type of threat facing our
Department of Defense information infrastructure. Although the incident has been
fully investigated by the Air Force Office of Special Investigations (OSI)
numerous questions remain unanswered.
On March 28, 1994, computer systems administrators at Rome Air Development
Center, Griffiss Air Force Base, New York, ("Rome Labs") discovered their
network had been penetrated and compromised by an illegal wiretap computer
program called a "sniffer" /1/ that had been covertly installed on one of the
systems connected to Rome Labs network. Rome Labs is the Air Force's premier
command and control research facility. Its projects include artificial
intelligence systems, radar guidance systems, and target detection and tracking
systems. Rome Labs works with academic institutions, commercial research
facilities, and Defense contractors.
Upon detecting the password sniffer, the Rome Labs systems administrators
immediately notified the Defense Information Systems Agency (DISA) that several
computers at the Rome Labs had been penetrated electronically by unknown
intruder(s). The Defense Information Systems Agency has a Computer Emergency
Response Team (CERT) of computer security experts that assist Department of
Defense systems administrators when they have a computer security incident.
The DISA CERT team, recognizing the severity of the incident, notified the Air
Force Office of Special Investigations (AFOSI) of the intrusion. Agents from
AFOSI notified the Air Force computer security experts at the Air Force
Information Warfare Center, San Antonio, Texas. /2/ The team of security experts
and Computer Crime Investigators traveled to Rome Labs and proceeded to review
audit trails and interview systems administrators and witnesses. Their
preliminary investigation revealed that two unknown individuals had:
electronically penetrated seven of the computer systems at Rome Labs and gained
complete access to all of the information residing on the systems; downloaded
(copied) data files; and installed sniffer software programs on each of the
seven systems.
These seven sniffer programs compromised a total of 30 of Rome Labs's systems.
These systems contain sensitive research and development data. The computer
system security logs revealed that Rome Labs systems had initially been
penetrated on March 23, 1994, but were not discovered until five days later
(March 28).
The investigation further revealed that the seven sniffer programs compromised
over 100 additional user accounts by capturing user logons and passwords. Users'
e-mail was read, copied and deleted. Sensitive unclassified battlefield
simulation program data was read and copied.
After the attackers had compromised all of the 30 systems at Rome Labs the
intruders used Rome Labs systems as an Internet launching platform to attack
other military, government, commercial, and academic systems world-wide,
compromising user accounts, installing sniffer programs, and downloading large
volumes of data from penetrated systems.
The assembled investigative team briefed the Rome Labs Commander, who was given
the option of securing all of the systems that had been penetrated by the
attackers, or leaving one or more of the compromised systems open to attack so
the agents could attempt to trace the path of the attacks back to their origin
and identify the attackers. The commander opted to leave some of the systems
open for the agents but the majority of the 30 compromised computer systems were
secured.
Using standard software and computer systems commands the attacks were initially
traced back one leg of their path. The majority of the attacks were traced back
to two commercial Internet providers, /3/ cyberspace.com, in Seattle, Washington
and mindvox.phantom.com, in New York. Newspaper articles indicated that
mindvox.phantom.com's computer security was provided by individuals that
described themselves as "two former East-Coast Legion of Doom members". The
Legion of Doom is a loose-knit computer hacker group which had several members
convicted for intrusions into corporate telephone switches in 1990 and 1991.
Because the agents did not know whether the owners of the New York Internet
provider were willing participants or merely a transit point for the break-ins
at Rome Labs, they decided to surveil the victim computer systems to find out
the extent of the access of the intruders and identify all of the victims.
Following legal coordination and approval with Headquarters AFOSI's legal
counsel, the Air Force General Counsel's Office and Department of Justice,
Computer Crime Unit, real time content monitoring was established on one of the
Rome Labs's networks. Real time content monitoring is analogous to performing a
Title III wiretap as it allows you to eavesdrop on communications, or in this
case text. The investigative team also began full "keystroke monitoring" /4/ at
Rome. A sophisticated sniffer program was installed by the team to capture every
keystroke of any intruder who entered the Rome Labs's system. /5/ Additionally,
limited context monitoring of the commercial Internet providers was also
performed remotely. This limited context monitoring consisted of subscribing to
the commercial Internet providers service and utilizing only software commands
and utilities the Internet provider authorized every subscriber to use.
The path of the intruders could only be traced back one leg. To determine the
next leg of the intruders path required access to the next system along the
hacker's route. If the attacker was utilizing telephone systems to access the
Internet provider a court ordered "trap and trace" of telephone lines was
required. Due to the time constraints involved in obtaining such an order, it
was not a viable option. Furthermore, if the attacker changed their path the
trap and trace would not be fruitful.
During the course of the intrusions, the Investigative team monitored the
hackers as they intruded on the system attempting to trace the intruders back to
their origin. They found the intruders were using the Internet and making
fraudulent use of the telephone systems, or "phone phreaking." /6/ Because the
intruders used multiple paths to launch their attacks, the investigative team
was unable to trace back to the origin in real time due to the difficulty in
tracing back multiple systems in multiple countries. Subsequent reviews of the
surveillance logs revealed that on March 30, 1994, systems of the Army
Corps of Engineers, Vicksburg, Mississippi were attacked from Rome Lab's
systems. Additionally, from the monitoring, the investigators were able to
determine the hackers used the nicknames Datastream and Kuji.
AFOSI Computer Crime Investigators turned to their human intelligence network of
informants that "surf the Internet". The investigators levied their informants
to identify the two hackers using the handles Datastream and Kuji. On April 5,
1994, an informant told the investigators he had a conversation with a hacker
that identified themselves as Datastream Cowboy.
The conversation was via E-Mail and the individual stated that he was from the
United Kingdom. The on line conversation had occurred three months prior. In the
E-Mail provided by the informant, Datastream indicated he was a 16 year old from
the United Kingdom who liked to attack ".MIL" /7/ sites because they were so
insecure. Datastream even provided the informant with his home telephone number
for his own hacker bulletin board systems he had established. /8/
The Air Force Agents had previously established liaison with New Scotland Yard
who were able to identify the individuals residing at the residence associated
with Datastream's telephone numbers. New Scotland Yard had British Telecom
initiate monitoring (pen registers) of the individual's telephone lines. A pen
register recorded all of the numbers dialed by the individuals at the residence.
Almost immediately that monitoring disclosed that someone from the residence was
phone phreaking through British Telecom, which is also illegal in the United
Kingdom.
New Scotland Yard found that every time there was an intrusion at Rome Labs, the
individual in the UK was phone phreaking the telephone lines to make free
telephone calls out of the UK. Originating from the UK, his path of attack was
through systems in multiple countries in South America, multiple countries in
Europe, and also through Mexico and Hawaii, and would occasionally end up at Rome Labs.
From Rome Labs he was able to attack systems via the Internet at NASA's Jet
Propulsion Laboratory in California and their Goddard Space Flight Center in
Greenbelt, MD.
Continued monitoring by the UK and U.S. authorities disclosed that on April 10, 1994,
Datastream successfully penetrated an aerospace contractor's home system that
had been compromised at Rome Labs by the installation of the sniffers. The
attackers captured the logon of the contractors at Rome Labs with their sniffer
programs when the contractor would log onto their home systems in California and
Texas. The sniffer would capture the address of their home system, plus that
contractor's logon and password for that home system. Once the logon and
password was compromised the attackers could masquerade as that authorized user
on the contractor's home system. Four of the contractor's systems were
compromised in California and a fifth in Texas.
Datastream also utilized an Internet Scanning Software attack on multiple
systems of this aerospace contractor. The Internet Scanning Software is a hacker
tool developed to gain intelligence about a system. It will attempt to collect
information on the type of operating system the computer is running and any
other available information that could be used to assist the attacker in
determining what attack tool might successfully break into that particular
system. The software also tries to locate the password file for the system being
scanned and then tries to make a copy of that password file. The significance of
the theft of a password file, is that even though password files are usually
stored encrypted, they are easily decrypted. There are several hacker "password
cracker" programs available on the Internet. If a password file is stolen/copied
and cracked, the attacker can then log onto that system as what the systems
perceives is a legitimate user.
Monitoring activity disclosed, on April 12, that Datastream initiated an
Internet Scanning Software attack from Rome Labs against Brookhaven National
Labs, Department of Energy, New York. Datastream also had a two hour connection
with the aerospace contractors system previously compromised.
On April 14, remote monitoring activity of the Seattle Internet provider,
cyberspace.com, by the Air Force, indicated Kuji connected to the Goddard Space
Flight Center, Greenbelt, Maryland, through the Internet provider and from
Latvia. The monitoring disclosed data was being transferred from Goddard Space
Flight Center to the Internet provider. In order to prevent the loss of
sensitive data, the monitoring team broke the connection. It is still unknown if
the data being transferred from the National Aeronautics and Space
Administration (NASA) system was destined for Latvia.
Further remote monitoring activity of the Seattle Internet provider,
cyberspace.com, disclosed Datastream accessing the National Aero-Space Plane
Joint Program Office, a joint project headed by the NASA and the Air Force at
Wright-Patterson, AFB, Ohio. Monitoring disclosed a transfer of data from
Wright-Patterson AFB traversing through cyberspace.com to Latvia. Apparently,
Datastream attacked and compromised a system in Latvia which was just being used
as conduit to prevent identification.
Kuji also initiated an Internet Scanning Software attack against
Wright-Patterson AFB, from the Internet provider in Seattle, Washington, the
same day. The theft of a password file from a computer system at
Wright-Patterson AFB was also attempted.
On April 15, real time monitoring disclosed Kuji executing the Internet Scanning
Software, against NATO Headquarters in Brussels, Belgium and Wright-Patterson
AFB, OH, from Rome Labs. Kuji did not appear to gain access to any NATO systems
from this particular attack. However, a systems administrator from SHAPE
Technical Center (NATO Headquarters), The Hague, Netherlands was interviewed, on
April 19, by AFOSI and disclosed Datastream had successfully attacked one of
SHAPE's computer systems from the Internet provider in New York,
mindvox.phantom.com.
Once they confirmed the hacker's identity, and developed
probable cause, New Scotland Yard requested and was authorized a search warrant
for the residence of Datastream. The plan was to wait until the individual was
on line, at Rome Labs, and then execute the search warrant. The investigators
wanted to catch Datastream on line so they could identify all of the victims in
the path between his residence and Rome Labs. Once Datastream got on-line at
Rome Labs, they found that he suddenly accessed a system in Korea and logically
/9/ obtained all of the data stored on the Korean Atomic Research Institute
system and deposited it on Rome Lab's system. Initially it was unclear whether
the Korean system belonged to North Korea or South Korea. The concern was that
if it was North Korea, the North Koreans would think the logical transfer of the
storage space was an intrusion by the US Air Force, which could be perceived as
an aggressive act of war. During this time frame, the U.S. was in sensitive
negotiations with the North Koreans regarding their nuclear weapons program.
Within hours, it was determined that Datastream had hacked into the South Korean
Atomic Research Institute. At this point, New Scotland Yard decided to expand
their investigation and requested the Air Force to continue to monitor and
collect evidence in support of their investigation and postponed execution of
the search warrant.
On May 12, New Scotland Yard executed their search warrant on Datastream's
residence. The search disclosed Datastream had launched his attacks with only a
25 MHz, 486 SX desktop computer with only a 170 Megabyte hard drive. This is a
very modest system that is very slow with very limited storage capacity. /10/
Datastream had numerous documents which contained references to Internet
addresses, including six NASA systems, US Army and US Navy systems with
instructions on how to loop through multiple systems to avoid detection.
At the time of the search, Datastream was arrested and interviewed by New
Scotland Yard detectives. Detectives stated Datastream had just logged out of a
computer system when they entered his room. Datastream admitted to breaking
into Rome Labs numerous times as well as multiple other Air Force systems
(Hanscom AFB, Massachusetts, and Wright-Patterson AFB, Ohio). Datastream
admitted to stealing a sensitive document containing research regarding Air
Force artificial intelligence. He added he searched for the word "missile", not
to find missile data but to find information specifically about artificial
intelligence. He further explained that one of the files he stole was a 3-4
megabyte file (3-4 million characters in size) and he stored it at the Internet
provider's system in New York (mindvox.phantom.com). He stored it at the
Internet provider's system because it was too large to fit on his home system.
This file was an artificial intelligence program that dealt with Air Order of
Battle. Datastream explained he paid for the Internet provider's service with a
fraudulent credit card number which was generated by a hacker program he had
found on the Internet. Datastream was released on bail following the interview.
The investigation never revealed the identity of Kuji. From conduct observed
through the investigators monitoring, Kuji was a far more sophisticated hacker
than the 16 year old Datastream. Air Force investigators were able to observe
that Kuji would only stay on a telephone line a short time, not long enough to
be traced successfully. There was no informant information available except that
Computer Crime Investigators from the Victorian Police Department in Australia
had seen the name Kuji on some of the hacker Bulletin Board Systems in
Australia. Unfortunately, Datastream provided a great deal of the information he
stole to Kuji electronically.
Furthermore, Kuji appears to have tutored Datastream on how to break into
networks and on what information to obtain.
During the monitoring, the investigative team could observe Datastream attack a
system and fail to break in. Datastream would then get into an on-line "chat
sessions" /11/ with Kuji which the investigative team could not see due to the
limited context monitoring at the Internet providers. These chat sessions would
last 20-40 minutes. Following the on-line conversation the investigative team
would then watch Datastream attack the same system he had previously failed to
penetrate, but this time he would be successful. Apparently Kuji assisted and
mentored Datastream and, in return, received from Datastream stolen information.
Datastream, when interviewed by New Scotland Yard's Computer Crime
Investigators, told them he had never physically met Kuji and only communicated
with him through the Internet or on the telephone. Nobody knows what Kuji did
with this information or why it was being collected. In addition it is not known
where Kuji resides. During the 26 day period of attacks, there were over 150
known intrusions by the two hackers, Datastream Cowboy and Kuji.
A damage assessment of the intrusions into the Rome Lab's systems was conducted
on October 31, 1994. The assessment indicated a total loss to the United States
Air Force of $211,722. This cost did not include the costs of the investigative
effort or the recovery and monitoring team. No other federal agencies that were
victims of the hackers, including NASA and the Bureau of Reclamation, conducted
damage assessments. The General Accounting Office conducted an additional damage
assessment at the request of Senator Sam Nunn. (See GAO Report, Information
Security, Computer Attacks at Department of Defense Pose Increasing Risks. )
Datastream is pending prosecution in the UK. Numerous aspects of this
investigation remain unsolved:
- The identity and motivation of Kuji. Though investigators believe he was
technically more sophisticated than Datastream, he has not been identified,
and his motivation is presently unknown. Furthermore, it is unknown whether
Datastream was his only agent, or whether he utilized others in the same manner.
- The extent of the attack. The investigators believe they only uncovered a
portion of the attack. It is still not known (1) whether the hackers
attacked Rome Labs at previous times before the sniffer was discovered; (2)
whether the hackers attacked other systems where they were not detected.
- The extent of the damage. Some costs can be attributed to the incident such as the
cost of repair, and the cost of the investigative effort. The investigation,
however, was unable to reveal what was downloaded from the networks, or whether
any data was tampered with. Given the sensitive information contained on the
various computer networks -- Rome Labs, Goddard Space Flight Center, the Jet
Propulsion Laboratory, Wright-Patterson AFB, or the National Aero-Space Plane
Program -- it is very difficult to quantify the loss from a national security
perspective.
End Notes
/1/ A sniffer is covertly installed on computer networks by hackers to illegally
collect user logons of authorized users. Generally sniffers collect the first
128 characters of each new user's logon. The first 128 characters of a user
session usually contain the network address information of the computer system
the user wants to log onto and then their private logon and password. These
sniffers will capture this sensitive information in a file that is hidden from
most systems administrators, making it very difficult to find even when an expert
knows what to look for. The hacker periodically comes back (electronically) and
reads the sniffer file of captured user logons. The hacker can then masquerade
as any of those authorized users that had their logon and password captured.
/2/ The Air Force Information Warfare Center has the Air Force's Computer
Emergency Response Team (AFCERT) which receives all AF computer security
incident reports. The Air Force responded by sending multi-disciplined teams
from the Air Force Information Warfare Center (AFIWC), Air Intelligence Agency,
and a team of AFOSI Computer Crime Investigators. The computer security experts
from AFCERT performed three functions at Rome Labs: 1) assist in the assessment
of the extent of compromise of the Rome Lab's systems; 2) secure systems; and 3)
provide computer surveillance support for AFOSI's Computer Crime Investigators.
/3/ An Internet provider is a subscription service provided by a commercial
company. In this case, the company had computers that were connected to the
Internet and a bank of telephone lines connected to their computer system that
can be accessed from a home or office computer via modem. Once a subscriber
accesses the company's computer system he or she can store data on their
systems, utilize their reference library or use programs that reside on their
system. In addition the service provider gives you connectivity to the Internet.
/4/ Keystroke monitoring is the capturing of predetermined data typed by a user
that is logged into a system. Keystroke monitoring usually captures every
keystroke typed by every user logged into the system. Keystroke monitoring is an
electronic surveillance equivalent to a wiretap.
/5/ Since the Rome Lab had previously installed a logon warning banner putting
all users on notice that the system was for "Official Use Only", was monitored
for security purposes, and "Use of the system constituted consent to
monitoring", a court order was not required. The surveillance could commence
with only the approval of the AF's General Counsel's office.
/6/ Phone phreaking is a subset of computer hacking and involves hacking of the
telephone systems to make fraudulent phone calls, or manipulate the telephone
systems. Phone phreakers can install calling features like caller-id, call
waiting, make conference calls, zero out billing records, etc.
/7/ ".MIL" is a suffix attached to many military Internet addresses.
/8/ Hackers commonly set up bulletin boards that serve as open access
repositories of information they wish to disseminate to the Internet community.
/9/ When a user logically picks up data, he or she is adding remote disk storage
that will be accessed by their own system as if it were physically located
inside their own system.
/10/ Computers sold off the shelf today, just 2 years later, are significantly
more powerful with over 100 MHz Pentium processors and well over 1 Gigabyte of
disk storage capacity.
/11/ Chat sessions are text conversations that occur between users on the
Internet who type their conversations in real time versus talking over voice
telephone lines.
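The sniffer mechanism end note /1/ describes, and which was used against the contractors logging on from Rome Labs to their home systems on April 10, is easy to see in code. The following is an added example written for this page; it is not software from the Rome Labs case, from the intruders, or from the Air Force investigators. It assumes the cleartext telnet logins of the period, looks only at the client-to-server direction of each session, and runs over constructed packet records with invented hosts, user names and passwords. It keeps exactly the first 128 bytes of each new session, as the end note says, and then shows what those bytes yield: the remote system's address plus the logon and password, and, for a session whose telnet option negotiation is long, only a prefix of the password.

```python
"""Added example for this page: how a 1994-style login sniffer (end note /1/)
turns the first 128 bytes of each new session into a captured credential, and
why that window sometimes yields only a partial password.

This code was written for this page; it is not software from the Rome Labs
case, from the intruders, or from the Air Force investigators.  All hosts,
user names and passwords below are invented, and the packet records are
constructed to resemble cleartext telnet logins.
"""

CAPTURE_LIMIT = 128  # bytes kept per new session, the figure end note /1/ gives

# Telnet command bytes (RFC 854) used by the option-negotiation stripper.
IAC, SB, SE = 0xFF, 0xFA, 0xF0
WILL, WONT, DO, DONT = 0xFB, 0xFC, 0xFD, 0xFE

# Constructed sample traffic as (source, destination, client->server payload).
# Session 1: a short option negotiation, then user name and password.
# Session 2: a contractor at Rome Labs logging on to a home system whose
# client sends 36 option triples (108 bytes) before the first typed byte.
LONG_NEGOTIATION = b"".join(bytes([IAC, DO, opt]) for opt in range(36))
PACKETS = [
    ("10.0.0.5", "192.0.2.10:23", b"\xff\xfd\x03\xff\xfb\x18jsmith\r\n"),
    ("10.0.0.7", "198.51.100.4:23", LONG_NEGOTIATION),
    ("10.0.0.5", "192.0.2.10:23", b"Hunter2!\r\n"),
    ("10.0.0.7", "198.51.100.4:23", b"contractor\r\n"),
    ("10.0.0.7", "198.51.100.4:23", b"Tx-home-99\r\n"),
]


def capture_sessions(packets, limit=CAPTURE_LIMIT):
    """Keep the first `limit` bytes of client traffic per (source, destination)
    session and silently drop the rest, as the sniffer in end note /1/ does.
    Python dicts preserve insertion order, so sessions come out in the order
    they were first seen."""
    sessions = {}
    for src, dst, payload in packets:
        buf = sessions.setdefault((src, dst), bytearray())
        room = limit - len(buf)
        if room > 0:
            buf.extend(payload[:room])
    return sessions


def strip_telnet_options(data):
    """Remove telnet option negotiation so only typed characters remain:
    IAC WILL/WONT/DO/DONT <opt> triples, IAC SB ... IAC SE subnegotiations,
    and other two-byte IAC commands.  IAC IAC is a literal 0xFF byte."""
    out, i, n = bytearray(), 0, len(data)
    while i < n:
        b = data[i]
        if b != IAC:
            out.append(b)
            i += 1
            continue
        if i + 1 >= n:
            break  # negotiation cut off at the capture boundary
        cmd = data[i + 1]
        if cmd in (WILL, WONT, DO, DONT):
            i += 3
        elif cmd == SB:
            end = data.find(bytes([IAC, SE]), i + 2)
            i = n if end < 0 else end + 2
        elif cmd == IAC:
            out.append(IAC)
            i += 2
        else:
            i += 2
    return bytes(out)


def extract_credentials(buf):
    """Read the captured window as the first two lines the client typed: the
    user name and the password.  `complete` is False when the window closed
    before the password's line terminator arrived, i.e. the sniffer holds
    only a prefix of the password."""
    text = strip_telnet_options(bytes(buf)).replace(b"\r\n", b"\n")
    lines = text.split(b"\n")
    username = lines[0].decode("ascii", "replace")
    if len(lines) < 2:
        return username, "", False
    password = lines[1].decode("ascii", "replace")
    return username, password, len(lines) >= 3


def sniff_log(packets, limit=CAPTURE_LIMIT):
    """Produce the kind of record the intruders came back to read: who logged
    on to which remote system, with what credentials."""
    records = []
    for (src, dst), buf in capture_sessions(packets, limit).items():
        username, password, complete = extract_credentials(buf)
        records.append({"from": src, "to": dst, "username": username,
                        "password": password, "complete": complete})
    return records


if __name__ == "__main__":
    for rec in sniff_log(PACKETS):
        flag = "" if rec["complete"] else "  (password cut off by 128-byte window)"
        print(f"-- FROM {rec['from']} TO {rec['to']} -- "
              f"{rec['username']} / {rec['password']}{flag}")
```

The first record is the complete credential for 192.0.2.10 that lets an intruder masquerade as jsmith there. The second shows the limit of the 128-byte rule: 108 bytes of option negotiation and the 12-byte user name leave only 8 bytes of the password, so the sniffer records "Tx-home-" and the intruder would have to guess the rest or wait for the contractor's next logon.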