
Toad Hop



   [Before it is publicized, KM describes for Littman the
   Christmas 1994 attack on Shimomura's systems as a "TCP/IP
   prediction packet attack." (. . .) below are by Littman.]


   Three days later, on January 23, Shimomura will describe
   the attack in a widely distributed public Internet post. IP
   source address spoofing and TCP/IP sequence number
   prediction are the technical terms Shimomura uses to
   describe it, much like Mitnick's description. But his
   analysis is extremely technical, and even some UNIX
   security experts find it tough going.

   That same day, about 2 P.M., CERT will blast out an
   advisory to its international mailing list of 12,000
   Internet sites in the United States, Germany, Australia,
   the United Kingdom, Japan, and other countries. The vaguely
   worded report is much less specific than Mitnick's
   one-minute explanation on the telephone. Most likely, CERT
   is trying to provide enough detail so Internet sites can
   protect themselves against future attacks without providing
   so much detail that it could encourage copycat attacks.

   On one level, the hack is simple, a clever strike at a
   basic weakness of the Internet. Computers on the Internet
   are often programmed to trust other computers. The Internet
   was created to share information, and the attack on
   Shimomura, just like the Robert Morris Internet Worm attack
   seven years before, exploits that trust.

   The Internet has its own way of sending e-mail or files.
   Messages or files are split into smaller digital chunks or
   packets, each with its own envelope and address. When each
   message is sent, it's like a flock of birds that migrates
   to a planned location and reunites as a flock at the
   destination. Computers on the Internet often act like great
   flocks of birds that trust one another too. And all it
   takes is one enemy bird to infiltrate the flock.

                               . . .

   On Christmas Day 1994 the attack begins.

   First, the intruder breaks into a California Internet site
   that bears the cryptic name toad.com. Working from this
   machine, the intruder issues seven commands to see who's
   logged on to Shimomura's workstation, and if he's sharing
   files with other machines. Finger is one of the common UNIX
   commands the intruder uses to probe Shimomura's machine. As
   a security professional Shimomura should have disabled the
   feature. Finger is so commonly used by hackers to begin
   attacks that 75 percent of Internet sites, or about 15
   million of the more than 20 million Internet users, block
   its function to increase security.

   The intruder's making judgment calls on the fly about which
   commands will help him uncover which machines Shimomura's
   workstation might trust. He works fast. In six minutes he
   deduces the pattern of trust between Shimomura's UNIX
   workstation and an unknown Internet server.

   Then the automatic spoofing attack begins. It will all be
   over in sixteen seconds. The prediction packet attack
   program fires off a flurry of packets to busy out the
   trusted Internet server so it can't respond. Next, the
   program sends twenty more packets to Shimomura's UNIX
   workstation.

   The program is looking for a pattern in the initial
   sequence numbers -- the numbers used to acknowledge receipt
   of data during communications. The program deciphers the
   returned packets by subtracting each sequence number from
   the previous one. It notes that each new initial sequence
   number has grown by exactly 128,000. The program has
   unlocked the sequence number key.

   Shimomura's machine has to be idle for the attack to
   succeed. New Internet connections would change the initial
   sequence number and make it more difficult to predict the
   key. That's why the hacker attacks on Christmas Day.

   The attack program sends packets that appear to be coming
   from the trusted machine. The packet's return or source
   address is the trusted machine's Internet address.
   Shimomura's workstation sends a packet back to the trusted
   machine with its initial sequence number. But flooded by
   the earlier flurry of packets, the trusted server is still
   trying to handle the earlier traffic. It's tangled up.

   Taking advantage of the gagged server, the attacking
   program sends a fake acknowledgment. It looks real because
   it's got the source address of the trusted server, and the
   correct initial sequence number. Shimomura's workstation is
   duped. It believes it's communicating with a trusted
   server.

   Now the attacking program tells Shimomura's obedient
   workstation to trust everyone. It issues the simple UNIX
   "Echo" command to instruct Shimomura's workstation to trust
   the entire Internet. At that point, Shimomura's personal
   and government files are open game to the world. It's more
   than a humiliating blow to the security expert. By making
   Shimomura's machine accessible from any Internet site, the
   intruder has masked his own location. He can return from
   anywhere.

   The hacker can't believe his good luck. The attack is only
   successful because Shimomura has not disabled the "R"
   commands, three basic commands that allow users to remotely
   log-in or execute programs without a password. Tens of
   thousands of security-conscious Internet sites,
   representing well over a million users, routinely block
   access to the R commands to avoid their well-publicized
   abuse by hackers.

   It takes a few keystrokes and about thirty seconds to shut
   off the R commands on an Internet server. You don't even
   have to turn off the machine.

   Why didn't Shimomura do it?

                               . . .

   Mitnick laughs. "He's [Shimomura's] not happy. I have
   nothing to do with it. I'm just telling you what I hear
   through the grapevine."

   [Littman] "Who do you think might have done it?" I ask 
   the likely suspect. "How did he figure it out himself?"

   "He [Shimomura] realized that somebody had edited his
   wrapper log, which shows incoming connections. Somebody
   actually modified those logs, and then he was able to
   reconstruct what happened through these logs that were
   mailed to another site unbeknownst to the intruder."

   Mitnick's actually telling me the evidence Shimomura
   collected to figure out the attack. The wrapper is supposed
   to control connections to Shimomura's server and log all
   connection attempts. It failed to protect Shimomura but
   still it logged the hacker's spoofed connection, and a copy
   of the log was e-mailed off-site.

   "So you were asking me if there's a secure e-mail site?"
   Mitnick continues, his voice suddenly hard. "My answer is
   no. This guy in my estimation is the brightest in security
   on the whole Internet. He blows people like Neil Clift
   away. I have a lot of respect for this guy. 'Cuz I know a
   lot about him. He doesn't know anything about me,
   hopefully, but he's good.

   "On the Internet, he's one of the best in the world."

   [pp. 222-25]
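   [Added example, not code from Littman's book or from Shimomura's
   own analysis: a small Python model of the attack narrated above,
   with both sides of the exchange. The victim hands out initial
   sequence numbers that grow by 128,000 per connection (the figure
   the text gives); the attacker probes that pattern with twenty real
   connections, then sends a SYN and a blind ACK forged from the
   trusted server's address and rides the "echo + + >> ~/.rhosts"
   command along. It also covers the two conditions the narrative
   mentions: if the trusted server is not busied out, its RST kills
   the forged connection, and if the victim hands out random ISNs
   there is no pattern to find. Host names (workstation, server,
   toad) are placeholders, not the machines in the story.]

```python
# Added example (not from Littman's book or Shimomura's analysis): a model of
# the TCP sequence-number prediction + IP spoofing attack narrated above.
import random
from dataclasses import dataclass

MASK = 0xFFFFFFFF                       # TCP sequence numbers are 32-bit
RSH_CMD = b"echo + + >> ~/.rhosts"      # the "Echo" command the text refers to

@dataclass
class Packet:
    src: str
    dst: str
    flags: str                          # "SYN", "SYN-ACK", "ACK" or "RST"
    seq: int = 0
    ack: int = 0
    payload: bytes = b""

def linear_isn(start=0x1000_0000, step=128_000):
    """ISN generator the attack relies on: each connection gets last + step."""
    state = {"isn": start}
    def next_isn():
        state["isn"] = (state["isn"] + step) & MASK
        return state["isn"]
    return next_isn

def random_isn(seed=None):
    """Hardened generator: no pattern to find (real stacks use a keyed hash)."""
    return lambda rng=random.Random(seed): rng.getrandbits(32)

class TrustedHost:
    """Server the victim trusts via .rhosts. An unsolicited SYN-ACK normally
    draws an RST that kills the forged connection; flooded=True = busied out."""
    def __init__(self, addr, flooded):
        self.addr, self.flooded = addr, flooded

    def receive(self, pkt):
        if self.flooded or pkt.flags != "SYN-ACK":
            return None
        return Packet(self.addr, pkt.src, "RST", seq=pkt.ack)

class VictimHost:
    """Victim's TCP stack plus an rshd that honours .rhosts."""
    def __init__(self, addr, trusted, isn_gen):
        self.addr, self.trusted, self.next_isn = addr, set(trusted), isn_gen
        self.half_open = {}             # peer -> our ISN, awaiting its ACK
        self.rhosts = []                # lines the intruder gets appended
    def is_trusted(self, peer):
        return self.trusted is None or peer in self.trusted   # None = "+ +"
    def receive(self, pkt):
        if pkt.flags == "SYN":
            isn = self.next_isn()
            self.half_open[pkt.src] = isn
            return Packet(self.addr, pkt.src, "SYN-ACK", seq=isn, ack=(pkt.seq + 1) & MASK)
        if pkt.flags == "RST":
            self.half_open.pop(pkt.src, None)
            return None
        if pkt.flags == "ACK":
            isn = self.half_open.pop(pkt.src, None)
            if isn is None or pkt.ack != (isn + 1) & MASK:
                return Packet(self.addr, pkt.src, "RST")        # wrong guess
            if self.is_trusted(pkt.src) and pkt.payload == RSH_CMD:
                self.rhosts.append("+ +")
                self.trusted = None     # every host on the net is now trusted
        return None

def probe_isn_pattern(victim, attacker_addr, n=20):
    """Open n real (unspoofed) connections; return the ISNs and their deltas."""
    isns = []
    for i in range(n):
        synack = victim.receive(Packet(attacker_addr, victim.addr, "SYN", seq=1000 + i))
        isns.append(synack.seq)
        victim.receive(Packet(attacker_addr, victim.addr, "RST"))   # tidy up
    return isns, [(b - a) & MASK for a, b in zip(isns, isns[1:])]

def predict_next_isn(isns, deltas):
    """All deltas identical -> next ISN is last + delta; otherwise give up."""
    return (isns[-1] + deltas[0]) & MASK if len(set(deltas)) == 1 else None

def spoof_trust(victim, trusted, attacker_addr):
    """Run the whole attack against `victim`; return a short status string."""
    guess = predict_next_isn(*probe_isn_pattern(victim, attacker_addr))
    if guess is None:
        return "isn unpredictable"
    # 1. Forged SYN from the trusted server's address; its SYN-ACK goes to
    #    the real trusted host, never to the attacker.
    synack = victim.receive(Packet(trusted.addr, victim.addr, "SYN", seq=0x1000))
    stray = trusted.receive(synack)
    if stray is not None:
        victim.receive(stray)           # an un-flooded server resets it
    # 2. Blind ACK with the predicted number, the rsh command riding along.
    rst = victim.receive(Packet(trusted.addr, victim.addr, "ACK", seq=0x1001,
                                ack=(guess + 1) & MASK, payload=RSH_CMD))
    if rst is not None:
        return "victim reset the forged connection"
    return "rhosts opened" if victim.is_trusted(attacker_addr) else "no effect"

if __name__ == "__main__":
    for gen, flooded in ((linear_isn(), True), (linear_isn(), False), (random_isn(1), True)):
        v = VictimHost("workstation", {"server"}, gen)
        print(spoof_trust(v, TrustedHost("server", flooded), "toad"))
```

   Running it prints "rhosts opened", "victim reset the forged
   connection" and "isn unpredictable" for the three cases. The
   second case is why the flurry of packets at the trusted server
   matters: without it the server answers the stray SYN-ACK with an
   RST and the half-open connection is gone before the blind ACK
   arrives. The third case is the fix TCP stacks adopted afterwards
   (unpredictable ISNs, RFC 6528); the fix the text itself names,
   turning off the R commands, removes rshd from the picture
   entirely, so no forged connection has anything to talk to.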

   -----

   [KM] "I don't know what his motive is. I don't know
   the man at all. Alls I know is he's very technical and he's
   very good at what he does. He's in the top five."

   [JL] "What makes Shimomura so good?"

   [M] "When someone penetrates his system he knows what to
   look for. When you compile a program, it uses external
   files and libraries. This is the type of guy that would
   look at the access times of the files to try to figure out
   what type of program somebody was compiling. The guy's
   sharp."

   On UNIX systems it's possible to tell the last time a file
   was read. Mitnick's guessing that Shimomura could determine
   the type of application that was compiled (converted into
   the computer's most basic machine language) by examining
   the date stamps in certain system directories. He's also
   acknowledging he knows that the intruder compiled a program
   while he was on Shimomura's machine.

   Once again, Kevin Mitnick seems to have an amazing amount
   of detail on how Shimomura analyzes an attack.

   [M] "He's just very good at -- well, he's a spook. What do
   you expect? This is only what I hear in the grapevine." ...

   [L] "But does the grapevine say he's primarily a spook?"

   [M] "Unknown. He's good in security and he consults with
   companies like Trusted Information Systems, the people that
   develop Internet firewalls, and a lot of people in D.C.
   and the Virginia area."

   Trusted Information -- the name strikes a bell. Markoff
   quoted someone from Trusted Information in his front-page
   "Data Threat" article.

   [L] "Where is Trusted Information?"

   [M] "Oh, in Maryland, 301 area code. Baltimore, I believe."

   [L] "What are some of the Virginia companies Shimomura
   works with?"

   [M] "I just have the phone numbers," Mitnick reveals
   casually. "I haven't called them yet to see."

   [pp. 252-53]
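   [Added example, not the book's or Shimomura's code: the
   access-time check Mitnick describes above, in Python. It builds a
   constructed, fake /usr/include and /usr/lib tree in a temporary
   directory, stamps a few files as read inside the intrusion window,
   then lists what was read and what that hints about the program
   that was compiled. The header-to-purpose table is my own
   assumption for the demo, not any standard mapping.]

```python
# Added example (not from the book or from Shimomura): infer what was compiled
# from file access times. The directory tree and the HINTS table are constructed
# for this demo; the tree lives in a temporary directory.
import os
import tempfile
from pathlib import Path

HEADERS = ["stdio.h", "stdlib.h", "string.h", "unistd.h", "sys/socket.h",
           "netinet/in.h", "netinet/ip.h", "netinet/tcp.h", "arpa/inet.h",
           "curses.h", "pcap.h"]
LIBS = ["libc.a", "libpcap.a", "libcurses.a"]

# What reading a given file during a compile suggests (assumption, not a standard).
HINTS = {
    "usr/include/netinet/ip.h": "builds raw IP headers",
    "usr/include/netinet/tcp.h": "builds TCP headers",
    "usr/include/pcap.h": "captures packets (libpcap)",
    "usr/lib/libpcap.a": "links against libpcap",
    "usr/include/curses.h": "terminal UI (curses)",
}
DAY = 86400

def build_fixture(root, touched, t0):
    """Create the tree. Files in `touched` get an access time shortly after
    t0 (the intruder's compile); everything else looks a month old."""
    for rel in HEADERS + LIBS:
        p = Path(root, "usr", "include" if rel.endswith(".h") else "lib", rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("")
        atime = t0 + 90 if rel in touched else t0 - 30 * DAY
        os.utime(p, (atime, t0 - 30 * DAY))   # (atime, mtime): a read only moves atime

def files_accessed_between(root, start, end):
    """Walk the tree using stat() only (stat does not bump atime) and return
    the files whose last read falls inside [start, end]."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = Path(dirpath, name)
            if start <= p.stat().st_atime <= end:
                hits.append(p.relative_to(root).as_posix())
    return sorted(hits)

def characterise(hits):
    """Turn the touched-file list into 'what type of program was compiled'."""
    return sorted({HINTS[h] for h in hits if h in HINTS})

def run_demo():
    """Build the fixture, query a ten-minute window after t0, return both results."""
    t0 = 1_000_000_000.0          # arbitrary fixed "intrusion time"
    with tempfile.TemporaryDirectory() as root:
        build_fixture(root, {"stdio.h", "sys/socket.h", "netinet/in.h",
                             "netinet/ip.h", "netinet/tcp.h", "libc.a"}, t0)
        hits = files_accessed_between(root, t0, t0 + 10 * 60)
        return hits, characterise(hits)

if __name__ == "__main__":
    hits, verdict = run_demo()
    print("\n".join(hits))
    print(verdict)
```

   The caveats a practitioner would want: many modern mounts use
   noatime or relatime, so the access time may not be maintained at
   all; a backup, an indexer or a stray recursive grep touches every
   file and floods the window; and an intruder can put the times back
   with touch or utime, exactly as the fixture above sets them. Access
   times corroborate a timeline, they do not prove one.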

   -----


   Why not ask John Markoff about the real reason he called me
   twice this morning?

   So I ask him about the Shimomura Newsweek story, and the
   odd reference to cellular phones. He comes back with a
   stunning revelation.

   "Somebody hit a different Tsutomu machine last summer and
   the NSA was pissed," Markoff tells me. "They freaked out.
   There's no question about it."

   Why didn't he mention this in his New York Times stories?
   Why create the false appearance Shimomura was first hacked
   Christmas Day?

   "But it was a different machine?" I ask.

   "Am I being interviewed here?"

   It strikes me as an odd question. Markoff was the one who
   called me twice in the space of an hour. Who's interviewing
   whom?

   "Let's get on the same wavelength," Markoff suggests. "I'm
   glad to share this stuff with you, but I want to know where
   it's going to show up. 'Cuz I'm pretty close to Shimo and
   it's an issue for me."

   Before I can respond, he starts talking about Shimomura
   again.

   "I wrote that profile of Tsutomu because after I mentioned
   him in the bottom of my story ["Data Threat"] I basically
   outed him and a million reporters were all over him."

   "He wasn't happy about that?"

   "No, Tsutomu loves it," Markoff says. "He's playing his own
   games.

   "I'II tell you it's unclear what was taken [referring to
   the Christmas hack], and point two, I can send you a public
   posting by an Air Force information warfare guy who
   described what was taken and their assessment of the
   damage.

   "And there are lots of little snips of code that a
   brilliant hacker could probably use. But Tsutomu's mind
   works in very cryptic ways. It's not clear that without
   Tsutomu you're going to be able to do anything with it.

   "Now in this break-in I don't actually think a lot of stuff
   was taken."

   This break-in? Just how many times was Shimomura hacked
   before Christmas?

   But I ask a different question. "Why would an Air Force guy
   post something?"

   "Oh, Tsutomu," Markoff casually replies. "He produced a lot
   of software for the Air Force."

   "Where would he post this?"

   "Oh, to a mailing list. A lot of people were concerned
   about what was taken from his [Shimomura's] machine. What
   they [the hacker] got was a lot of his electronic mail.
   Some of it's kind of embarrassing. [But] I don't think
   people are going to find new ways to attack the network
   based on this particular attack.

   "There is another issue," Markoff cautions in a serious
   tone.

   "Tsutomu is a very sharp guy, and it is not impossible that
   that was a bait machine, which is why I stayed away from
   the issue."

   Is Markoff implying Shimomura, a rumored NSA spy, laid a
   trap? And what about Markoff's New York Times articles?
   Were they part of the trap, too?

   "Think about it for a second," Markoff pauses dramatically.
   "And you get into this wilderness-of-mirrors kind of world.
   And a lot of people that are writing don't know everything,
   and I don't know everything.

   "I've been protecting him [Shimomura] for five years. I get
   the profile and the [Wall Street] Journal is on him. They
   don't know how close he is to the military. It would make
   perfect sense. Who knows what's on the code? The guy is in
   the counterintelligence business."

   [pp. 258-60]