1996 Congressional Hearings
Intelligence and Security


SECURITY IN CYBERSPACE

U.S. SENATE
PERMANENT SUBCOMMITTEE ON INVESTIGATIONS
(Minority Staff Statement)
JUNE 5, 1996


APPENDIX B

THE CASE STUDY:
ROME LABORATORY,
GRIFFISS AIR FORCE BASE, NY INTRUSION

The following case study is a good illustration of the type of threat facing our Department of Defense information infrastructure. Although the incident has been fully investigated by the Air Force Office of Special Investigations (OSI), numerous questions remain unanswered.

On March 28, 1994, computer systems administrators at Rome Air Development Center, Griffiss Air Force Base, New York, ("Rome Labs") discovered their network had been penetrated and compromised by an illegal wiretap computer program called a "Sniffer"1 that had been covertly installed on one of the systems connected to the Rome Lab network. Rome Lab is the Air Force's premier command and control research facility. Its projects include artificial intelligence systems, radar guidance systems, and target detection and tracking systems. Rome Labs works with academic institutions, commercial research facilities, and Defense contractors.

Upon detecting the sniffer, the Rome Labs systems administrator immediately notified the Defense Information Systems Agency (DISA) that several computers at the Rome Labs had been penetrated electronically by unknown intruder(s). The Defense Information Systems Agency has a Computer Emergency Response Team (CERT) of computer security experts that assist Department of Defense systems administrators when they have a computer security incident.

The DISA CERT team, recognizing the severity of the incident, notified the Air Force Office of Special Investigations (AFOSI) of the intrusion. Agents from AFOSI notified the Air Force computer security experts at the Air Force Information Warfare Center, San Antonio, Texas.2

1 A sniffer is covertly installed on computer networks by hackers to illegally collect user logons of authorized users. Generally sniffers collect the first 128 characters of each new user's logon. The first 128 characters of a user session usually contain the network address information of the computer system the user wants to log onto and then their private logon and password. These sniffers will capture this sensitive information in a file that is hidden from most systems administrators making it very difficult to find even when an expert knows what to look for. The hacker periodically comes back (electronically) and reads the sniffer file of captured user logons. The hacker can then masquerade as any of those authorized users that had their logon and password captured.

2 The Air Force Information Warfare Center has the Air Force's Computer Emergency Response Team (AFCERT) which receives all AF computer security incident reports. The Air Force responded by sending multi-disciplined teams from the Air Force Information Warfare Center (AFIWC), Air Intelligence Agency, and a team of AFOSI Computer Crime Investigators. The computer security experts from AFCERT performed three functions at Rome Labs: 1) assist in the assessment and extent of compromise of the Rome Lab's systems, 2) secure systems, and 3) provide computer surveillance support for AFOSI's Computer Crime Investigators.



The team of security experts and Computer Crime Investigators traveled to Rome Labs and proceeded to review audit trails and interview systems administrators and witnesses. Their preliminary investigation revealed that two unknown individuals had: electronically penetrated seven of the computer systems at Rome Labs and gained complete access to all of the information residing on the systems; downloaded (copied) data files; and installed sniffer software programs on each of the seven systems.

These seven sniffer programs compromised a total of 30 of Rome Labs's systems. These systems contain sensitive research and development data. The computer system security logs revealed that Rome Labs systems had initially been penetrated on March 23, 1994, but were not discovered until five days later (March 28).

The investigation revealed that the seven sniffer programs compromised over 100 additional user accounts by capturing user logons and passwords. Users' e-mail was read, copied and deleted. Sensitive unclassified battlefield simulation program data was read and copied.

After the attackers had compromised all of the 30 systems at Rome Labs, the intruders used Rome Labs systems as an Internet launching platform to attack other military, government, commercial, and academic systems world-wide, compromising user accounts, installing sniffer programs, and downloading large volumes of data from penetrated systems.

The assembled investigative team briefed the Rome Labs Commander, who was given the option of securing all of the systems that had been penetrated by the attackers, or leaving one or more of the compromised systems open to attack so the agents could attempt to trace the path of the attacks back to their origin and identify the attackers. The commander opted to leave some of the systems open for the agents, but the majority of the 30 compromised computer systems were secured.

Using standard software and computer systems commands the attacks were initially traced back one leg of their path. The majority of the attacks were traced back to two commercial Internet providers,3 cyberspace.com, in Seattle, Washington and mindvox.phantom.com, in New York. Newspaper articles indicated that mindvox.phantom.com's computer security was provided by individuals that described themselves as "two former East-Coast Legion of Doom members". The Legion of Doom is a loose-knit computer hacker group which had several members convicted for intrusions into corporate telephone switches in 1990 and 1991.

Because the agents did not know whether the owners of the New York Internet provider were willing participants or merely a transit point for the break-ins at Rome Labs, they decided to surveil the victim computer systems to find out the extent of the access of the intruders and identify all of the victims. Following legal coordination and approval with Headquarters AFOSI's legal counsel, the Air Force General Counsel's Office and Department of Justice, Computer Crime Unit, real time content monitoring was established on one of the Rome Labs's networks. Real time content monitoring is analogous to performing a Title III wiretap as it allows you to eavesdrop on communications, or in this case text. The investigative team also began full "keystroke monitoring"4 at Rome. A sophisticated sniffer program was installed by the team to capture every keystroke of any intruder who entered the Rome Labs's system.5 Additionally, limited context monitoring of the commercial Internet providers was also performed remotely. This limited context monitoring consisted of subscribing to the commercial Internet providers' service and utilizing only software commands and utilities the Internet provider authorized every subscriber to use.

3 An Internet provider is a subscription service provided by a commercial company. In this case, the company had computers that were connected to the Internet and a bank of telephone lines connected to their computer system that can be accessed from a home or office computer via modem. Once a subscriber accesses the company's computer system he or she can store data on their systems, utilize their reference library or use programs that reside on their system. In addition the service provider gives you connectivity to the Internet.

The path of the intruders could only be traced back one leg. To determine the next leg of the intruders' path required access to the next system along the hacker's route. If the attacker was utilizing telephone systems to access the Internet provider, a court ordered "trap and trace" of telephone lines was required. Due to the time constraints involved in obtaining such an order, it was not a viable option. Furthermore, if the attacker changed their path the trap and trace would not be fruitful.

During the course of the intrusions, the investigative team monitored the hackers as they intruded on the system, attempting to trace the intruders back to their origin. They found the intruders were using the Internet and making fraudulent use of the telephone systems, or "phone phreaking."6 Because the intruders used multiple paths to launch their attacks, the investigative team was unable to trace back to the origin in real time due to the difficulty in tracing back multiple systems in multiple countries. Subsequent reviews of the surveillance logs revealed that on March 30, 1994, systems of the Army Corps of Engineers, Vicksburg, Mississippi were attacked from Rome Lab's systems. Additionally, from the monitoring, the investigators were able to determine the hackers used the nicknames Datastream and Kuji.

AFOSI Computer Crime Investigators turned to their human intelligence network of informants that "surf the Internet". The investigators levied their informants to identify the two hackers using the handles Datastream and Kuji. On April 5, 1994, an informant told the investigators he had a conversation with a hacker that identified themselves as Datastream Cowboy. The conversation was via E-Mail and the individual stated that he was from the United Kingdom. The on line conversation had occurred three months prior. In the E-Mail provided by the informant, Datastream indicated he was a 16 year old from the United Kingdom who liked to attack ".MIL"7 sites because they were so insecure. Datastream even provided the informant with his home telephone number for his own hacker bulletin board system he had established.8

4 Keystroke monitoring is the capturing of predetermined data typed by a user that is logged into a system. Keystroke monitoring usually captures every keystroke typed by every user logged into the system. Keystroke monitoring is an electronic surveillance equivalent to a wiretap.

5 Since the Rome Lab had previously installed a logon warning banner putting all users on notice that the system was for "Official Use Only", was monitored for security purposes, and "Use of the system constituted consent to monitoring", a court order was not required. The surveillance could commence with only the approval of the AF's General Counsel's office.

6 Phone phreaking is a subset of computer hacking and involves hacking of the telephone systems to make fraudulent phone calls, or manipulate the telephone systems. Phone phreakers can install calling features like caller-id, call waiting, make conference calls, zero out billing records, etc.

The Air Force Agents had previously established liaison with New Scotland Yard who were able to identify the individuals residing at the residence associated with Datastream's telephone numbers. New Scotland Yard had British Telecom initiate monitoring (pen registers) of the individual's telephone lines. A pen register recorded all of the numbers dialed by the individuals at the residence. Almost immediately that monitoring disclosed that someone from the residence was phone phreaking through British Telecom, which is also illegal in the United Kingdom.

New Scotland Yard found that every time there was an intrusion at Rome Labs, the individual in the UK was phone phreaking the telephone lines to make free telephone calls out of the UK. Originating from the UK, his path of attack was through systems in multiple countries in South America, multiple countries in Europe, and also through Mexico and Hawaii, and would occasionally end up at Rome Labs. From Rome Labs he was able to attack systems via the Internet at NASA's Jet Propulsion Laboratory in California and their Goddard Space Flight Center in Greenbelt, MD.

Continued monitoring by the UK and U.S. authorities disclosed that on April 10, 1994, Datastream successfully penetrated an aerospace contractor's home system that had been compromised at Rome Labs by the installation of the sniffers. The attackers captured the logon of the contractors at Rome Labs with their sniffer programs when the contractor would log onto their home systems in California and Texas. The sniffer would capture the address of their home system, plus that contractor's logon and password for that home system. Once the logon and password were compromised, the attackers could masquerade as that authorized user on the contractor's home system. Four of the contractor's systems were compromised in California and a fifth in Texas.

Datastream also utilized an Internet Scanning Software attack on multiple systems of this aerospace contractor. The Internet Scanning Software is a hacker tool developed to gain intelligence about a system. It will attempt to collect information on the type of operating system the computer is running and any other available information that could be used to assist the attacker in determining what attack tool might successfully break into that particular system. The software also tries to locate the password file for the system being scanned and then tries to make a copy of that password file. The significance of the theft of a password file is that even though password files are usually stored encrypted, they are easily decrypted. There are several hacker "password cracker" programs available on the Internet. If a password file is stolen/copied and cracked, the attacker can then log onto that system as what the system perceives is a legitimate user.

7 ".MIL" is a suffix attached to many military Internet addresses.

8 Hackers commonly set up bulletin boards that serve as open access repositories of information they wish to disseminate to the Internet community.

Monitoring activity disclosed, on April 12, that Datastream initiated an Internet Scanning Software attack from Rome Labs against Brookhaven National Labs, Department of Energy, New York. Datastream also had a two hour connection with the aerospace contractor's system previously compromised.

On April 14, remote monitoring activity of the Seattle Internet provider, cyberspace.com, by the Air Force, indicated Kuji connected to the Goddard Space Flight Center, Greenbelt, Maryland, through the Internet provider and from Latvia. The monitoring disclosed data was being transferred from Goddard Space Flight Center to the Internet provider. In order to prevent the loss of sensitive data, the monitoring team broke the connection. It is still unknown if the data being transferred from the National Aeronautics and Space Administration (NASA) system was destined for Latvia.

Further remote monitoring activity of the Seattle Internet provider, cyberspace.com, disclosed Datastream accessing the National Aero-Space Plane Joint Program Office, a joint project headed by NASA and the Air Force at Wright-Patterson AFB, Ohio. Monitoring disclosed a transfer of data from Wright-Patterson AFB traversing through cyberspace.com to Latvia. Apparently, Datastream attacked and compromised a system in Latvia which was just being used as a conduit to prevent identification.

Kuji also initiated an Internet Scanning Software attack against Wright-Patterson AFB, from the Internet provider in Seattle, Washington, the same day. The theft of a password file from a computer system at Wright-Patterson AFB was also attempted.

On April 15, real time monitoring disclosed Kuji executing the Internet Scanning Software against NATO Headquarters in Brussels, Belgium and Wright-Patterson AFB, OH, from Rome Labs. Kuji did not appear to gain access to any NATO systems from this particular attack. However, a systems administrator from SHAPE Technical Center (NATO Headquarters), The Hague, Netherlands was interviewed, on April 19, by AFOSI and disclosed Datastream had successfully attacked one of SHAPE's computer systems from the Internet provider in New York, mindvox.phantom.com.

Once they confirmed the hacker's identity, and developed probable cause, New Scotland Yard requested and was authorized a search warrant for the residence of Datastream. The plan was to wait until the individual was on line, at Rome Labs, and then execute the search warrant. The investigators wanted to catch Datastream on line so they could identify all of the victims in the path between his residence and Rome Labs. Once Datastream got on-line at Rome Labs, they found that he suddenly accessed a system in Korea and logically9 obtained all of the data stored on the Korean Atomic Research Institute system and deposited it on Rome Lab's system. Initially it was unclear whether the Korean systems belonged to North Korea or South Korea. The concern was that if it was North Korea, the North Koreans would think the logical transfer of the storage space was an intrusion by the US Air Force, which could be perceived as an aggressive act of war. During this time frame, the U.S. was in sensitive negotiations with the North Koreans regarding their nuclear weapons program. Within hours, it was determined that Datastream had hacked into the South Korean Atomic Research Institute. At this point, New Scotland Yard decided to expand their investigation and requested the Air Force to continue to monitor and collect evidence in support of their investigation and postponed execution of the search warrant.

On May 12, New Scotland Yard executed their search warrant on Datastream's residence. The search disclosed Datastream had launched his attacks with only a 25 MHz, 486 SX desktop computer with only a 170 megabyte hard drive. This is a very modest system that is very slow with very limited storage capacity.10 Datastream had numerous documents which contained references to Internet addresses, including six NASA systems, US Army and US Navy systems, with instructions on how to loop through multiple systems to avoid detection.

At the time of the search, Datastream was arrested and interviewed by New Scotland Yard detectives. Detectives stated Datastream had just logged out of a computer system when they entered his room. Datastream admitted to breaking into Rome Labs numerous times as well as multiple other Air Force systems (Hanscom AFB, Massachusetts, and Wright-Patterson AFB, Ohio). Datastream admitted to stealing a sensitive document containing research regarding Air Force artificial intelligence. He added he searched for the word "missile", not to find missile data but to find information specifically about artificial intelligence. He further explained that one of the files he stole was a 3-4 megabyte file (3-4 million characters in size) and he stored it at the Internet provider's system in New York (mindvox.phantom.com). He stored it at the Internet provider's system because it was too large to fit on his home system. This file was an artificial intelligence program that dealt with Air Order of Battle. Datastream explained he paid for the Internet provider's service with a fraudulent credit card number which was generated by a hacker program he had found on the Internet. Datastream was released on bail following the interview.

The investigation never revealed the identity of Kuji. From conduct observed through the investigators' monitoring, Kuji was a far more sophisticated hacker than the 16 year old Datastream. Air Force investigators were able to observe that Kuji would only stay on a telephone line a short time, not long enough to be traced successfully. There was no informant information available except that Computer Crime Investigators from the Victorian Police Department in Australia had seen the name Kuji on some of the hacker Bulletin Board Systems in Australia. Unfortunately, Datastream provided a great deal of the information he stole to Kuji electronically.

9 When a user logically picks up data, he or she is adding remote disk storage that will be accessed by their own system as if it were physically located inside their own system.

10 Computers sold off the shelf today, just 2 years later, are significantly more powerful with over 100 MHz Pentium processors and well over 1 gigabyte of disk storage capacity.

Furthermore, Kuji appears to have tutored Datastream on how to break into networks and on what information to obtain. During the monitoring, the investigative team could observe Datastream attack a system and fail to break in. Datastream would then get into on-line "chat sessions"11 with Kuji which the investigative team could not see due to the limited context monitoring at the Internet providers. These chat sessions would last 20-40 minutes. Following the on-line conversation the investigative team would then watch Datastream attack the same system he had previously failed to penetrate, but this time he would be successful. Apparently Kuji assisted and mentored Datastream and, in return, received from Datastream stolen information. Datastream, when interviewed by New Scotland Yard's Computer Crime Investigators, told them he had never physically met Kuji and only communicated with him through the Internet or on the telephone. Nobody knows what Kuji did with this information or why it was being collected. In addition it is not known where Kuji resides. During the 26 day period of attacks, there were over 150 known intrusions by the two hackers, Datastream Cowboy and Kuji.

A damage assessment of the intrusions into the Rome Lab's systems was conducted on October 31, 1994. The assessment indicated a total loss to the United States Air Force of $211,722. This cost did not include the costs of the investigative effort or the recovery and monitoring team. No other federal agencies that were victims of the hackers, including NASA and the Bureau of Reclamation, conducted damage assessments. The General Accounting Office conducted an additional damage assessment at the request of Senator Sam Nunn. (See GAO Report Information Security, Computer Attacks at Department of Defense Pose Increasing Risks.)

Datastream is pending prosecution in the UK. Numerous aspects of this investigation remain unsolved:

11 Chat sessions are text conversations that occur between users on the Internet who type their conversations in real time versus talking over voice telephone lines.

