MONEY INC DIGEST # 31
02/17/95

***>$ MONEY INC $<*** presents:

"The Flight And Fall Of Condor"

Ok, here's a bunch of posts and clippings regarding the arrest of Kevin Mitnick. It is by no means a definitive guide. It is merely a compilation of mail sent to me over the past few days to inform others of and to clear up various rumors regarding the arrest of Condor.

-Sonic Fury
***>$ Money Inc $<***

$$$$$$$$$< SNIP >$$$$$$$$$$$$$$$$$< SNIP >$$$$$$$$$$$$$$$$$< SNIP >$$$$$$$$$$$

-----------------------------------------------------
Slippery cybervandal caught in his own electronic web
-----------------------------------------------------
New York Times

RALEIGH, N.C. (9:05 p.m.) -- After a search of more than two years, a team of FBI agents early Wednesday morning captured a 31-year-old computer expert accused of a long crime spree that includes the theft of thousands of data files and at least 20,000 credit card numbers from computer systems around the nation.

The arrest of Kevin D. Mitnick, one of the most wanted computer criminals, followed a 24-hour stakeout of a Raleigh apartment building here.

A convicted computer felon on the run from federal law enforcement officials since November 1992, Mitnick has used his sophisticated skills over the years to worm his way into many of the nation's telephone and cellular telephone networks and vandalize government, corporate and university computer systems. Most recently, he had become a suspect in a rash of break-ins on the global Internet computer network.

"He was clearly the most wanted computer hacker in the world," said Kent Walker, an assistant U.S. attorney in San Francisco who helped coordinate the investigation. "He allegedly had access to corporate trade secrets worth billions of dollars. He was a very big threat."

But federal officials say Mitnick's confidence in his hacking skills may have been his undoing.
On Christmas Day, he broke into the home computer of a computer security expert, Tsutomu Shimomura, a researcher at the federally financed San Diego Supercomputer Center. Shimomura then made a crusade of tracking down the intruder, an obsession that led to Wednesday's arrest.

It was Shimomura, working from a monitoring post in San Jose, Calif., who determined last Saturday that Mitnick was operating through a computer modem connected to a cellular telephone somewhere near Raleigh, N.C. Sunday morning, Shimomura flew to Raleigh, where he helped telephone company technicians and federal investigators use cellular-frequency scanners to home in on Mitnick.

Mitnick was arrested at 2 o'clock Wednesday morning in his apartment in the Duraleigh Hills neighborhood of northwest Raleigh, after FBI agents used their scanners to determine that Mitnick, in keeping with his nocturnal habits, had connected once again to the Internet.

Shimomura was present Wednesday at Mitnick's pre-arraignment hearing at the federal courthouse in Raleigh. At the end of the hearing, Mitnick, who now has shoulder-length brown hair and was wearing a black sweat suit and handcuffs, turned to Shimomura, whom he had never met face to face.

"Hello, Tsutomu," Mitnick said. "I respect your skills."

Shimomura, who is 30 and also has shoulder-length hair, nodded solemnly.

Mitnick, already wanted in California for a federal parole violation, was charged Wednesday with two federal crimes. The first, illegal use of a telephone access device, is punishable by up to 15 years in prison and a $250,000 fine. The second charge, computer fraud, carries potential penalties of 20 years in prison and a $250,000 fine. Federal prosecutors said they were considering additional charges related to Mitnick's reported Internet spree.

Federal officials say Mitnick's motives have always been murky. He was recently found to have stashed thousands of credit card numbers on computers in the San Francisco Bay area -- including the card numbers of some of the best-known millionaires in Silicon Valley. But there is no evidence yet that Mitnick had attempted to use those credit card accounts.

Indeed, frequently ignoring the possibility of straightforward financial gain from the information he has stolen, Mitnick has often seemed more concerned with proving that his technical skills are better than those whose job it is to protect the computer networks he has attacked.

Federal officials say the arrest of Mitnick does not necessarily solve all the recent Internet crimes, because his trail of electronic mail has indicated that he may have accomplices. One of them is an unknown computer operator, thought to be in Israel, with whom Mitnick has corresponded electronically and boasted of his Internet exploits, investigators said.

Still, the capture of Mitnick gives the FBI custody of a notoriously persistent and elusive computer break-in expert.

Raised in the San Fernando Valley near Los Angeles by his mother, Mitnick has been in and out of trouble with the law since 1981. It was then, as a 17-year-old, that he was placed on probation for stealing computer manuals from a Pacific Bell telephone switching center in Los Angeles.

Those who know Mitnick paint a picture of a man obsessed with the power inherent in controlling the nation's computer and telephone networks.

The recent break-ins he is accused of conducting include forays into computer systems at Apple Computer Inc. and Motorola Inc. and attacks on commercial services that provide computer users with access to the Internet, including the Well in Sausalito, Calif., Netcom in San Jose, Calif., and the Colorado Supernet, in Boulder, Colo.

To make it difficult for investigators to determine where the attacks were coming from, Mitnick is said to have used his computer and modem to manipulate a local telephone company switch in Raleigh to disguise his whereabouts.

In recent weeks, as an elite team of computer security experts tightened an invisible electronic net around the fugitive, Mitnick continued to taunt his pursuers, apparently unaware of how close they were to capturing him.

About 10 days ago, for example, someone whom investigators believe to have been Mitnick left a voice-mail message for Shimomura, a Japanese citizen. The message reprimanded Shimomura for converting the intruder's earlier voice-mail messages into computer audio files and making them available on the Internet.

"Ah Tsutomu, my learned disciple," the taunting voice said. "I see that you put my voice on the Net. I'm very disappointed, my son."

But the continued attempts at one-upmanship simply gave the pursuers more electronic evidence.

"He was a challenge for law enforcement, but in the end he was caught by his own obsession," said Kathleen Cunningham, a deputy marshal for the U.S. Marshals Service who has pursued Mitnick for several years.

Mitnick first came to national attention in 1982 when, as a teen-age prank, he used a computer and a modem to break into a North American Air Defense Command computer. He subsequently gained temporary control of three central offices of telephone companies in New York City and all the phone switching centers in California. This gave him the ability to listen in on calls and pull pranks like reprogramming the home phone of someone he did not like so that each time the phone was picked up, a recording asked for a deposit of a coin.

But the break-ins escalated beyond sophomoric pranks. For months in 1988, Mitnick secretly read the electronic mail of computer security officials at MCI Communications and Digital Equipment Corp., learning how their computers and phone equipment were protected. Officials at Digital later accused him of causing $4 million in damage to computer operations at the company and stealing $1 million of software. He was convicted in July 1989 and sentenced to a year in a low-security federal prison in Lompoc, Calif.

One of his lawyers convinced the court that Mitnick had an addiction to computers. In July 1989, after his release from prison, he was placed in a treatment program for compulsive disorders, the Beit T'Shuvah center in Los Angeles. During his six months there, he was prohibited from touching a computer or modem. That restriction was a condition of his probation when he was released in mid-1990, and it was for reportedly violating this condition that federal officials were pursuing him when he dropped out of sight in November 1992.

In September 1993, the California Department of Motor Vehicles also issued a warrant for his arrest. The warrant stated that Mitnick had wiretapped calls from FBI agents. He then used law-enforcement access codes obtained by eavesdropping on the agents to illegally gain access to the drivers' license database in California.

Federal law enforcement officials believe that Mitnick has conducted a long string of computer and telephone network break-ins during more than two years on the run. And they say his ability to remain at large until now illustrates the new challenges that law enforcement officials face in apprehending criminals who can cloak themselves behind a curtain of forged electronic data.

------------------------------------------------------------------------------
HOW A COMPUTER SLEUTH TRACED A DIGITAL TRAIL
By John Markoff
Special to The New York Times

RALEIGH, N.C., Feb. 15 -- It takes a computer hacker to catch one. And if, as Federal authorities contend, the 31-year-old computer outlaw Kevin D.
Mitnick is the person behind a recent spree of break-ins to hundreds of corporate, university and personal computers on the global Internet, his biggest mistake was raising the interest and ire of Tsutomu Shimomura.

Mr. Shimomura, who is 30, is a computational physicist with a reputation as a brilliant cybersleuth in the tightly knit community of programmers and engineers who defend the country's computer networks. And it was Mr. Shimomura who raised the alarm in the Internet world after someone used sophisticated hacking techniques on Christmas Day to remotely break into the computers he keeps in his beach cottage near San Diego and steal thousands of his data files.

Almost from the moment Mr. Shimomura discovered the intrusion, he made it his business to use his own considerable hacking skills to aid the Federal Bureau of Investigation's inquiry into the crime spree. He set up stealth monitoring posts, and each night over the last few weeks, used software of his own devising to track the intruder, who was prowling the Internet. The activity usually began around midafternoon, Eastern time, and broke off in the early evening, then resumed shortly after midnight and continued through dawn.

The monitoring by Mr. Shimomura enabled investigators to watch as the intruder commandeered telephone company switching centers, stole computer files from Motorola, Apple Computer and other companies, and copied 20,000 credit card account numbers from a commercial computer network used by some of the world's wealthiest and savviest people.

And it was Mr. Shimomura who concluded last Saturday that the intruder was probably Kevin Mitnick, whose whereabouts had been unknown since November 1992, and that he was operating from a cellular phone network in Raleigh, N.C.

On Sunday morning, Mr. Shimomura took a flight from San Jose, Calif., to Raleigh-Durham International Airport. By 3 A.M. Monday, he had helped local telephone company investigators use cellular-frequency scanners to pinpoint Mr. Mitnick's location: a 12-unit apartment building in the northwest Raleigh suburb of Duraleigh Hills.

Over the next 48 hours, as the F.B.I. sent in a surveillance team, obtained warrants and prepared for an arrest, cellular telephone technicians from Sprint Cellular monitored the electronic activities of the person they believed to be Mr. Mitnick.

The story of the investigation, particularly Mr. Shimomura's role, is a tale of digital detective work in the ethereal world known as cyberspace.

[Another note from Bill: Go ahead and retch now. Go on. Get it out of your system. There. Feel better? Okay, let's move on. :) ]

When a Detective Becomes a Victim

On Christmas Day, Tsutomu Shimomura was in San Francisco, preparing to make the four-hour drive to the Sierra Nevada, where he spends most of each winter as a volunteer on the cross-country ski patrol near Lake Tahoe. But the next day, before he could leave for the mountains, he received an alarming call from his colleagues at the San Diego Supercomputer Center, the federally financed research center that employs him. Someone had broken into his home computer, which was connected to the center's computer network.

Mr. Shimomura returned to his beach cottage near San Diego, in Del Mar, Calif., where he found that hundreds of software programs and files had been taken electronically from his work station. This was no random ransacking; the information would be useful to anyone interested in breaching the security of computer networks or cellular phone systems. Taunting messages for Mr. Shimomura were also left in a computer-altered voice on the Supercomputer Center's voice-mail system.

Almost immediately, Mr. Shimomura made two decisions. He was going to track down the intruders. And Lake Tahoe would have to wait a while this year.

The Christmas attack exploited a flaw in the Internet's design by fooling a target computer into believing that a message was coming from a trusted source. By masquerading as a familiar computer, an attacker can gain access to protected computer resources and seize control of an otherwise well-defended computer system. In this case, the attack had been started from a commandeered computer at Loyola University of Chicago.

Though the vandal was deft enough to gain control of Mr. Shimomura's computers, he, she or they had made a clumsy error. One of Mr. Shimomura's machines routinely mailed a copy of several record-keeping files to a safe computer elsewhere on the network -- a fact that the intruder did not notice. That led to an automatic warning to employees of the Supercomputer Center that an attack was under way. This allowed the center's staff to throw the burglar off the system, and it later allowed Mr. Shimomura to reconstruct the attack.

In computer-security circles, Mr. Shimomura is a respected voice. Over the years, software security tools that he has designed have made him a valuable consultant not only to corporations, but also to the F.B.I., the Air Force and the National Security Agency.

Watching An Attack From a Back Room

The first significant break in the case came on Jan. 28, after Bruce Koball, a computer programmer in Berkeley, Calif., read a newspaper account detailing the attack on Mr. Shimomura's computer. The day before, Mr. Koball had received a puzzling message from the managers of a commercial online service called the Well, in Sausalito, Calif.

Mr. Koball is an organizer for a public-policy group called Computers, Freedom and Privacy, and Well officials told him that the group's directory of network files was taking up millions of bytes of storage space, far more than the group was authorized to use. That struck him as odd, because the group had made only minimal use of the Well. But as he checked the group's directory on the Well, he quickly realized that someone had broken in and filled it with Mr. Shimomura's stolen files.

Well officials eventually called in Mr. Shimomura, who recruited a colleague from the Supercomputer Center, Andrew Gross, and an independent computer consultant, Julia Menapace. Hidden in a back room at the Well's headquarters in an office building near Sausalito, the three experts set up a temporary headquarters, attaching three laptop computers to the Well's internal computer network.

Once Mr. Shimomura had established his monitoring system, the team had an advantage: it could watch the intruder unnoticed. Though the identity of the attacker or attackers was unknown, within days a profile emerged that seemed increasingly to fit a well-known computer outlaw: Kevin Mitnick, who had been convicted in 1989 of stealing software from Digital Equipment Corporation.

Among the programs found at the Well and at stashes elsewhere on the Internet was the software that controls the operations of cellular telephones made by Motorola, NEC, Nokia, Novatel, Oki, Qualcomm and other manufacturers. That would be consistent with the kind of information of interest to Mr. Mitnick, who had first made his reputation by hacking into telephone networks.

And the burglar operated with Mr. Mitnick's trademark derring-do. One night, as the investigators watched electronically, the intruder broke into the computer designed to protect Motorola Inc.'s internal network from outside attack, stealing the protective software itself.

Mr. Shimomura's team, aided by Mark Seiden, an expert in computer security, soon discovered that someone had obtained a copy of the credit card numbers for 20,000 members of Netcom Communications Inc., a service based in San Jose that provides Internet access. To more easily monitor the invaders, the team moved its operation last Thursday to Netcom's network operation center in San Jose.

High-Tech Tools Force an Endgame

Netcom's center proved to be a much better vantage point. To let its customers connect their computer modems to its network with only a local telephone call, Netcom provides thousands of computer dial-in lines in cities across the country. Hacking into the network, the intruder was connecting a computer to various dial-in sites to elude detection. Still, every time the intruder would connect to the Netcom network, Mr. Shimomura was able to capture the computer keystrokes.

Late last week, F.B.I. surveillance agents in Los Angeles were almost certain that the intruder was operating somewhere in Colorado. Yet calls were also coming in from Minneapolis and Raleigh.

The big break came last Saturday in San Jose, as Mr. Shimomura and Mr. Gross, red-eyed from a 36-hour monitoring session, were eating pizza. Subpoenas issued by Kent Walker, an assistant United States attorney in San Francisco, had begun to yield results from telephone company calling records. And now came data from Mr. Walker that suggested to Mr. Shimomura that calls had been placed to Netcom's dial-in site in Raleigh through a cellular telephone modem.

The calls were moving through a local switching office operated by the GTE Corporation. But GTE's records showed that the calls had looped through a nearby cellular telephone switch operated by Sprint. Because of someone's clever manipulation of the network software, the GTE switch thought that the call came from the Sprint switch, and the Sprint switch [thought] it was from GTE. Neither company had a record identifying the cellular phone.

When Mr. Shimomura called the number in Raleigh, he could hear it looping around endlessly with a "clunk, clunk" sound. He called a Sprint technician in Raleigh and spent five hours comparing Sprint's records with the Netcom log-ins. It was nearly dawn when they determined that the calls were being placed from near the Raleigh-Durham airport.

By 1 A.M. Monday, Mr. Shimomura was riding around Raleigh with a second Sprint technician. From the passenger seat, Mr. Shimomura held a cellular-frequency direction-finding antenna and watched a meter display its readings on a laptop computer screen. Within 30 minutes, the two had narrowed the site to the Players Court apartment complex in Duraleigh Hills, three miles from the airport.

At that point, it was time for law enforcement officials to take over. At 10 P.M. Monday, an F.B.I. surveillance team arrived. In order to obtain a search warrant it was necessary to determine a precise apartment address. And although Mr. Shimomura had found the apartment complex, pinning down the apartment was difficult because the cellular signals were creating a radio echo from an adjacent building.

The F.B.I. team set off with its own gear. On Tuesday evening, the agents had an address -- Apartment 202 -- and at 8:30 P.M. a Federal judge in Raleigh issued the warrant from his home.

At 2 A.M. today, F.B.I. agents knocked on the door of Apartment 202. It took Mr. Mitnick more than five minutes to open the door. When he did, he said he was on the phone with his lawyer. But when an agent took the receiver, the line went dead.

------------------------------END OF SECOND ARTICLE---------------------------

From: emmanuel@well.sf.ca.us (Emmanuel Goldstein)
Subject: Mitnick Affidavit
Date: 17 Feb 1995 14:10:13 GMT
Organization: The Whole Earth 'Lectronic Link, Sausalito, CA
Lines: 48
Message-ID: <3i2ao5$o8q@nkosi.well.com>

Part Two - more of the affidavit filed 2/14

On February 2, 1995, I was advised by Gross that a computer at The Well (an Internet provider), San Francisco, California, was compromised. GROSS reported that the machine compromised at the Well was well.well.com (aka well.sf.ca.us). The account used to gain access is called "dono." The logged session contained many ftp transfers (ftp being a program for moving files form [sic] one machine to another in either direction) to the account "dono."
The intruder had previously eliminated any other traces of activity that would have similar logs. In the home directory of the account "dono," there are several files of an unusual nature. "Wietse" is a file of personal E-mail from DAN FARMER to WIETSE VENEMA (two well known authorities in computer security). The file "0108.gz" is a compressed file that contains copies of credit card numbers from the Internet provider Netcom. The files "newoki.tar.Z" and "okitsu.tar.Z" match files found at Loyola University by Tom Reynolds that were confirmed to have been copied from Tsutomu Shimomura's machine ariel.sdsc.edu. The remaining files contain tools for breaking into computers (obtaining root access, e.g. full access to the machine and all user data), tools for hiding the intruder's tracks, electronic mail from several sources, and source code which has not been identified yet.

Gross advised that the majority of activity in the "dono" account originated from the machine teal.csn.org which belongs to the Colorado Supernet (CSN) (an Internet provider). The session documented on January 31, 1995, shows that the person using the "dono" account had knowledge of the files taken from Shimomura's machine and in one case the person in question renames one of the files to a more memorable name.

Gross provided a copy of one full session from teal.csn.org wherein the person logs in and uses the "newgrp" command which has been replaced with a hacker version of newgrp that allows root access (Superuser). The "zap2" program is then run to delete the corresponding accounting records in the log files. The intruder then goes to the "nascom" directory, looks at the files, renames one of the files (indicating prior knowledge of their existence), and then users [sic] the "last" command to make sure the accounting log files are clean.

Gross also provided a detailed listing of the files in the nascom directory. The files are copies of the originals taken form [sic] Tsutomu Shimomura's machine ariel.sdsc.edu on December 25-26, 1994. The files also match the copies found at Loyola University.

$$$6$$$6$$$6$$$MYC$$$6$$$6$$$6$$$MYC$$$6$$$6$$$6$$$MYC$$$6$$$6$$$6$$$

NETCOM HELPS PROTECT THE INTERNET
- A Letter from CEO Bob Rieger to Our Customers -

I know many of you are interested in NETCOM's involvement with the arrest of Kevin Mitnick, and how this may impact you, if at all, as a NETCOM subscriber. First, let me supply a chronology of events:

1. In a routine security check, NETCOM discovered a misappropriated file. As a result, we began an investigation to trace what appeared to be a security breach.

2. At about the same time, the WELL (a small Sausalito-based on-line provider) was investigating an account with an unexpectedly large amount of disk usage. In the course of this investigation, they discovered suspicious material which included items believed illicitly obtained from well-known network security expert Tsutomu Shimomura's computer. Mr. Shimomura performed network monitoring at the WELL, and determined that the account was being accessed from a number of sites, including NETCOM.

3. The WELL contacted NETCOM for assistance in tracking the source of the security breach.

4. A day or two later, the FBI contacted NETCOM and requested NETCOM's active involvement in the broadening investigation of the suspicious activities at the WELL.

5. NETCOM caucused with representatives of the WELL, the FBI, the U.S. Attorney's Office, Mr. Shimomura, and Julia Menapace (an independent computer consultant and associate of Mr. Shimomura).

6. Following the conversation, it was decided that the best vantage point for further tracking of these activities was NETCOM's Network Operations Center.

7. NETCOM operations staff joined their efforts with Mr. Shimomura and his associates to trace the suspect intrusions to a particular telephone modem in NETCOM's Raleigh, N.C. site.

8. At that point, the U.S. Justice Department subpoenaed the local telephone carrier for records of dial-ins at specific times to this modem. It became apparent that the telephone company's switch equipment had been compromised, so that these records could not be obtained. However, the Justice Department found another method for making a match.

9. With this information, the Justice Department knew the approximate location of the originating call.

10. Mr. Shimomura flew to Raleigh and used cellular tracking equipment to locate the apartment building the calls were coming from. Eventually, the calls were traced to an individual apartment, and Mr. Mitnick was arrested.

I hope this detailed recounting helps explain the necessity for silence and discretion on NETCOM's part while the investigation was ongoing. Similarly, we need to be appropriately discreet during the continuing investigation of Mr. Mitnick's alleged illegal activities. While respecting these legitimate restraints, we will provide as much information as possible on a timely basis to you.

(As an aside, you may have noticed that I recently promoted Mr. Kael Loftus to the position of Customer Liaison. Mr. Loftus has already proven very helpful in facilitating communication between our customers and NETCOM.)

There has been some concern expressed about the security of NETCOM customers' credit card numbers. While this incident may have involved the duplication of some credit card numbers, this would apply only to UNIX shell accounts. NETCOM has always made system security its top priority, but every UNIX system has loopholes that can potentially be exploited by an expert cracker. However, to provide additional security for our UNIX accounts, we have further isolated these customers' billing information, including credit card data. This is why the "ccupdate" feature for the UNIX shell accounts has been disabled, and why the "quota" program currently says, "Your account balance is temporarily unavailable." These features will be reinstated when we are able to do so in a secure fashion.

As a practical matter, at this time we have absolutely no indication that any of our UNIX shell customers' credit card numbers have been used illicitly. Naturally, we encourage all customers to check their credit card billing statements carefully. If there is any hint of inappropriate billing, this should be brought to the immediate attention of the credit card issuer for reversal of those charges.

The incident did not involve NetCruiser accounts, which make up the vast majority of NETCOM accounts. Fortunately, the security firewalls built into NetCruiser's system architecture make such a compromise far more difficult.

The big story in all of this is that the Internet is maturing into an extraordinarily efficient means of communication that millions of people use and depend on daily. NETCOM will do everything in its power to help assure the security of our network. We will spend the money and employ the technology, but deterrence is our real goal. Common thieves should know that NETCOM will be ever vigilant in seeking their identification and prosecution.

-$$$$$$$$$$$$$$$OOOh$$$$$$$$$$$$$$$I'm$$$$$$$$$$$$$$$SCARED!!!$$$$$$$$$$$$$$$-
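Two details in the material above are worth tying together for defenders: the affidavit describes the intruder running "zap2" to delete the accounting records for a session and then running "last" to confirm the logs looked clean, and Markoff's article notes that the Christmas intrusion was only noticed because one machine routinely mailed copies of its record-keeping files to a safe host. The following is an added example (my code, not from any of the articles, the affidavit, or Netcom) of that defence: diff the on-host wtmp against an off-host copy shipped before the intruder got root, so that zeroed or deleted login records still show up. It assumes glibc's 384-byte struct utmp layout on x86-64 and uses constructed sample records (the account name "dono" and host "teal.csn.org" come from the affidavit; the other users and hosts are made up).

```python
"""Detect wtmp login records wiped by a zap-style log cleaner.

Assumption (not from the page): records follow glibc's struct utmp on
x86-64, 384 bytes each. All wtmp data below is constructed sample data.
"""
import struct

UTMP = struct.Struct("<hxxi32s4s32s256shhiii4i20x")  # glibc struct utmp
assert UTMP.size == 384
EMPTY, USER_PROCESS, DEAD_PROCESS = 0, 7, 8


def pack_record(ut_type, pid, line, user, host, tv_sec):
    """Build one wtmp record; struct NUL-pads the C string fields."""
    return UTMP.pack(ut_type, pid, line.encode(), b"", user.encode(),
                     host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)


def _cstr(field):
    """Decode a NUL-terminated fixed-width C string field."""
    return field.split(b"\0", 1)[0].decode("latin-1")


def parse_wtmp(blob):
    """Return a list of (type, pid, line, user, host, tv_sec) tuples."""
    if len(blob) % UTMP.size:
        raise ValueError("wtmp length is not a multiple of the record size")
    records = []
    for off in range(0, len(blob), UTMP.size):
        fields = UTMP.unpack_from(blob, off)
        t, pid, line, _id, user, host, _e1, _e2, _sess, sec = fields[:10]
        records.append((t, pid, _cstr(line), _cstr(user), _cstr(host), sec))
    return records


def last_view(blob):
    """What 'last' shows an intruder: (user, line, host) per live login.
    Zeroed records have type EMPTY and are skipped, so they look 'clean'."""
    return [(r[3], r[2], r[4]) for r in parse_wtmp(blob) if r[0] == USER_PROCESS]


def find_wiped_records(local_blob, shipped_blob):
    """Records in the off-host copy that are zeroed or missing on-host.

    The off-host copy is the reference and the on-host file the suspect.
    Records written after the copy was shipped are normal and not flagged.
    """
    local = set(parse_wtmp(local_blob))
    return [r for r in parse_wtmp(shipped_blob)
            if r[0] != EMPTY and r not in local]


# --- constructed sample data (hypothetical users/hosts) ------------------
T0 = 788_400_000  # arbitrary epoch time in late December 1994
LEGIT_LOGIN = pack_record(USER_PROCESS, 1201, "ttyp0", "alice", "ops.example", T0)
DONO_LOGIN = pack_record(USER_PROCESS, 1337, "ttyp3", "dono", "teal.csn.org", T0 + 600)
DONO_LOGOUT = pack_record(DEAD_PROCESS, 1337, "ttyp3", "dono", "teal.csn.org", T0 + 4000)
LATER_LOGIN = pack_record(USER_PROCESS, 1402, "ttyp1", "bob", "ops.example", T0 + 9000)

# Copy mailed off-host before the intruder obtained root: all records intact.
SHIPPED_WTMP = LEGIT_LOGIN + DONO_LOGIN + DONO_LOGOUT
# On-host file afterwards: both "dono" records overwritten with zeros (the
# effect the affidavit attributes to zap2), then one legitimate later login.
LOCAL_WTMP = LEGIT_LOGIN + bytes(UTMP.size) * 2 + LATER_LOGIN


def demo():
    """Compare the sample files and return the wiped records."""
    wiped = find_wiped_records(LOCAL_WTMP, SHIPPED_WTMP)
    for t, pid, line, user, host, sec in wiped:
        print(f"WIPED: type={t} pid={pid} {user}@{line} from {host} at {sec}")
    return wiped


if __name__ == "__main__":
    print("last (on-host):", last_view(LOCAL_WTMP))  # no trace of "dono"
    demo()
```

Running the comparison on a host where the shipped copy is older than the local file is normal; only records that exist in the shipped copy but not locally indicate tampering.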