MAIN BODY OF THE MITNICK AFFIDAVIT

On 2/12/95, Tsutomu Shimomura, SDSC, arrived in Raleigh, NC, to assist Jim Murphy, Sprint Cellular, review and compare Sprint Cellular CDR's with logging information obtained from Robert Hood, Senior Netcom Administrator, Netcom.

Review of call detail records (CDR) for MIN 919-602-6523 determined that a call was initiated on February 11, 1995 at 16:37 Eastern Standard Time (EST). This call was place [sic] to Netcom's POP in Minneapolis, Minnesota (612)-362-5400. Netcom records verify session login to Netcom's machine from Minneapolis POP at 13:39 Pacific Standard Time (PST). CDR indicated that this call was terminated at 17:35 EST and verified by Netcom record of termination at 14:35 PST.

On 2/12/95, Joseph Orsak, Senior Maintenance Engineer, Sprint Cellular, advised affiant that he had identified the particular cell site in the Raleigh area associated with the cellular telephone calls to Netcom POP's. Cell site #19, sector 3 & 4 which are at 60 degree angles, with areas of coverage as follows: South East Bluestone Drive intersecting state highway #70; South West State Road #1649 to William Omstead State Park; South Duraleigh Road to State Road 1664 (see attached map).

At 22:00 EST a search was initiated to seek out the cellular location associated with activity listed in paragraphs 9 & 10. Orsak informed affiant that he used Sprint Cellular service equipment to determine that the call was originating from the area of the Players Apartment complex, 4518 Tournament Drive, Raleigh, NC. Once the area of the cellular transmission was determined Orsak terminated search at 04:00 EST. Orsak advised that his equipment indicated that MIN 919-602-6523, which matched Cellular One CDR's for 2/12/95, conducted a series of calls from 02:00 to 04:00 EST.

Your affiant is familiar with the computers, software and other equipment commonly used by hackers to modify or clone telephones. Hackers are able to use cellular phones to conduct their activities by connecting their computers to a cellular compatible modem. With such a modem, the hacker uses the cellular phone to dial out to a targeted land-line phone number, often a network remote or public dialup access line. Such an access number allows the hacker to connect to and communicate with the targeted computer system or network. The hacker will often launder his illegal access attempts by routing calls through a public computer access network, such as the Internet, or by illegally accessing a PBX telephone system. Once they access the targeted system, the hacker uses his or her knowledge of computers to steal, erase or manipulate data and computer programs. Hackers commonly use sophisticated computer programs to break the password codes which protect computer systems form [sic] unauthorized use.

Affiant believes that all referenced cellular calls in paragraphs 9 & 10 originated from the same individual located within the Players Apartment Complex, Raleigh, NC.

Records obtained from Robert Hood, Netcom, indicate that computer hacking sessions took place as a direct result of the cellular hacker activities referenced in paragraphs 9 & 10:

- On February 11, 21:40 - 22:25 PST, computer system listed as bi.fish.com (belonging to Dan Farmer) is hacked into by gkremen@netcom.com and computer programs are compressed and transferred to another machine.
- Files are later transferred to the Internet provider The Well. E-mail is read and hacker backdoor tools allowing the intruder to obtain root access are initiated. Programs to erase all accounting log files of intruder are activated.
- Internex.net a [sic] Internet provider is accessed and backdoor programs are activated. On this machine stolen files are placed in the lost+found directory, a favorite place to hide information.
- Intruder changes directories into that of New York Times writer John Markoff. Intruder reads E-mail and then deletes the mail from the system.
- On February 12, 12:40 - 12:53 PST, from Netcom the intruder hacks into Mead Data Central (archive site for newspapers). Intruder then logs into escape.com then csn.org and begins to read the E-mail of a user named hank.
- On February 13, 15:45 - 15:58 PST, intruder logs into internex.net then into escape.com where he changes the permissions and .rhost file of writer John Markoff to make his account world accessible by anyone. Proceeds to delete several files from the system. Activates backdoor hacking tools to obtain root superuser status on machine.

Investigation conducted via electronic tracking measures has narrowed the situs of the target's cellular phone operations into the computer networks to Apartment No. 107 and Apartment No. 108, located in Players Apartment Complex on 4640 Tournament Road, Raleigh, North Carolina. Investigation of the leases on these apartments reveals that Apartment No. 107 was leased on February 4, 1995, by a new lessee. This is the precise date on which the target began operating out of the Raleigh, North Carolina, area. The other apartment is leased by the girlfriend of the apartment complex's manager, who is not a suspect.

Based upon the above stated facts, and upon my training and experience, your affiant believes that a resident of the Players Apartment Complex is actively engaged in illegal use of a cellular telephone to make unauthorized access into the above listed computer systems and of as yet undetermined computer and business entities, a violation of Title 18, United States Code, Section 1030, Computer Fraud and Abuse.

To the best of my knowledge and belief, the information contained in the above affidavit is true and accurate.

LEVORD M. BURNS
Special Agent
Federal Bureau of Investigation
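The affidavit's first step is a record correlation: carrier call detail records stamped in Eastern time are lined up against ISP session logs stamped in Pacific time, and a call is attributed to a session when start and end agree after the offset is removed. The following is an added example, not code from the affidavit or from any party named in it; the record layouts, the hostnames and the 5-minute tolerance are assumptions, and the sample values are constructed to mirror the figures the affidavit quotes (16:37 EST call start against a 13:39 PST login).

```python
"""Correlate cellular call detail records (CDRs) with ISP session logs.

Added example, not part of the affidavit. Record formats and values below
are constructed to mirror the affidavit's description: CDR times are
recorded in Eastern Standard Time, ISP session times in Pacific Standard
Time, and the two sources only line up once both are normalised to a
common clock (UTC here).
"""
from datetime import datetime, timedelta, timezone

# Fixed winter offsets for February 1995; no daylight saving was in effect.
EST = timezone(timedelta(hours=-5), "EST")
PST = timezone(timedelta(hours=-8), "PST")

# Constructed CDRs: (MIN, dialed number, call start, call end), local EST.
CDRS = [
    ("919-602-6523", "612-362-5400", "1995-02-11 16:37", "1995-02-11 17:35"),
    ("919-602-6523", "612-362-5400", "1995-02-12 02:00", "1995-02-12 04:00"),
]

# Constructed ISP session records: (POP, login, logout), local PST.
SESSIONS = [
    ("minneapolis", "1995-02-11 13:39", "1995-02-11 14:35"),
    ("minneapolis", "1995-02-11 23:00", "1995-02-12 01:00"),
    ("minneapolis", "1995-02-12 12:40", "1995-02-12 12:53"),  # no CDR covers this one
]


def to_utc(stamp, tz):
    """Parse a 'YYYY-MM-DD HH:MM' wall-clock string in zone tz and return it in UTC."""
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M").replace(tzinfo=tz).astimezone(timezone.utc)


def correlate(cdrs, sessions, tolerance=timedelta(minutes=5)):
    """Pair each CDR with every session whose login and logout both fall
    within `tolerance` of the call's start and end, after converting both
    sides to UTC. The tolerance absorbs modem/PPP setup delay and clock
    skew between the carrier switch and the ISP terminal server (the
    affidavit's own figures differ by two minutes at call start).
    Returns a list of (cdr_index, session_index) pairs."""
    matches = []
    for i, (_min, _dialed, start, end) in enumerate(cdrs):
        c_start, c_end = to_utc(start, EST), to_utc(end, EST)
        for j, (_pop, login, logout) in enumerate(sessions):
            s_start, s_end = to_utc(login, PST), to_utc(logout, PST)
            if abs(c_start - s_start) <= tolerance and abs(c_end - s_end) <= tolerance:
                matches.append((i, j))
    return matches


def unmatched_sessions(cdrs, sessions, tolerance=timedelta(minutes=5)):
    """Indices of sessions that no CDR explains. These need another source:
    a different MIN, a different carrier, or a non-cellular route in."""
    matched = {j for _, j in correlate(cdrs, sessions, tolerance)}
    return [j for j in range(len(sessions)) if j not in matched]


def naive_matches(cdrs, sessions):
    """The pitfall: compare the raw wall-clock strings without zone
    conversion. Nothing lines up, although every call is present."""
    return [(i, j) for i, c in enumerate(cdrs) for j, s in enumerate(sessions)
            if c[2] == s[1] and c[3] == s[2]]


if __name__ == "__main__":
    for i, j in correlate(CDRS, SESSIONS):
        print(f"CDR {i} ({CDRS[i][2]} EST) <-> session {j} ({SESSIONS[j][1]} PST)")
    print("unexplained sessions:", unmatched_sessions(CDRS, SESSIONS))
    print("naive string comparison finds:", naive_matches(CDRS, SESSIONS))
```

The `naive_matches` function is there to show the failure mode: with one source in EST and the other in PST, comparing timestamps as written finds no overlap at all, so every record must be converted to a single reference clock before any tolerance window is applied. A session that survives `unmatched_sessions` is not evidence of anything by itself; it is a gap in coverage that calls for more records.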
This is from the AP wire for Thursday, February 16, 1995.

RALEIGH, N.C. (AP) - He was a notorious computer vandal, a fugitive described by one official as "the most wanted hacker in the world."

In more than two years on the run, Kevin D. Mitnick allegedly pilfered thousands of data files and at least 20,000 credit card numbers, worming his way into even the most sophisticated systems.

But Mitnick, who once broke into a top-secret military defense system as a teen-age prank, apparently infiltrated one computer too many. One of his latest victims, a computer security expert, was so angered that he made it his crusade to track Mitnick down.

Mitnick, 31, was charged with computer fraud, punishable by 20 years in prison, and illegal use of a telephone access device, which carries a maximum 15-year sentence. Both crimes also are punishable by $250,000 fines. He already was wanted in California for violating probation on a previous hacking conviction.

"He was clearly the most wanted computer hacker in the world," Kent Walker, an assistant U.S. attorney in San Francisco who helped coordinate the investigation, told The New York Times. "He allegedly had access to corporate trade secrets worth billions of dollars. He was a very big threat."

Mitnick had been on the run since 1992. Authorities say he broke into many of the nation's telephone networks, and most recently he had become a suspect in a rash of break-ins on the global Internet computer network.

"He's a computer terrorist," said John Russell, a U.S. Justice Department spokesman.

Mitnick's downfall began Christmas Day, when he broke into the home computer of Tsutomu Shimomura of the San Diego Supercomputer Center and stole security programs he had written. Incensed, Shimomura canceled a ski vacation and assembled a team of computer experts to hunt down the intruder.

They traced Mitnick to Netcom, a nationwide Internet access provider, and with the help of federally subpoenaed phone records determined that he was placing calls from a cellular phone near Raleigh-Durham International Airport, the Times said.

Early Monday morning, Shimomura drove around Raleigh with a telephone company technician. They used a cellular frequency direction-finding antenna hooked to a laptop to narrow the search to an apartment complex. The FBI arrested Mitnick after a 24-hour stakeout.

Shimomura, 30, attended Mitnick's prearraignment hearing Wednesday at the federal courthouse in Raleigh. At the end of the hearing, a handcuffed Mitnick turned to Shimomura, whom he had never met, according to the Times. "Hello, Tsutomu. I respect your skills." Shimomura nodded solemnly.
THE MITNICK FAQ FROM 'THE WELL'

[mod's note: Kevin Mitnick's arrest was connected with the investigation of intrusions on the WELL, a conferencing system in Sausalito, California. The WELL has issued a press statement in the form of a FAQ]:

The WELL : FAQ (Frequently Asked Questions) Sheet for Press

Q. When did The WELL first become aware of the unauthorized activity on its system?

A. Friday, January 27th.

Q. How did you discover it?

A. A routine system check.

Q. What actions did the WELL take to help track the suspect?

A. Our technical staff began monitoring and analyzing the situation over that weekend. By Monday, we had contacted the Computer Emergency Response Team (CERT), the FBI, Sun's Security Team, Tsutomu Shimomura of the San Diego Supercomputer Center, the Board of Directors of The WELL, representatives of The WELL community and the EFF to discuss our appropriate response. We also contacted other Internet service sites that we believed were compromised. Our main objective was to understand the risks, options, and factors affecting our system security and Net-wide responsibilities. After discussing the situation with the above groups, and carefully considering our options and responsibilities, we made the decision to contact the U.S. Attorney's Office and to cooperate with Tsutomu Shimomura in apprehending the intruder. We did this in an effort to foster greater security on the global net. We initiated round-the-clock staffing to monitor the illegal activity. WELL technical staff were joined by Mr. Shimomura and his associates to help trace the suspect using sophisticated monitoring software that he supplied. At no time was the FBI onsite at The WELL or involved in monitoring at our site.

Q. What was the chronology of events at The WELL the day leading up to the arrest of Kevin Mitnick?

A.

Tuesday, February 14, 2:30 pm PST
WELL technical staff, which had been monitoring the activity for nearly 18 days, notices that the cracker has erased information in one transaction file on The WELL. The transaction file (there are dozens of accounting files on The WELL) contained user log-on data, and was a file which is stored elsewhere and backed up regularly. WELL decides to bring the system down so we can re-build the damaged file and do further investigation. WELL staff shuts down WELL computers.

Tuesday, February 14, 3:00 pm PST
Technical staff positively determines that only one accounting file has been affected. Approximately three hours after the incident the damaged file is rebuilt.

Tuesday, February 14, 5:00 pm PST
Shimomura and assistants are contacted, and confirm with The WELL technology team that the cracker appears to have made a typing error when he zeroed the one accounting file. Shimomura reports that they are hours from catching the suspect.

Tuesday, February 14, 8:30 pm PST
WELL puts the system back up. Monitoring continues in full gear.

Tuesday, February 14, 10:30 pm PST
Kevin Mitnick is arrested in Raleigh, North Carolina.

Q. What other sites were affected?

A. In the interest of their privacy, we will not say. We believe that at least a dozen sites were compromised.

Q. What are The WELL's normal security procedures?

A. The WELL follows normal UNIX and Internet system security procedures including, but not limited to, implementing changes as recommended by CERT advisories, applying security patches as available from vendors (e.g. Sun, Cisco), regular use of system security diagnostic software, including "crack", and other appropriate security-related measures. We feel it is inappropriate to enumerate all our security measures in a public forum.

Q. Did the cracker get WELL members' credit card information or personal files?

A. To the extent that we are able to determine, no credit card information was accessed by the intruder. We monitored nearly every keystroke of the cracker. A total of 11 accounts were compromised by the intruder, and we have contacted all of the account holders. In general, the cracker was not interested in information on The WELL itself, but used The WELL for storing files from other sites.

Q. Wouldn't changing all members' passwords have secured the system?

A. Fundamentally, it wouldn't have made any difference. The tools used by this cracker would not have been defeated by changing individual passwords. Additionally, we have no information that would lead us to believe that members' passwords had been cracked or distributed.

Q. What exactly were you monitoring and who was doing this?

A. We were tracking network transactions (e.g. ftp, smtp, telnet, etc.) to and from systems known and/or suspected by us to have been compromised. We added additional sites as we learned about this. Those monitoring our system included The WELL tech staff as well as Andrew Gross, a consultant from Shimomura's office.

Q. What are you doing to strengthen the security of The WELL?

A. We've purchased a new main server, a Sparc 1000e. We're re-installing application software from binaries, implementing one-time (DES) password protection for critical accounts, including root, and requiring every user on the system to select a new password (adhering to standards that make password cracking more difficult). We are continuing close liaison with Sun specialists and other system security specialists and advisors to examine the techniques used by the cracker to gain system access and to address these system weaknesses. The WELL plans to install the new Sparc 1000e on Monday, February 20th.
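The monitoring the FAQ describes, tracking ftp, smtp and telnet transactions to and from a growing list of hosts believed compromised and tying each hit back to the local account involved, is a watchlist filter over connection logs. The block below is an added example written for this page; it is not The WELL's monitoring software or Shimomura's tooling. The log line format, every hostname, the watchlist contents and the `-` placeholder for an unknown account are constructed for the demonstration.

```python
"""Flag network transactions to or from suspected-compromised hosts.

Added example, not The WELL's monitoring software. The log format and
every hostname below are constructed; the watchlist stands in for the
set of sites The WELL "knew and/or suspected" to be compromised, and the
service set for the ftp/smtp/telnet traffic it tracked.
"""
import re
from collections import Counter

# Hosts believed compromised elsewhere; extended as new sites are learned.
WATCHLIST = {"compromised-a.example", "compromised-b.example"}
SERVICES = {"ftp", "smtp", "telnet"}

# Constructed connection log: timestamp, source, destination, service, local account.
SAMPLE_LOG = """\
1995-02-13 15:45:02 compromised-a.example -> well.example telnet alice
1995-02-13 15:46:10 home.example -> well.example smtp -
1995-02-13 15:47:30 well.example -> compromised-b.example ftp alice
1995-02-13 15:48:00 desk.example -> well.example telnet bob
1995-02-13 15:49:15 compromised-a.example -> well.example finger -
this line is corrupt and must not crash the monitor
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<src>\S+) -> (?P<dst>\S+) (?P<svc>\w+) (?P<user>\S+)$"
)


def parse_line(line):
    """Return a dict of fields for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def flag_events(log_text, watchlist=WATCHLIST, services=SERVICES):
    """Events that involve a watchlisted host on either end and use one of
    the tracked services. Unparseable lines are skipped rather than fatal,
    so one corrupt entry cannot silence the monitor."""
    flagged = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["svc"] not in services:
            continue
        if ev["src"] in watchlist or ev["dst"] in watchlist:
            # Record which end is the suspect host; the other end is ours.
            ev["peer"] = ev["src"] if ev["src"] in watchlist else ev["dst"]
            flagged.append(ev)
    return flagged


def accounts_touched(events):
    """Count flagged events per local account: the account holders who
    must be contacted once a compromise is confirmed."""
    return Counter(ev["user"] for ev in events if ev["user"] != "-")


if __name__ == "__main__":
    events = flag_events(SAMPLE_LOG)
    for ev in events:
        print(f'{ev["ts"]} {ev["svc"]:6} {ev["src"]} -> {ev["dst"]} (account {ev["user"]})')
    print("accounts to notify:", dict(accounts_touched(events)))
```

Two design points matter here. The filter is driven by a mutable set, so a new suspect site can be added as the investigation widens without touching the parsing logic, which matches the FAQ's "we added additional sites as we learned about this". And the monitor keys on the remote host, not on a local password check, which is the practical reason the FAQ gives for why a mass password reset would not have helped: the traffic of interest is identified by where it goes, not by whose credentials it carries.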
BRAIN DEAD IN CYBERSPACE
By Jim Silvania

The demise of America's number one cyberthief, Kevin Mitnick, "The Condor", has been widely reported. Discussions among Internet users regarding Mitnick's arrest have led to some interesting revelations. There appears to be a growing fear among Internet computer users that Mitnick (sometimes referred to as the "Hannibal Lecter of hacking"), or other cyberpunks with modems, could somehow gain access to their private computer systems and wreak havoc by stealing their secrets or implanting an information-consuming virus. The possibility exists, but an even greater threat is someone surreptitiously entering your home or business and walking off with your hard drive, thereby rendering your business brain dead.

Medical shows (such as ER and Chicago Hope) have once again become popular with TV viewers. Would I be revealing my age if I stated that I can remember watching Ben Casey, M.D. and Dr. Kildare? In all of the previously mentioned medical shows, one scene always portrayed is that of a patient lying in a hospital bed hooked up to a visual monitor. One soon learned that at some point during the show the lines on the monitor went flat, causing the monitor to sound an alarm and sending the staff into a controlled "Code Blue" panic. In the older television dramas, the doctor would rush to the rescue and save the dying patient. In the newer TV dramas, the viewers have learned that if the lines on the monitor remain flat, the patient dies. The patient is labeled "brain dead" and all bodily functions cease.

I am now involved in an investigation of another theft, or a lobotomy of a business entity. Again an uncommon thief has entered a business and removed or stolen the computer's hard drive. The hard drive contained the business' customer list. In one of the more recent cases, not only did the perpetrator steal the hard drive, he/she also stole the tape backup, which was located next to the hard drive and, of course, plainly marked "backup".

The thieves in these past instances did not gain access to the business' secrets via the use of a modem or the process of hacking. The acts of these criminals were committed as easily as those of the professional shoplifter who steals from the neighborhood discount store.

The investigation into the theft of a hard drive becomes a horse of a different color. The street cop who is dispatched to the business to take the theft report views the whole affair as just a minor theft of computer hardware that can be easily replaced by submitting an insurance claim. The investigating detective, with a stack of 100 reports on his desk, views the matter in the same light. What neither law enforcement officer realizes is that the actions of the perpetrators amount to more than just a theft. Their actions amount to murder. The lines on the monitor monitoring your business have gone flat. The alarm should be sounding a "Code Blue" because your company is now "brain dead".

The motivations for such thievery can include espionage, subversion, competitor intelligence, or just a disgruntled employee seeking revenge.

Here are some tips on preventing your business from becoming "brain dead":

1. Secure your hard drive, preferably with a lock and key.

2. Passwords alone don't cut it. If your hard drive is stolen, the thief can boot the machine from a floppy disk or simply mount your hard drive in a new computer, and the password never comes into play. [HTML ed note: there are a number of file/disk encryption tools covered in the Tools: section.]

3. Secure your backup. It belongs someplace other than next to your computer.