Mitnick Into: FBI Affidavit, Well Stmt, Misc.

                   MAIN BODY OF THE MITNICK AFFIDAVIT
 
On 2/12/95, Tsutomu Shimomura, SDSC, arrived in Raleigh, NC, to
assist Jim Murphy, Sprint Cellular, in reviewing and comparing Sprint Cellular
CDRs with logging information obtained from Robert Hood, Senior Netcom
Administrator, Netcom. Review of call detail records (CDRs) for MIN
919-602-6523 determined that a call was initiated on February 11, 1995
at 16:37 Eastern Standard Time (EST). This call was placed to Netcom's
POP in Minneapolis, Minnesota, (612) 362-5400.  Netcom records verify a
session login to Netcom's machine from the Minneapolis POP at 13:39 Pacific
Standard Time (PST). The CDR indicated that this call was terminated at 17:35
EST, verified by the Netcom record of termination at 14:35 PST.

On 2/12/95, Joseph Orsak, Senior Maintenance Engineer, Sprint Cellular,
advised affiant that he had identified the particular cell site in the
Raleigh area associated with the cellular telephone calls to Netcom POPs:
cell site #19, sectors 3 & 4, which are at 60-degree angles, with areas of
coverage as follows: South East: Bluestone Drive intersecting State Highway
#70; South West: State Road #1649 to William Omstead State Park; South:
Duraleigh Road to State Road 1664 (see attached map). At 22:00 EST a
search was initiated to seek out the cellular location associated with the
activity listed in paragraphs 9 & 10. Orsak informed affiant that he used
Sprint Cellular service equipment to determine that the call was
originating from the area of the Players Apartment complex, 4518
Tournament Drive, Raleigh, NC. Once the area of the cellular transmission
was determined, Orsak terminated the search at 04:00 EST. Orsak advised that
his equipment indicated that MIN 919-602-6523, which matched Cellular One
CDRs for 2/12/95, conducted a series of calls from 02:00 to 04:00 EST.
Your affiant is familiar with the computers, software and other equipment
commonly used by hackers to modify or clone telephones. Hackers are able
to use cellular phones to conduct their activities by connecting their
computers to a cellular compatible modem. With such a modem, the hacker
uses the cellular phone to dial out to a targeted land-line phone
number, often a network remote or public dialup access line. Such an
access number allows the hacker to connect to and communicate with the
targeted computer system or network. The hacker will often launder his
illegal access attempts by routing calls through a public computer
access network - such as the Internet or by illegally accessing a PBX
telephone system. Once they access the targeted system, the hacker uses
his or her knowledge of computers to steal, erase or manipulate data and
computer programs. Hackers commonly use sophisticated computer programs
to break the password codes which protect computer systems from
unauthorized use.

Affiant believes that all referenced cellular calls in paragraphs 9 & 10
originated from the same individual located within the Players Apartment
Complex, Raleigh, NC. Records obtained from Robert Hood, Netcom, indicate
that computer hacking sessions took place as a direct result of the
cellular hacker activities referenced in paragraphs 9 & 10:

- On February 11, 21:40 - 22:25 PST, computer system listed as bi.fish.com
  (belonging to Dan Farmer) is hacked into by gkremen@netcom.com and
  computer programs are compressed and transferred to another machine.
- Files are later transferred to the Internet provider The Well. E-mail
  is read and hacker backdoor tools allowing the intruder to obtain
  root access are initiated. Programs to erase all accounting log files
  of intruder are activated.
- Internex.net, an Internet provider, is accessed and backdoor programs
  are activated. On this machine stolen files are placed in the lost+found
  directory, a favorite place to hide information.
- Intruder changes directories into that of New York Times writer John
  Markoff. Intruder reads E-mail and then deletes the mail from the system.
- On February 12, 12:40 - 12:53 PST, from Netcom the intruder hacks into
  Mead Data Central (archive site for newspapers). Intruder then logs into
  escape.com then csn.org and begins to read the E-mail of a user
  named hank.
- On February 13, 15:45 - 15:58 PST, intruder logs into internex.net then
  into escape.com where he changes the permissions and .rhost file of
  writer John Markoff to make his account world accessible by anyone.
  Proceeds to delete several files from the system. Activates backdoor
  hacking tools to obtain root superuser status on machine.
 
Investigation conducted via electronic tracking measures has narrowed
the situs of the target's cellular phone operations into the computer
networks to Apartment No. 107 and Apartment No. 108, located in the Players
Apartment Complex at 4640 Tournament Road, Raleigh, North Carolina.
Investigation of the leases on these apartments reveals that Apartment
No. 107 was leased on February 4, 1995, by a new lessee. This is the
precise date on which the target began operating out of the Raleigh,
North Carolina, area. The other apartment is leased by the girlfriend of
the apartment complex's manager, who is not a suspect.

Based upon the above stated facts, and upon my training and experience,
your affiant believes that a resident of the Players Apartment Complex
is actively engaged in illegal use of a cellular telephone to make
unauthorized access into the above listed computer systems and into as
yet undetermined computer and business entities, a violation of Title
18, United States Code, Section 1030, Computer Fraud and Abuse.
 
To the best of my knowledge and belief, the information contained in
the above affidavit is true and accurate.
 
  LEVORD M. BURNS
  Special Agent
  Federal Bureau of Investigation
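The correlation the affidavit describes, carrier call detail records kept in EST against Netcom's session log kept in PST, as an added worked example in Python; it is not part of the affidavit and not the investigators' tooling. The MIN 919-602-6523, the Minneapolis POP number and the first call's times are taken from the affidavit above; the remaining records, the account names and the two-minute skew allowance are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# The affidavit's records are local time: Sprint's CDRs in EST, Netcom's log in PST.
# February is outside US daylight time, so fixed offsets are exact here.
EST = timezone(timedelta(hours=-5), "EST")
PST = timezone(timedelta(hours=-8), "PST")

# Netcom POP dial-in numbers (the Minneapolis number is from the affidavit).
POP_NUMBERS = {"minneapolis": "612-362-5400"}

# Constructed CDR lines: MIN, dialed number, start, end (EST).
# The first line is the call the affidavit pairs with the 13:39 PST login.
CDR_LINES = """\
919-602-6523,612-362-5400,1995-02-11 16:37,1995-02-11 17:35
919-602-6523,612-362-5400,1995-02-12 02:00,1995-02-12 02:41
919-555-0100,612-362-5400,1995-02-11 16:50,1995-02-11 17:00
"""

# Constructed ISP session lines: account, POP, login, logout (PST).
# Account names are assumed for the example.
SESSION_LINES = """\
gkremen,minneapolis,1995-02-11 13:39,1995-02-11 14:35
gkremen,minneapolis,1995-02-11 23:03,1995-02-11 23:41
jdoe,minneapolis,1995-02-11 13:55,1995-02-11 13:58
"""


@dataclass(frozen=True)
class Call:
    min_number: str      # mobile identification number the carrier billed
    dialed: str
    start: datetime      # aware, normalised to UTC
    end: datetime


@dataclass(frozen=True)
class Session:
    account: str
    pop: str
    login: datetime      # aware, normalised to UTC
    logout: datetime


def to_utc(stamp: str, zone: timezone) -> datetime:
    """Attach the record's local zone, then convert, so both sources share one clock."""
    naive = datetime.strptime(stamp, "%Y-%m-%d %H:%M")
    return naive.replace(tzinfo=zone).astimezone(timezone.utc)


def parse_cdrs(text: str) -> list:
    calls = []
    for line in text.strip().splitlines():
        min_number, dialed, start, end = line.split(",")
        calls.append(Call(min_number, dialed, to_utc(start, EST), to_utc(end, EST)))
    return calls


def parse_sessions(text: str) -> list:
    sessions = []
    for line in text.strip().splitlines():
        account, pop, login, logout = line.split(",")
        sessions.append(Session(account, pop, to_utc(login, PST), to_utc(logout, PST)))
    return sessions


def carries(call: Call, session: Session, skew: timedelta) -> bool:
    """A call can carry a session if it went to that POP and its window, widened by
    the allowed clock skew, contains the whole session."""
    return (call.dialed == POP_NUMBERS.get(session.pop)
            and call.start - skew <= session.login
            and session.logout <= call.end + skew)


def correlate(calls, sessions, skew=timedelta(minutes=2)):
    """Map each session to the MINs of every call that could have carried it.
    More than one MIN means the time window alone does not identify the caller."""
    result = {}
    for s in sessions:
        key = (s.account, s.login.isoformat())
        result[key] = [c.min_number for c in calls if carries(c, s, skew)]
    return result


def dial_to_login_lag(call: Call, session: Session) -> timedelta:
    """Time from call setup to session login: modem training plus the login banner."""
    return session.login - call.start


if __name__ == "__main__":
    calls, sessions = parse_cdrs(CDR_LINES), parse_sessions(SESSION_LINES)
    for (account, login), mins in correlate(calls, sessions).items():
        flag = "" if len(mins) == 1 else "  <- ambiguous"
        print(f"{account} login {login}: candidate MINs {mins}{flag}")
```

Normalising both sources to UTC before comparing is the whole trick: the 16:37 EST call start and the 13:39 PST login are two minutes apart once they share one clock, which is modem training plus the login banner, so the match needs a skew allowance rather than equality. The `jdoe` session lands inside two calls, which is the caveat a practitioner should carry away: a dial-in POP serves many callers at once, so a time-window match narrows the candidate MINs but does not identify the caller by itself, which is why the affidavit pairs it with the carrier's cell-site data and direction finding.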
 
   
  

 This is from the AP wire for Thursday, February 16, 1995.
     
RALEIGH, N.C. (AP) - He was a notorious computer vandal, a fugitive
described by one official as "the most wanted hacker in the world."

In more than two years on the run, Kevin D. Mitnick allegedly pilfered
thousands of data files and at least 20,000 credit card numbers, worming
his way into even the most sophisticated systems.
 
But Mitnick, who once broke into a top-secret military defense system as a
teen-age prank, apparently infiltrated one computer too many.
 
One of his latest victims, a computer security expert, was so angered that
he made it his crusade to track Mitnick down.
 
Mitnick, 31, was charged with computer fraud, punishable by 20 years in
prison, and illegal use of a telephone access device, which carries a
maximum 15-year sentence. Both crimes also are punishable by $250,000
fines.
 
He already was wanted in California for violating probation on a previous
hacking conviction.
 
"He was clearly the most wanted computer hacker in the world," Kent
Walker, an assistant U.S. attorney in San Francisco who helped coordinate
the investigation, told The New York Times. "He allegedly had access to
corporate trade secrets worth billions of dollars. He was a very big
threat."
 
Mitnick had been on the run since 1992. Authorities say he broke into many
of the nation's telephone networks, and most recently he had become a
suspect in a rash of break-ins on the global Internet computer network.
"He's a computer terrorist," said John Russell, a U.S. Justice Department
spokesman.
 
Mitnick's downfall began Christmas Day, when he broke into the home
computer of Tsutomu Shimomura of the San Diego Supercomputer Center and
stole security programs he had written.
 
Incensed, Shimomura canceled a ski vacation and assembled a team of
computer experts to hunt down the intruder. They traced Mitnick to
Netcom, a nationwide Internet access provider, and with the help of
federally subpoenaed phone records determined that he was placing calls
from a cellular phone near Raleigh-Durham International Airport, the
Times said.
 
Early Monday morning, Shimomura drove around Raleigh with a telephone
company technician. They used a cellular frequency direction-finding
antenna hooked to a laptop to narrow the search to an apartment complex.
The FBI arrested Mitnick after a 24-hour stakeout.
 
Shimomura, 30, attended Mitnick's prearraignment hearing Wednesday at the
federal courthouse in Raleigh. At the end of the hearing, a handcuffed
Mitnick turned to Shimomura, whom he had never met, according to the Times.
"Hello, Tsutomu. I respect your skills." Shimomura nodded solemnly.
 
  

    THE MITNICK FAQ FROM 'THE WELL'
     
 
[mod's note: Kevin Mitnick's arrest was connected with the investigation
of intrusions on the WELL, a conferencing system in Sausalito, California.
The WELL has issued a press statement in the form of a FAQ]:
 
The WELL : FAQ (Frequently Asked Questions) Sheet for Press
 
Q.  When did The WELL first become aware of the unauthorized activity on
its system?
A.  Friday, January 27th.
 
Q.  How did you discover it?
A.  A routine system check.
 
Q.  What actions did the WELL take to help track the suspect?
A.  Our technical staff began monitoring and analyzing the situation over
that weekend.  By Monday, we had contacted Computer Emergency Response Team
(CERT), The FBI, Sun's Security Team, Tsutomu Shimomura of San Diego
Supercomputer Center, the Board of Directors of The WELL, representatives of
The WELL community and EFF to discuss our appropriate response. We also
contacted other Internet service sites who we believed were compromised.
Our main objective was to understand risks, options, and factors affecting
our system security and Net-wide responsibilities.
 
After discussing the situation with the above groups, and carefully
considering our options and responsibilities, we made the decision to
contact the U.S. Attorney's Office and to cooperate with Tsutomu Shimomura
in apprehending the intruder.  We did this in an effort to foster greater
security on the global net.
 
We initiated round-the-clock staffing to monitor the illegal activity.
WELL technical staff were joined by Mr. Shimomura and his associates to
help trace the suspect using sophisticated monitoring software that he
supplied.
 
At no time was the FBI onsite at The WELL or involved in monitoring at our
site.
 
Q.  What was the chronology of events at The WELL the day leading up to the
arrest of Kevin Mitnick?
A. Tuesday, February 14, 2:30 pm PST

WELL technical staff, which had been monitoring the activity for nearly 18
days, notices that the cracker has erased information on one transaction
file on The WELL.  The transaction file (there are dozens of accounting
files on The WELL) contained user log-on data, and was a file which is
stored elsewhere and backed up regularly.
 
WELL decides to bring the system down so we can re-build the damaged file
and do further investigation.  WELL staff shuts down WELL computers.

Tuesday, February 14, 3:00 pm PST
 
Technical staff positively determines that it is only one accounting file
that has been affected.  Approximately three hours after the incident the
damaged file is rebuilt.
 
Tuesday, February 14, 5:00 pm PST
 
Shimomura and assistants are contacted, and confirm with The WELL technology
team that the cracker appeared to have made a typing error when he zeroed
the one accounting file.  Shimomura reports that they are hours from
catching the suspect.
 
Tuesday, February 14, 8:30 pm PST
 
WELL puts system back up.  Monitoring continues in full gear.
 
Tuesday, February 14, 10:30 pm PST
 
Kevin Mitnick is arrested in Raleigh, North Carolina.
 
Q.  What other sites were affected?
A.  In the interest of their privacy, we will not say.  We believe that at
least a dozen sites were compromised.
 
Q.  What are The WELL's normal security procedures?
A.  The WELL follows normal UNIX and Internet system security procedures
including, but not limited to, implementing changes as recommended by CERT
advisories, security patches as available from vendors (e.g. SUN, Cisco),
regular use of system security diagnostic software, including "crack" and
other appropriate security related measures.  We feel it is inappropriate to
enumerate all our security measures in a public forum.
 
Q.  Did the cracker get WELL members' credit card information or personal
files?
A.  To the extent that we are able to determine, no credit card information
was accessed by the intruder.

We monitored nearly every keystroke of the cracker.  A total of 11 accounts
were compromised by the intruder, and we have contacted all of the account
holders.  In general, the cracker was not interested in information on The
WELL itself, but used the WELL for storing files from other sites.
 
Q.  Wouldn't changing all members' passwords have secured the system?
A.  Fundamentally, it wouldn't have made any difference.  The tools used by
this cracker would not have been defeated by changing individual passwords.
Additionally, we have no information that would lead us to believe that
members' passwords had been cracked or distributed.
 
Q.  What exactly were you monitoring and who was doing this?
A.  We were tracking network transactions, e.g. ftp, smtp, telnet etc., to
and from systems known and/or suspected by us to have been compromised.  We
added additional sites as we learned about this.
 
Those monitoring our system included The WELL tech staff as well as Andrew
Gross, a consultant from Shimomura's office.
 
Q.  What are you doing to strengthen the security of The WELL?
A.  We've purchased a new main server, a Sparc 1000e.  We're re-installing
application software from binaries, implementing one-time (DES) password
protection for critical accounts, including root, and requiring every user
on the system to select a new password (adhering to standards that make
password cracking more difficult).  We are continuing close liaison with
Sun specialists and other system security specialists and advisors to
examine techniques used by the cracker to gain system access and to address
these system weaknesses.
 
The WELL plans to install the new Sparc 1000e on Monday, February 20th.

    BRAIN DEAD IN CYBERSPACE  

By Jim Silvania
 
The demise of America's number one cyberthief, Kevin Mitnick, The
Condor, has been widely reported.  Discussions among Internet users
regarding Mitnick's arrest have led to some interesting revelations.
There appears to be a growing fear among Internet computer users that
Mitnick (sometimes referred to as the "Hannibal Lecter of hacking"), or
other cyberpunks with modems, could somehow gain access to their
private computer system and wreak havoc by stealing their secrets or
implanting an information-consuming virus.  The possibility exists, but
even more of a threat is someone surreptitiously entering your home or
business and walking off with your hard drive and thereby rendering
your business brain dead.

Medical shows (such as ER and Chicago Hope) have once again become
popular with TV viewers.  Would I be revealing my age if I stated I
can remember watching Ben Casey, M.D. and Dr. Kildare?  In all of the
previously mentioned medical shows one scene always portrayed is that of
a patient lying in a hospital bed hooked up to a visual monitor.  One
soon learned that at some point during the show the lines on the
monitor went flat causing the monitor to sound an alarm and thereby
sending the staff into a controlled "Code Blue" panic.  In the older
television dramas, the doctor would rush to the rescue and save the
dying patient.  In the newer TV dramas, the viewers have learned that
if the lines on the monitor remain flat, the patient dies.  The patient
is labeled "brain dead" and all bodily functions cease.
 
I am now involved in an investigation of another theft or a lobotomy
of a business entity.  Again an uncommon thief has entered a business
and removed or stolen the computer's hard drive. The hard drive
contained the business' customer list.  In one of the more recent
cases, not only did the perpetrator steal the hard drive, he/she also
stole the taped backup which was located next to the hard drive and, of
course, plainly marked "backup".

The thieves in these past instances did not gain access to the
business' secrets via the use of a modem or the process of hacking.
The acts of these criminals were committed as easily as the
professional shoplifter steals from the neighborhood discount
store.
 
The  investigation into the theft of a hard drive becomes a horse of a
different color.  The street cop who is dispatched to the business to
take the theft report views the whole affair as just a minor theft of
computer hardware that can be easily replaced by submitting an
insurance claim.  The investigating detective with a stack of 100
reports on his desk views the matter in the same light. What neither
law enforcement officer realizes is that the actions of the
perpetrators amount to more than just a theft.  Their actions amount to
murder. The lines on the monitor monitoring your business have gone
flat. The alarm should be sounding a "Code Blue" because your  company
is now "brain dead".
 
The motivations for such thievery can include espionage,
subversion, competitor intelligence or just a disgruntled employee
seeking revenge.  Here are some tips on preventing your business from
becoming "brain dead":
 
1.   Secure your hard drive, preferably with a lock and key.
 
2.   Passwording doesn't cut it. If your hard drive is stolen, it can
be booted from a floppy disk, or simply mounted in a new computer, and
read without your password prompt ever running.

  [HTML ed note: there are a number of file/disk encryption tools covered
in the Tools: section.]
     
3.   Secure your backup.   It belongs someplace else other than next to
your computer.
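An added example, in Python, of the difference tip 2 draws between a login password and protecting the data itself; it is not from the column or from any of the tools the editor's note refers to. The "disk image" is a constructed byte layout, not a real filesystem, and because the standard library has no AES the cipher is HMAC-SHA256 in counter mode with an encrypt-then-MAC tag, named here as a stand-in for real full-disk encryption.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a stolen drive: a login hash and the customer list
# laid out side by side, as a real filesystem lays them out. Nothing here is a
# real image format; the entries are made up for the example.
LOGIN_HASH = hashlib.sha256(b"correct horse battery").hexdigest().encode()
CUSTOMER_LIST = b"ACME Corp,555-0100\nGlobex,555-0199\nInitech,555-0123\n"


def build_plain_image() -> bytes:
    return b"PASSWD:" + LOGIN_HASH + b"\nDATA:" + CUSTOMER_LIST


def offline_read(image: bytes) -> bytes:
    """Thief's view of the drive in another machine: the login check never runs,
    so the data region is read straight out of the raw bytes."""
    return image.split(b"DATA:", 1)[1]


# --- encryption at rest ----------------------------------------------------
# Stdlib has no AES, so the cipher here is HMAC-SHA256 run in counter mode as a
# keystream, with a separate HMAC tag (encrypt-then-MAC). It is a PRF-based
# stream cipher shown for illustration; in production use full-disk encryption
# (LUKS, BitLocker, FileVault) or a vetted AEAD library.

def derive_keys(passphrase: bytes, salt: bytes):
    km = hashlib.scrypt(passphrase, salt=salt, n=2 ** 14, r=8, p=1, dklen=64)
    return km[:32], km[32:]          # encryption key, MAC key


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def seal(passphrase: bytes, plaintext: bytes) -> bytes:
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(passphrase, salt)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag


def unseal(passphrase: bytes, blob: bytes):
    """Return the plaintext, or None if the passphrase is wrong or the blob was altered."""
    if len(blob) < 64:
        return None
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    return bytes(c ^ k for c, k in zip(ct, keystream(enc_key, nonce, len(ct))))


def build_encrypted_image(passphrase: bytes) -> bytes:
    """Same layout, but the data region holds ciphertext. The passphrase lives
    with the operator, not on the drive."""
    return b"PASSWD:" + LOGIN_HASH + b"\nDATA:" + seal(passphrase, CUSTOMER_LIST)


if __name__ == "__main__":
    print(offline_read(build_plain_image()).decode())        # customer list, no password asked
    stolen = offline_read(build_encrypted_image(b"open sesame"))
    print(b"ACME" in stolen, unseal(b"guess", stolen) is None)   # False True
```

`offline_read` is the thief's workflow: the drive goes into another machine and the login check never executes, so the password hash sitting beside the data is irrelevant. Once the data region holds ciphertext keyed from a passphrase that is not on the drive, the same read yields nothing, and `unseal` refuses both a wrong passphrase and a modified blob. Keeping the key on the same drive, or on the tape next to it, repeats the mistake tip 3 warns about.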