VX Heaven

Library Collection Sources Engines Constructors Simulators Utilities Links Forum

The West German Hacker Incident and Other Intrusions

Mel Mandell
Computers under attack: intruders, worms, and viruses, pp. 150-155
ISBN 0-201-53067-8
January 1990

[Back to index] [Comments]


Article 7

from Computers under attack: intruders, worms, and viruses

Copyright © 1990, Association for Computing Machinery, Inc.

"The cuckoo has egg on his face." An intruder left this embarrassing message in the computer file assigned to Clifford Stoll. The reference is to Stoll's book, The Cuckoo's Egg [1], which deals with Stall's tracking of the intrusions of a West German hacker, described in greater detail below. The file is in a computer owned by Harvard University, with which astronomer Stoll is now associated. The embarrassment was heightened by the fact that the computer is on the Internet network. The intruder, or intruders, who goes by the name of Dave, also attempted to break into dozens of other computers on the same network — and succeeded.

The "nom de guerre," Dave, it now appears, was used by one or more of three Australians arrested earlier this year by the federal police down under [2]. The three, who, at the time of their arrest were, respectively 18, 20, and 21 years of age, successfully penetrated computers in both Australia and the United States. Among the organizations that suffered intrusions are Boston, New York, Purdue, and Texas Universities, Citicorp, and, more frighteningly, two U.S. installations where classified research is conducted. Significantly, Digital Equipment Corporation also suffered intrusions. DEC may have been the computer maker that, according to the report in The New York Times [2], was not aware that computers in its research laboratory were being penetrated until so informed!

What is particularly unnerving about these intrusions is that they elicited the following comment from a spokesman for the Computer Emergency Response Team at Carnegie Mellon University, the group that monitors computer security breaches on Internet: "Intruders constantly attempt to enter Internet-attached computers" [3].

The three Australians went beyond browsing to damage data in computers in their own nation and the United States. At the time they began their intrusions in 1988 (when the youngest was only 16), there was no law in Australia under which they could be prosecuted. It was not until legislation making such intrusions prosecutable was passed that the police began to take action.

Stalking the Wily Hacker

The most famous sequence of intrusions involved a member of a small group of West Germans who were eventually apprehended and prosecuted. This sequence was originally detailed in Stoll's well known article, "Stalking the Wily Hacker" [4]. Although the prime intruder, now known to be one Markus H., had begun his trans-Atlantic intrusions many months before, he did not come to Stoll's attention until August, 1986, when he attempted to penetrate a computer at Lawrence Berkeley Laboratory (LBL). Instead of denying the intruder access, management at LBL went along with Stoll's recommendation that they attempt to unmask him, even though the risk was substantial because the intruder had gained system-manager privileges.

The initial assumption that the intruder was a prankster enrolled at the nearby campus of the University of California made his detection more difficult; it was further assumed that it would not take long to track him down and that few other organizations had to be involved in the effort. In fact, the intruder turned out to be a foreigner attempting to garner classified information, even though none was supposed to be stored in any of the computers on the network attacked, MILNET. And many organizations, U.S. and West German, were eventually recruited into the trans-Atlantic tracing effort, which required much effort and coordination and took nearly a year.

Markus H. was an unusually persistent intruder, but no computer wizard. He made use of known deficiencies in the half-dozen or so operating systems, including UNIX, VMS, VM-TSO, and EMBOS, with which he was familiar, but he did not invent any new modes of entry. He was also very patient. For instance, he created an account with system privileges on an obscure gateway computer that he did not utilize for six months. In one instance, he was able to make good use of one of his Trojan horses created nearly a year prior, even though the original hole in the operating system through which he slipped had been patched in the interim.

How Persistence Paid Off

Markus H.'s overall penetration rate was low. By making so many attempts, however, he did penetrate a good number of computers. At the time there were 450 computers on MILNET; he penetrated 30. One reason for his success was widespread use of plain words as passwords. (Computer security consultant Dr. Harold Highland, professor emeritus, State University of New York, has claimed that about "... 40 passwords will let me into 80 percent of the Unix systems." He told of some users whose password is "password" [5].) Stoll's intruder gained entry by using such common account names as "root," "guest," "system," and "field." He often acquired currently logged-on account names by querying systems using "who" or "finger." Although Stoll rated this method of attack as "primitive," it was successful in five percent of attempts. The intrusions were also facilitated by users who left their passwords in their files.

When the intruder's guesses at passwords were not successful, he used his own personal computer to dicipher passwords that were left in publicly readable but encrypted form. He apparently worked backwards by encrypting familiar words and matching the encrypted versions with those he found in privileged files. The intruder was also helped inadvertently by one U.S. defense contractor that permitted those on its LAN to dial other computers at no charge to them. He merely intruded himself onto the LAN from afar.

The first suspicion of an intrusion arose when one of LBL's computers reported an accounting error. The accounting program could not balance its books, since an account had been opened incorrectly — it did not have a corresponding billing address. Even when the account was removed, the problem persisted: Someone acting as a system manager was attempting to modify accounting records.

To detect the intruder, line printers and recorders were connected to all incoming ports. By capturing all of the intruder's keystrokes, the tracers determined he was using a subtle "bug" in the GNU Emacs text editor to obtain system-manager privileges (see letter from the author of GNU Emacs following the Stoll article). Off-line monitors are not only invisible, even to an intruder with system privileges, but also they don't consume computer resources that might slow down other work. On-line monitors, which must use highly privileged software, might introduce new security holes. A valuable aid in analyzing the intruder's tactics was the keeping of a log book. The log book helped convince lawenforcement officers of the seriousness of the intrusions and eventually to bring about the prosecution of the intruder.

Because the intruder could access electronic-mail files, communications about security among those engaged in the tracing effort were confined to face-to-face meetings and the telephone. To disguise the tracing effort, false electronic-mail messages were created to reassure the intruder that he had not been detected. Preventing the intruder from detecting the tracing effort was important, because he showed himself to be very alert to discovery: Whenever he found a system manager logged on to a computer he was attempting to penetrate, he disconnected.

To trace the intruder and prevent him from causing great damage, it was important that he be detected in the act, not after the fact. Alarms were placed on all incoming ports. Once it was determined that the intruder always entered via X.25 ports, recording and alarms were confined to that port. If an intrusion was detected, an operator was alerted automatically via phone. By following the intruder's actions in real time, the operator could cut the intruder off if he attempted to delete files or damage the operating system. When he attacked sensitive computers or attempted to download sensitive files, line noise was inserted into the link. The off-line monitors also revealed that more than one intruder were attempting to enter LBL's computers.

A key move in tracing the intruder was keeping him on line for many minutes by permitting him to browse through a fictitious file that purportedly dealt with many of the classified matters identified as his prime targets. Usually, he wouldn't stay connected long enough to permit a trace. By monitoring the intruder on line, round-trip packet acknowledgements could be timed. When estimated average network delay times were translated into distances, an overseas origin was confirmed.

Lessons Applied

After the intruder was successfully traced, efforts were instituted to make LBL's computers less vulnerable. To insure high security, it would have been necessary, for instance, to change all passwords overnight and recertify each user. This and other demanding measures were deemed impractical. Instead, password expiration, deletion of all expired accounts, was instituted; shared accounts were eliminated; monitoring of incoming traffic was extended, with alarms set in key places; and education of users was attempted. They were warned not to choose passwords that were in the dictionary. However, random password assignment was not instituted, because users often stored such harder-to-remember passwords in command files or simply wrote them on their terminals. (The last is the same as leaving in one's open desk the written combination to the lock on a nearby file containing classified material.)

In "Stalking the Wily Hacker," Stoll faulted the manufacturers of computers and those who create operating systems. First, he complained that vendors distribute "weakly protected systems software." These systems came with default accounts and "backdoor entryways left over from software development." He further noted that at the time of the intrusions Berkeley UNIX did not offer optimal password security: It lacked both aging and expiration of passwords and password integrity depending solely on encryption. In contrast, other operating systems add access control and alarms to protect the password file. Plaintively, he asked: "When vendors do not see security as a selling point, how can we encourage them to distribute more secure systems?"

Stoll also faulted those who are responsible for operating computers for "sloppy systems management and administration." Because there are thousands of computers without systems administrators, who will fix the security flaws reported to them? And channel for reporting flaws are weak. He called for a central clearinghouse to "receive reports of problems, analyze their importance, and disseminate trustworthy solutions." As a result of the wily hacker incident, some nations did write new legislation to make remote computer intrusion a crime, whether or not damage was done.

Stoll Agonistes

Stoll agonized over the decision not to block the intrusions. The intruder might have caused real damage, such as erasing or modifying files. He could have planted viruses that would have damaged many hundreds, if not thousands, of systems. In the end Stoll was satisfied that the decision not to block proved right: It resulted in the unveiling and prosecution of a group of West Germans who had apparently offered themselves to the East Bloc — for money, in one instance to support a drug habit — as spies. During the tracing efforts, Stoll was able to alert those in charge of computers used by the military and defense contractors that an intruder was active. As a result, they tightened their security measures. Some had already detected the intrusions but had not mounted any tracing efforts or increased security.

The episode was summed up by Stoll as a powerful learning experience for those involved in the detection process and for all those concerned about computer security. That the intruder was caught at all is a testimony to the ability of a large number of concerned professionals to keep the tracing effort secret until he was caught. Destroyed was the naive assumption that intruders are student pranksters, as in the case of two of the three Australian hackers.

The three Australians also demonstrated that the procedures for reporting security flaws are faulty. Apparently, "Dave" had access to information circulated to systems managers warning them of security flaws in their systems. Dave was successful in penetrating systems by simply responding to the warnings faster than those legitimately warned [6].

Mel Mandell, who is the author of The Handbook of Business & Industrial Security, was formerly the editor of Computer Decisions.


  1. Stoll, C. The Cuckoo's Egg, Doubleday, 1989.
  2. Markoff, J. Arrests in computer break-ins show a global peril. New York Times (April 4, 1990).
  3. Alexander, M., and Booker, E. Internet interloper targets hacker critics. ComputerWorld (March 26, 1990). Reprinted in this volume.
  4. Stoll, C. Stalking the Wily Hacker. Commun. ACM (May 1988).
  5. Security letter (April 2, 1990).
  6. Markoff, J. Caller says he broke computers' barriers to taunt the experts. New York Times (March 21, 1990).
[Back to index] [Comments]
By accessing, viewing, downloading or otherwise using this content you agree to be bound by the Terms of Use! aka