From: John Young <jya@pipeline.com>
To: cypherpunks@toad.com
Message Hash: 99c864ced2618c240e45d5e32f1b970d92274b75329d93309fd1a66bb1f55b00
Message ID: <199601072043.PAA14996@pipe4.nyc.pipeline.com>
Reply To: N/A
UTC Datetime: 1996-01-07 20:58:18 UTC
Raw Date: Mon, 8 Jan 1996 04:58:18 +0800
Subject: Toad Hop
[Before it is publicized, KM (Kevin Mitnick) describes for Littman the
Christmas 1994 attack on Shimomura's systems as a "TCP/IP
prediction packet attack." The ellipses (. . .) below are Littman's.]
Three days later, on January 23, Shimomura will describe
the attack in a widely distributed public Internet post. IP
source address spoofing and TCP/IP sequence number
prediction are the technical terms Shimomura uses to
describe it, much like Mitnick's description. But his
analysis is extremely technical, and even some UNIX
security experts find it tough going.
That same day, about 2 P.M., CERT will blast out an
advisory to its international mailing list of 12,000
Internet sites in the United States, Germany, Australia,
the United Kingdom, Japan, and other countries. The vaguely
worded report is much less specific than Mitnick's
one-minute explanation on the telephone. Most likely, CERT
is trying to provide enough detail so Internet sites can
protect themselves against future attacks without providing
so much detail that it could encourage copycat attacks.
On one level, the hack is simple, a clever strike at a
basic weakness of the Internet. Computers on the Internet
are often programmed to trust other computers. The Internet
was created to share information, and the attack on
Shimomura, just like the Robert Morris Internet Worm attack
seven years before, exploits that trust.
The Internet has its own way of sending e-mail or files.
Messages or files are split into smaller digital chunks or
packets, each with its own envelope and address. When each
message is sent, it's like a flock of birds that migrates
to a planned location and reunites as a flock at the
destination. Computers on the Internet often act like great
flocks of birds that trust one another too. And all it
takes is one enemy bird to infiltrate the flock.
. . .
On Christmas Day 1994 the attack begins.
First, the intruder breaks into a California Internet site
that bears the cryptic name toad.com. Working from this
machine, the intruder issues seven commands to see who's
logged on to Shimomura's workstation, and if he's sharing
files with other machines. Finger is one of the common UNIX
commands the intruder uses to probe Shimomura's machine. As
a security professional Shimomura should have disabled the
feature. Finger is so commonly used by hackers to begin
attacks that 75 percent of Internet sites, or about 15
million of the more than 20 million Internet users, block
its function to increase security.
The intruder's making judgment calls on the fly about which
commands will help him uncover which machines Shimomura's
workstation might trust. He works fast. In six minutes he
deduces the pattern of trust between Shimomura's UNIX
workstation and an unknown Internet server.
Then the automatic spoofing attack begins. It will all be
over in sixteen seconds. The prediction packet attack
program fires off a flurry of packets to busy out the
trusted Internet server so it can't respond. Next, the
program sends twenty more packets to Shimomura's UNIX
workstation.
The program is looking for a pattern in the initial
sequence numbers -- the numbers used to acknowledge receipt
of data during communications. The program deciphers the
returned packets by subtracting each sequence number from
the previous one. It notes that each new initial sequence
number has grown by exactly 128,000. The program has
unlocked the sequence number key.
Shimomura's machine has to be idle for the attack to
succeed. New Internet connections would change the initial
sequence number and make it more difficult to predict the
key. That's why the hacker attacks on Christmas Day.
The attack program sends packets that appear to be coming
from the trusted machine. The packet's return or source
address is the trusted machine's Internet address.
Shimomura's workstation sends a packet back to the trusted
machine with its initial sequence number. But flooded by
the earlier flurry of packets, the trusted server is still
trying to handle the earlier traffic. It's tangled up.
Taking advantage of the gagged server, the attacking
program sends a fake acknowledgment. It looks real because
it's got the source address of the trusted server, and the
correct initial sequence number. Shimomura's workstation is
duped. It believes it's communicating with a trusted
server.
Now the attacking program tells Shimomura's obedient
workstation to trust everyone. It issues the simple UNIX
"Echo" command to instruct Shimomura's workstation to trust
the entire Internet. At that point, Shimomura's personal
and government files are open game to the world. It's more
than a humiliating blow to the security expert. By making
Shimomura's machine accessible from any Internet site, the
intruder has masked his own location. He can return from
anywhere.
The hacker can't believe his good luck. The attack is only
successful because Shimomura has not disabled the "R"
commands, three basic commands that allow users to remotely
log in or execute programs without a password. Tens of
thousands of security-conscious Internet sites,
representing well over a million users, routinely block
access to the R commands to avoid their well-publicized abuse
by hackers.
It takes a few keystrokes and about thirty seconds to shut
off the R commands on an Internet server. You don't even
have to turn off the machine.
Why didn't Shimomura do it?
. . .
Mitnick laughs. "He's [Shimomura's] not happy. I have
nothing to do with it. I'm just telling you what I hear
through the grapevine."
[Littman] "Who do you think might have done it?" I ask
the likely suspect. "How did he figure it out himself?"
"He [Shimomura] realized that somebody had edited his
wrapper log, which shows incoming connections. Somebody
actually modified those logs, and then he was able to
reconstruct what happened through these logs that were
mailed to another site unbeknownst to the intruder."
Mitnick's actually telling me the evidence Shimomura
collected to figure out the attack. The wrapper is supposed
to control connections to Shimomura's server and log all
connection attempts. It failed to protect Shimomura but
still it logged the hacker's spoofed connection, and a copy
of the log was e-mailed off-site.
"So you were asking me if there's a secure e-mail site?"
Mitnick continues, his voice suddenly hard. "My answer is
no. This guy in my estimation is the brightest in security
on the whole Internet. He blows people like Neil Clift
away. I have a lot of respect for this guy. 'Cuz I know a
lot about him. He doesn't know anything about me,
hopefully, but he's good.
"On the Internet, he's one of the best in the world."
[pp. 222-25]
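The passage above describes the core of the attack: twenty probe connections, a constant 128,000 step between the initial sequence numbers, and a spoofed connection that exploits it. The following is an added example (not Littman's or Shimomura's code) that models that weak generator next to the RFC 1948/6528 style fix and runs the same audit against both; the addresses and the fixed-step generator are constructed, simplified models.

```python
import hashlib
import secrets
import time
MOD = 2**32  # TCP sequence numbers are 32-bit

def isn_deltas(isns):
    """Differences between consecutive observed ISNs, modulo 2^32."""
    return [(b - a) % MOD for a, b in zip(isns, isns[1:])]

def isn_is_predictable(isns):
    """Audit check: identical deltas mean one more probe reveals the next ISN."""
    deltas = isn_deltas(isns)
    return len(deltas) >= 2 and len(set(deltas)) == 1

def extrapolate_next(isns):
    """The next ISN a constant-step model would predict."""
    return (isns[-1] + isn_deltas(isns)[-1]) % MOD

class ConstantStepISN:
    """Model of the 1994-era generator in the text: previous ISN plus a fixed step."""
    def __init__(self, start=1_000_000, step=128_000):
        self.cur, self.step = start, step
    def next_isn(self, *four_tuple, now=None):  # ignores the connection identity
        self.cur = (self.cur + self.step) % MOD
        return self.cur

class HashedISN:
    """RFC 1948 / RFC 6528 style fix: ISN = M + F(src, sport, dst, dport, secret).
    Probes on the attacker's own connections then say nothing about the ISN the
    server hands to a connection that claims to come from the trusted host."""
    def __init__(self, secret=None):
        self.secret = secret or secrets.token_bytes(16)
    def next_isn(self, src, sport, dst, dport, now=None):
        t = now if now is not None else time.monotonic()
        m = int(t * 250_000) % MOD  # M: RFC 793's 4-microsecond clock
        f = hashlib.sha256(f"{src}:{sport}:{dst}:{dport}".encode() + self.secret).digest()
        return (m + int.from_bytes(f[:4], "big")) % MOD

def audit(gen, attacker="192.0.2.10", server="192.0.2.1", trusted="192.0.2.2", now=0):
    """Replay the 20-probe pattern from the text, then check whether the extrapolated
    ISN matches the one given to a spoofed trusted-host rlogin (port 513) connection.
    Addresses are constructed documentation-range values."""
    probes = [gen.next_isn(attacker, 40_000 + i, server, 513, now=now) for i in range(20)]
    guess = extrapolate_next(probes)
    actual = gen.next_isn(trusted, 1023, server, 513, now=now)
    return {"predictable": isn_is_predictable(probes), "guess_matches": guess == actual}

if __name__ == "__main__":
    print("constant step:", audit(ConstantStepISN()))  # {'predictable': True, 'guess_matches': True}
    print("hashed (RFC 6528):", audit(HashedISN()))    # both False
```

The same delta check is what sequence-predictability scanners report for a host, so it doubles as a quick test of an unfamiliar stack; modern operating systems all pass it.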
-----
[KM] "I don't know what his motive is. I don't know
the man at all. Alls I know is he's very technical and he's
very good at what he does. He's in the top five."
[JL] "What makes Shimomura so good?"
[M] "When someone penetrates his system he knows what to
look for. When you compile a program, it uses external
files and libraries. This is the type of guy that would
look at the access times of the files to try to figure out
what type of program somebody was compiling. The guy's
sharp."
On UNIX systems it's possible to tell the last time a file
was read. Mitnick's guessing that Shimomura could determine
the type of application that was compiled (converted into
the computer's most basic machine language) by examining
the date stamps in certain system directories. He's also
acknowledging he knows that the intruder compiled a program
while he was on Shimomura's machine.
Once again, Kevin Mitnick seems to have an amazing amount
of detail on how Shimomura analyzes an attack.
[M] "He's just very good at -- well, he's a spook. What do
you expect? This is only what I hear in the grapevine." ...
[L] "But does the grapevine say he's primarily a spook?"
[M] "Unknown. He's good in security and he consults with
companies like Trusted Information Systems, the people that
develop Internet fire walls, and a lot of people in D.C.
and the Virginia area."
Trusted Information -- the name strikes a bell. Markoff
quoted someone from Trusted Information in his front-page
"Data Threat" article.
[L] "Where is Trusted Information?"
[M] "Oh, in Maryland, 301 area code. Baltimore, I believe."
[L] "What are some of the Virginia companies Shimomura
works with?"
[M] "I just have the phone numbers," Mitnick reveals
casually. "I haven't called them yet to see."
[pp. 252-53]
-----
Why not ask John Markoff about the real reason he called me
twice this morning?
So I ask him about the Shimomura Newsweek story, and the
odd reference to cellular phones. He comes back with a
stunning revelation.
"Somebody hit a different Tsutomu machine last summer and
the NSA was pissed," Markoff tells me. "They freaked out.
There's no question about it."
Why didn't he mention this in his New York Times stories?
Why create the false appearance Shimomura was first hacked
Christmas Day?
"But it was a different machine?" I ask.
"Am I being interviewed here?"
It strikes me as an odd question. Markoff was the one who
called me twice in the space of an hour. Who's interviewing
whom?
"Let's get on the same wavelength," Markoff suggests. "I'm
glad to share this stuff with you, but I want to know where
it's going to show up. 'Cuz I'm pretty close to Shimo and
it's an issue for me."
Before I can respond, he starts talking about Shimomura
again.
"I wrote that profile of Tsutomu because after I mentioned
him in the bottom of my story ["Data Threat"] I basically
outed him and a million reporters were all over him."
"He wasn't happy about that?"
"No, Tsutomu loves it," Markoff says. "He's playing his own
games.
"I'll tell you it's unclear what was taken [referring to
the Christmas hack], and point two, I can send you a public
posting by an Air Force information warfare guy who
described what was taken and their assessment of the
damage.
"And there are lots of little snips of code that a
brilliant hacker could probably use. But Tsutomu's mind
works in very cryptic ways. It's not clear that without
Tsutomu you're going to be able to do anything with it.
"Now in this break-in I don't actually think a lot of stuff
was taken."
This break-in? Just how many times was Shimomura hacked
before Christmas?
But I ask a different question. "Why would an Air Force guy
post something?"
"Oh, Tsutomu," Markoff casually replies. "He produced a lot
of software for the Air Force."
"Where would he post this?"
"Oh, to a mailing list. A lot of people were concerned
about what was taken from his [Shimomura's] machine. What
they [the hacker] got was a lot of his electronic mail.
Some of it's kind of embarrassing. [But] I don't think
people are going to find new ways to attack the network
based on this particular attack.
"There is another issue," Markoff cautions in a serious
tone.
"Tsutomu is a very sharp guy, and it is not impossible that
that was a bait machine, which is why I stayed away from
the issue."
Is Markoff implying Shimomura, a rumored NSA spy, laid a
trap? And what about Markoff's New York Times articles?
Were they part of the trap, too?
"Think about it for a second," Markoff pauses dramatically.
"And you get into this wilderness-of-mirrors kind of world.
And a lot of people that are writing don't know everything,
and I don't know everything.
"I've been protecting him [Shimomura] for five years. I get
the profile and the [Wall Street] Journal is on him. They
don't know how close he is to the military. It would make
perfect sense. Who knows what's on the code? The guy is in
the counterintelligence business."
[pp. 258-60]