Stalking the Wily Hacker - Case Study Example

Stalking the Wily Hacker Introduction The Internet is a resource that has brought about massive changes in the way people live and organizations perform their activities. Although the Internet has improved the way business is conducted across the world, it has also been associated with several security risks. In many jurisdictions, such crimes as identity theft, Internet scams, hoaxes and virus attacks are not uncommon. Many organizations have suffered great losses as a result of security threats associated with Internet use. This paper will discuss one major security attack that occurred over the internet - the case of Lawrence Berkeley National Laboratory in California. Cliff Stoll, an astronomer became the Systems Manager at Lawrence Berkeley lab when a high percentage accounting error alerted him of the presence of an illegal user on his system. The hacker’s code name was ‘hunter’ – a strange invader hiding inside an electronic labyrinth, breaking into the United States computer systems and stealing confidential military and security information. Stoll initiated a vigorous hunt of the hacker, spying the spy, and plunging into an incredible international investigation that finally caught the attention of the U.S counter-intelligence agents. The ‘Stalking the Wily Hacker’ is a description of Cliff Stoll’s pursuit of a prominent security breach at Lawrence Berkeley Laboratories (LBL). The record demonstrates how the hacker avoided traces of his invasion. (Stoll,1989, p.26). The author was a manager at Lawrence Berkeley National Laboratory in California. In august 1986, he was requested by his supervisor to resolve an accounting error that had occurred ion the computer usage accounts. The hacker had spent nine seconds of unpaid computer time, an error that made him realize the hacker’s access to the LBL system. The hacker had interfered with the move mail functioning of the original GNU Emacs. Cliff worked tirelessly for a period of ten months and successfully realized that the hacker was using a 1200 baud connection and that the infringement was emanating from a telephone modem connection. Paul Murray and Lloyd Belknap, his colleagues helped with the phone lines. With the absence of desks of co-workers Cliff rounded up fifty terminals within a fortnight. He attached the teleprinters to the fifty incoming telephone lines (Chaturvedi, 2000, p18). During the fateful weekend, the hacker dialed from the Tymnet routing service. With Stoll at the Tymnet, he succeeded in using it to track the hacker’s disruption to a call centre at MITRE, a defense contractor in Virginia. After returning the borrowed terminals, he left the teleprinter attached to the intrusion line so as to record everything the cracker attempted. He recorded the hacker’s as he looked for, and sometimes managed to access the military bases around the U.S, searching for files with the words like ‘nuclear’ or ‘SDI’. The hacker copied password files and installed Trojan horses to search for passwords. The hacker could easily guess the real passwords because they contained dictionary words. System administrators were less interested in changing the passwords from their factory defaults which made the hacker easily log in as ‘guest’ with no password even on military bases. Stoll was amazed by this. Various agents like NSA, CIA, FBI, and Air Force OSI were contacted following the documentation of the ordeal as hacking. Some inconsistency arose regarding jurisdiction and a general unwillingness to share information. Stoll eventually realized that the hacker had full knowledge of VMS, AT&T Unix. He was also active at mid day, Pacific Time. Most people are known to be working or schooling at day time and spend much time surfing at night. Modems are also cheaper at night. With this knowledge in mind, Stoll decided to trace the hacker. The Tymnet together with other agents from various agencies made Stoll realize that disruption was emerging from West Germany through satellite. The calls were traced from Bremen University by German post office. An imaginary LBL department had been formed operated by an imaginary secretary, since the hacker was interested in SDI, as he logged in to the ‘SDInet’ account. The secretary had extensive files full of impressive- sounding bureaucratese (Stoll, 1989, pp. 23-24). The imaginary SDI contract succeeded and the Deutesche Bundespost, a German post office located the hacker at his residence in Hanover. He was identified as Markus Hess, and was engaged in selling his hacking ordeals to soviet KGB. Further evidence was given by a Hungarian spy who contacted the SDI net at LBL by mail, using the information he had gotten from Hess, a method employed by KGB to double check if Hess was cooking the information he was selling to them. Stoll later flew to Germany to testify during the trial of Hess and a confederate (Chaturvedi, 2000, p.18). Recent Cases Recent computer attacks have involved improper acquisition of resources like reading data, theft of programs, surreptitious modification and denials of service especially by authorized users. There is also masquerading as in one user impersonating another, bypassing intended controls by means of password attacks and misuse of trapdoors. These attacks typically exploit the system flaws or hidden circumventive features. Another crime is setting up subsequent abuses like Trojan horses, logic bombs or viruses. Carrying out hardware and media abuses like physical attacks on equipment and scavenging information from discarded media or electronic interference and eavesdropping have also been detected. Another example is using a computer system as an indirect assistance in committing criminal act, as in auto-dialing telephone numbers in search of answering modems, cracking another system’s encrypted password files, or running an illegal business for example computerizing drug operations (United States National Research Council, 1991, pp. 62-68). Security events like user activity logs, network intrusion detection system alerts, server logs and network device information are indispensable footprints, enabling spies to keep track of activity and detect security problems. Without valid vent sources, monitoring is such a pointless exercise meaning that there is no way to understand or find out lack of activity from unrecorded activity. In stalking the Wily hacker, there is possibility of a planned outage. Perhaps the sensor was placed under service or its SPAN disconnected from the router for arranged servicing There is a possibility of some malicious explanation of this story but with a lot of security monitoring, the explanation is likely mundane. Irrespective of the source of this outage, one will be blocked to security alerts while the sensor is offline. Little can be done on catching the problems of keeping downtime to minimum (Fry & Nystrom, 2009, p.147). Other gaps may be systems or network segments which managers are not aware of. If you have a fairly large network, it is probably not constant. New networks are being added on weekly or monthly basis which illustrates another blind spot. New network areas and new systems make security intrusions go unnoticed and managers are not collecting events from these systems. With the absence of these events, there is nothing to trigger alerts in the monitoring system. One cannot fill such gaps while looking out for substantive changes in the environment. Responding To Breaches of Security The computer industry can be expected to respond to clearly articulated security needs provided that such needs relate to a broad enough bases of customers. However, there is not a clear widely accepted articulation of how computer systems should be designed to support these controls, and what sort of skill is required in the mechanisms. As a result, customers for computer security are faced with ‘take-it-or-leave-it’ marketplace. Customers appear to demand password-based identification because it is available, not because it has been verified as providing sufficient protection (ITL Bulletins, 2012, p.10). Recovery method controls helps in responding to and not preventing a security breach. The use of recovery mechanism does not necessarily indicate a system shortcoming. For some threats, detection and recovery may be more cost effective than attempts of complete prevention. Recovering from a breach of security can be done through deploying disciplinary or legal action, identifying suspected compromised parties or changing policies. From a technical standpoint for example, a security breach is tantamount to failure that results from faulty equipment, software or operations. Definitely, some work will have to be done away with and some system will have to be formatted. Causes of security breaches must be located especially where passwords are compromised, backups dirty or user activity compromise the system by mistake. To prevent recurrence, initiating new passwords, rebuilding the system from original drafts, blocking some communication challenging or introducing identification procedures on them and undertaking user education are all effective (United States National Research Council, 1991, 62-68). Individual accountability is very important. People make mistakes, systems have errors and vulnerable to certain attacks. When all is not well, it is good to know what has happened and who the cause is. The information is on the basis of assessing damage, recovering lost information, evaluating vulnerabilities, initiating compensation actions such as legal prosecution. To support the principle of personal accountability, user authentication is required because it is vital underpinning of information security. Many systems have been intruded when weak or poorly administered security services have been compromised, for example guessing poorly chosen passwords as in the case of stalking the Wily hacker. Auditing also supports accountability given the reality that any computer system is vulnerable to compromise from within. Auditing devices are in most cases the initial attacker target and must be protected (Fry & Nystrom, 2009, p.147). Systems are subject to constant change since personnel and equipment come and goes and new applications come along. From a security perspective, a changing system is less likely to be improving the system. To employ an active ground against gradual deployment of security restrictions, a supplement of dynamically collected audit trial with static audits must be provided to check the configuration to verify that it is not osusceptible to attack. Static audit services checks that software has not changed, file access controls are properly set, obsolete user accounts have nit been turned off, incoming and outgoing communication lines are correctly enabled and passwords are hard to guess. An audit trial is analyzed for suspicious patterns of access and so detects behavior by both legitimate users and masqueraders (Anderson, 1997, p.23). Combating Security Threats To deploy an effective security monitoring, the systems manager is supposed to deploy the correct event sources, and monitor them to capture interruptions. In addition, you must keep watch for new systems installed into your environment to ensure proper recording of events. The most effective way of keeping event sources working reliably is by managing configurations on the devices themselves. A NIDS deployed passively requires a copy of network traffic through a router switch port analyzer (SPAN) Port., a Unix server hosting an Apache web server must be configured to log authentication events to an event collector through its Syslog configuration file. If a network engineer takes away a SPAN or a system administer overwrites the Syslog configuration settings, events feed will suddenly stop. It is therefore important to document agreements with device administrators. It is advisable to leverage an automated configuration system as an assurance that all systems are in consistent with proper configuration of sending events (Fry & Nystrom, 2009, p.147). To monitor network performance, you should program the commands to run at frequent intervals, benchmarking them against normal values. A NIDS is one of the required event sources for security monitoring. To function properly, a NIDS must have bidirectional visibility to the network segments it monitors, must be capable of inspecting each single packet on the wire. To maintain the NIDS, so as to have uninterrupted stream of events, ensure that various areas are in proper operation: monitor the traffic feeds, sensor processes and previous alerts produced to ensure that the NIDS is operating as set. Watch the ports feeding into the NIDS to ensure you are getting traffic into it. If the NIDS is configured via a SPAN port, watch the SPAN to ensure they are still pointed to the NIDS. Even if traffic is reaching the NIDS ensure it can process the events. Watch the sensor processes to ensure they are running properly (United States National Research Council, 1991, pp.62-63). Securing the Whole System Since security is such a sensitive issue, a security program needs to be multidimensional. These are integrity, confidentiality and availability. Confidentiality is needed to protect passwords for example. Technology alone cannot provide security. A Security program should be real and able to maintain the knowledge and dedication of all involved. Concern for privacy arises from the need to protect private information about people that is stored in computer systems. To ensure that databases keep a continuous flow of message, monitor the processes that record events in the database, and monitor storage locations for the events. Before building any, a device logging policy must be established to document expectations in which devices that must log events, event types to be logged, and whoever must have access to such logs. The heart of security monitoring involves configuring systems to record and collect security events (Kizza, 2007, p.60). Conclusion As can be seen from the security breach in the case of Lawrence Berkeley National Laboratory in California, it is beyond doubt that the Internet users are subject to security threats especially if there are no measures to protect their systems. What this means is that Internet users should be careful when utilizing the vital resource. Considering that prevention is better than cure, both organizations and individuals need to apply security measures such as passwords, anti-virus software, security policies, security benchmarks, network intrusion detection systems and data encryption. References Anderson, K., 1997. ‘Criminal Threats to Business on the Internet: A White Paper’, Global Technology Research, Inc. Chaturvedi, A., 2000., ‘Fighting The Wily Hacker: Modeling Information Security Issues For Online Financial Institutions Using The SEAS Environment’. INET JAPAN 2000 Conference. Fry, C. and Nystrom, M., 2009. Security Monitoring. New York: O’Reilly Media. Kizza, J., 2007. Ethical Issues in the Information Age. New York: Springer Stoll, C., 1989. Cuckoo’s Egg: Tracking a Spy through the Maze of Computer Espionage. Doubleday. United States National Research Council, 1991. Computers at Risk: Safe Computing In the Information Age. New York. National Academies Press. Read More