Interesting People mailing list archives

It takes a computer hacker to catch one. (sent to me - I assume the author is Markoff)


From: David Farber <farber () central cis upenn edu>
Date: Thu, 16 Feb 1995 20:26:13 -0500

New York Times


RALEIGH, N.C. (8.59 p.m. 15 Feb 95) -- It takes a computer hacker to
catch one.


And if, as federal authorities contend, 31-year-old computer outlaw
Kevin D. Mitnick is the person behind a recent spree of break-ins to
dozens of corporate, university and personal computers on the global
Internet, his biggest mistake was raising the interest and ire of
Tsutomu Shimomura.


Shimomura, who is 30, is a computational physicist with a reputation
as a brilliant cyber-sleuth in the tightly knit community of
programmers and engineers who defend the country's computer networks.


And it was Shimomura who raised the alarm in the Internet world after
someone used sophisticated hacking techniques on Christmas Day to
remotely break into the computers he keeps in his beach cottage near
San Diego and steal thousands of his data files.


Almost from the moment Shimomura discovered the intrusion, he made it
his business to use his own considerable hacking skills to aid the
FBI's inquiry into the crime spree.


He set up stealth monitoring posts, and each night over the last few
weeks, Shimomura used software of his own devising to track the
intruder, who was prowling around the Internet. The activity usually
began around mid-afternoon, Eastern time, broke off in the early
evening, then resumed shortly after midnight and continued through
dawn.


Shimomura's monitoring efforts enabled investigators to watch as the
intruder commandeered telephone company switching centers, stole
computer files from Motorola, Apple Computer and other companies, and
copied 20,000 credit-card account numbers from a commercial computer
network used by some of the computer world's wealthiest and
technically savviest people.


And it was Shimomura who concluded last Saturday that the intruder was
probably Mitnick, whose whereabouts had been unknown since November
1992, and that he was operating from a cellular telephone network in
Raleigh, N.C.


Sunday morning, Shimomura took a flight from San Jose to
Raleigh-Durham International Airport. By 3 a.m. Monday, he had helped
local telephone company technicians and federal investigators use
cellular-frequency scanners to pinpoint Mitnick's location: a 12-unit
apartment building in the northwest Raleigh suburb of Duraleigh Hills.


Over the next 48 hours, as the FBI sent in a surveillance team from
Quantico, Va., obtained warrants and prepared for an arrest, cellular
telephone technicians from Sprint Corp. monitored the electronic
activities of the man they believed to be Mitnick.


The story of the investigation, particularly Shimomura's role, is a
tale of digital detective work in the ethereal world known as
cyberspace.




A COMPUTER SLEUTH BECOMES A VICTIM


On Christmas Day, Tsutomu Shimomura was in San Francisco, preparing to
make the four-hour drive to the Sierra Nevadas, where he spends most
of each winter as a volunteer on the cross-country ski patrol near
Lake Tahoe.


But the next day, before he could leave for the mountains, he received
an alarming telephone call from his colleagues at the San Diego
Supercomputer Center, the federally funded research center that
employs him. Someone had broken into his home computer, which was
connected to the center's computer network.


Shimomura returned to his beach cottage near San Diego, in Solana
Beach, Calif., where he found that hundreds of software programs and
files had been taken electronically from his powerful work station.
This was no random ransacking: the information would be useful to
anyone interested in breaching the security of computer networks or
cellular phone systems.


Taunting messages for Shimomura were also left in a computer-altered
voice on the Supercomputer Center's voice-mail system.


Almost immediately, Shimomura made two decisions. He was going to
track down the intruders. And Lake Tahoe would have to wait awhile
this year.


The Christmas attack exploited a flaw in the Internet's design by
fooling a target computer into believing that a message was coming
from a trusted source.


By masquerading as a familiar computer, an attacker can gain access to
protected computer resources and seize control of an otherwise
well-defended system. In this case, the attack had been started from a
commandeered computer at Loyola University of Chicago.
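The two paragraphs above say only that the target was fooled about where a message came from. The simulation below is an added illustration, not code from the article, from Shimomura or from the attacker: it models the generally known mechanism behind this class of attack, a server that trusts a peer purely by its source address, combined with a TCP stack whose initial sequence numbers can be predicted so that a blind attacker can finish the handshake without seeing the reply. That mechanism, the addresses, the ISN values and the command are assumptions of the example, not facts the article states.

```python
"""Why address-based trust fails against a blind, spoofed connection.

Added simulation; nothing here is taken from the article.  The predictable
initial-sequence-number (ISN) mechanism is the standard explanation for
spoofing a trusted peer and is an assumption of this example.
"""
import random

# Constructed addresses for the simulation.
TRUSTED_HOST = "10.0.0.5"        # the peer the target trusts by address alone
ATTACKER_HOST = "198.51.100.7"   # the attacker's real address


class Target:
    """A server that grants access to any peer whose source address is trusted,
    once a three-way handshake completes.  Authentication rests on the address
    alone, which is the design flaw the article alludes to."""

    def __init__(self, predictable_isn):
        self.predictable_isn = predictable_isn
        self.last_isn = 1_000_000      # constructed starting sequence number
        self.half_open = {}            # src address -> ISN we sent in our SYN-ACK
        self.established = set()
        self.executed = []             # commands run on behalf of trusted peers

    def _new_isn(self):
        # Old TCP stacks bumped the ISN by a fixed amount per connection, so one
        # sample was enough to predict the next one.  Random ISNs break that.
        if self.predictable_isn:
            self.last_isn += 64_000
            return self.last_isn
        return random.getrandbits(32)

    def syn(self, src):
        """SYN received.  The SYN-ACK carrying our ISN goes back to `src`; an
        attacker spoofing `src` never sees it."""
        isn = self._new_isn()
        self.half_open[src] = isn
        return isn

    def ack(self, src, ack_number):
        """Third packet of the handshake: accepted only if it acknowledges the
        ISN we sent, i.e. ack_number == ISN + 1."""
        isn = self.half_open.get(src)
        if isn is not None and ack_number == isn + 1:
            del self.half_open[src]
            self.established.add(src)
            return True
        return False

    def run(self, src, cmd):
        """Execute `cmd` if the connection is established and the address is trusted."""
        if src in self.established and src == TRUSTED_HOST:
            self.executed.append(cmd)
            return True
        return False


def blind_spoof(target):
    """Attacker's view: sample two ISNs with honest connections from its own
    address, then open a connection with the trusted host's address as the
    source and guess the ISN it cannot see."""
    first = target.syn(ATTACKER_HOST)
    target.ack(ATTACKER_HOST, first + 1)
    second = target.syn(ATTACKER_HOST)
    target.ack(ATTACKER_HOST, second + 1)
    step = second - first

    target.syn(TRUSTED_HOST)            # SYN-ACK goes to the real trusted host, not to us
    guessed_isn = second + step         # correct only if the ISN sequence is predictable
    if not target.ack(TRUSTED_HOST, guessed_isn + 1):
        return False
    # In a real network the trusted host would receive the unexpected SYN-ACK and
    # reset the connection unless it were unable to respond; not modelled here.
    return target.run(TRUSTED_HOST, "id")   # constructed command, stands in for any action


if __name__ == "__main__":
    print("predictable ISN:", blind_spoof(Target(predictable_isn=True)))
    print("random ISN:     ", blind_spoof(Target(predictable_isn=False)))
```

The point of the two runs is that the same address-based trust is present in both; only the randomness of the sequence number decides whether a peer who cannot see the reply can still pass for the trusted host.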


Though the vandal was deft enough to gain control of Shimomura's
computers, he, she or they had made a clumsy error. One of Shimomura's
machines routinely mailed a copy of several record-keeping files to a
safe computer elsewhere on the network -- a fact that the intruder did
not notice.


That led to an automatic warning to employees of the San Diego
Supercomputer Center that an attack was under way. This allowed the
center's staff to throw the burglar off the system, and it later
allowed Shimomura to reconstruct the attack.
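The article says only that a machine mailed copies of record-keeping files to a safe computer and that this produced an automatic warning. The check below is an added example of what the receiving side can do with such a copy; it is not the Supercomputer Center's actual mechanism. An honest log only grows, so an earlier off-site copy must still be an exact prefix of the current local file; anything else means the local file was truncated or edited. The log lines, hostname and addresses are constructed.

```python
"""Audit a local log against an earlier off-site copy.  Added example; the
mechanism and the sample lines are assumptions, not the article's."""

# Constructed lines in the shape of a login record; host and addresses are hypothetical.
OFFSITE_COPY = [
    "Dec 25 14:09:01 ws1 login: root from 10.0.0.5",
    "Dec 25 14:09:33 ws1 rshd: root@10.0.0.5 as root",
    "Dec 25 14:10:02 ws1 syslogd: restart",
]
LOCAL_CLEAN = OFFSITE_COPY + [
    "Dec 25 14:12:45 ws1 login: alice from 10.0.0.9",
]
LOCAL_TAMPERED = [          # the rshd line was removed while the file kept growing
    "Dec 25 14:09:01 ws1 login: root from 10.0.0.5",
    "Dec 25 14:10:02 ws1 syslogd: restart",
    "Dec 25 14:12:45 ws1 login: alice from 10.0.0.9",
]


def audit_against_offsite_copy(offsite, local):
    """Return a list of findings; empty means the local log is consistent with
    the off-site copy (the copy is an exact prefix of the local file)."""
    findings = []
    if len(local) < len(offsite):
        findings.append(
            f"local log shorter than off-site copy ({len(local)} < {len(offsite)} lines)"
        )
    for i, (want, have) in enumerate(zip(offsite, local)):
        if want != have:
            findings.append(
                f"first divergence at line {i + 1}: off-site {want!r}, local {have!r}"
            )
            break
    for line in offsite:
        if line not in local:
            findings.append(f"line present off-site but gone locally: {line!r}")
    return findings


if __name__ == "__main__":
    print("clean:   ", audit_against_offsite_copy(OFFSITE_COPY, LOCAL_CLEAN))
    print("tampered:", audit_against_offsite_copy(OFFSITE_COPY, LOCAL_TAMPERED))
```

The check only works because the copy lives on a host the intruder does not control; a copy on the compromised machine could be edited along with the original.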


In computer-security circles, Shimomura is a respected voice. Over the
years, software security tools that he has designed have made him a
valuable consultant not only to corporations, but also to the FBI, the
Air Force and the National Security Agency.




WATCHING AN ATTACK FROM A BACK ROOM


The first significant break in the case came on Jan. 28, after Bruce
Koball, a computer programmer in Berkeley, Calif., read a newspaper
account detailing the attack on Shimomura's computer.


The day before, Koball had received a puzzling message from the
managers of a commercial on-line service called the Well, in
Sausalito. Koball is an organizer for a public-policy group called
Computers, Freedom and Privacy, and the Well officials told him that
the group's directory of network files was taking up millions of bytes
of storage space, far more than the group was authorized to use.


That struck him as odd, because the group had made only minimal use of
the Well. But as he checked the group's directory on the Well, he
quickly realized that someone had broken in and filled it with
Shimomura's stolen files.


Well officials eventually called in Shimomura, who recruited a
colleague from the Supercomputer Center, Andrew Gross, and an
independent computer consultant, Julia Menapace.


Hidden in a back room at the Well's headquarters in an office building
near the Sausalito waterfront, the three experts set up a temporary
headquarters, attaching three laptop computers to the Well's internal
computer network.


Once Shimomura had established his monitoring system, the team had an
immediate advantage: it could watch the intruder unnoticed.


Though the identity of the attacker or attackers was unknown, within
days a profile emerged that seemed increasingly to fit a well-known
computer outlaw: Kevin D. Mitnick, who had been convicted in 1989 of
stealing software from Digital Equipment Corp.


Among the programs found at the Well and at stashes elsewhere on the
Internet was the software that controls the operations of cellular
telephones made by Motorola, NEC, Nokia, Novatel, Oki, Qualcomm and
other manufacturers. That would be consistent with the kind of
information of interest to Mitnick, who had first made his reputation
by hacking into telephone networks.


And the burglar operated with Mitnick's trademark derring-do. One
night, as the investigators watched electronically, the intruder broke
into the computer designed to protect Motorola Corp.'s internal
network from outside attack.


But one brazen act helped investigators. Shimomura's team, aided by
Mark Seiden, an expert in computer fire walls, discovered that someone
had obtained a copy of the credit-card numbers for 20,000 members of
Netcom Communications Inc., a service based in San Jose that provides
Internet access.


To get a closer look, the team moved its operation last Thursday to
Netcom's network operation center in San Jose.


Netcom's center proved to be a much better vantage point for watching
the intruder. To let its customers connect their computer modems to
its network with only a local telephone call, Netcom provides dozens
of computer dial-in lines in cities across the country.


Hacking into the long-distance network, the intruder was connecting a
computer to various dial-in sites to elude detection. Still, every
time the intruder would connect to the Netcom system, Shimomura was
able to capture the computer keystrokes.


Late last week, FBI surveillance agents in Los Angeles were almost
certain that the intruder was operating somewhere in Colorado. Yet
calls were also coming into the system from Minneapolis and Raleigh.


The big break came late last Saturday night in San Jose, as Shimomura
and Gross, red-eyed from a 36-hour monitoring session, were eating
pizza. Subpoenas issued by Kent Walker, the U.S. assistant attorney
general in San Francisco, had begun to yield results from telephone
company calling records.


And now came data from Walker showing that telephone calls had been
placed to Netcom's dial-in phone bank in Raleigh through a cellular
telephone modem.


The calls were moving through a local switching office operated by GTE
Corp. But GTE's records showed that the calls had looped through a
nearby cellular phone switch operated by Sprint.


Because of someone's clever manipulation of the network software, the
GTE switch thought that the call had come from the Sprint switch, and
the Sprint switch thought that the call had come from GTE. Neither
company had a record identifying the cellular phone.


When Shimomura called the number in Raleigh, he could hear it looping
around endlessly with a "clunk, clunk" sound. He called a Sprint
technician in Raleigh and spent five hours comparing Sprint's calling
records with the Netcom log-ins. It was nearly dawn in San Jose when
they determined that the cellular phone calls were being placed from
near the Raleigh-Durham International Airport.
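The five hours of comparing Sprint's calling records with the Netcom log-ins amount to a time-window join between two logs kept by different organizations. The code below is an added example of that correlation, not the records or the method Shimomura and the technician actually used: for each log-in it finds the cellular calls in progress at that moment, allowing some slack for clock differences, and ranks callers by how many log-ins their calls cover. The record layouts, identifiers, cell sites and timestamps are all constructed.

```python
"""Correlate carrier call records with ISP dial-in log-ins by time.  Added
example; records, field names and values are constructed."""
from datetime import datetime, timedelta

TS = "%Y-%m-%d %H:%M:%S"

# Constructed call records: (caller id, cell site, start, end).
CELL_CALLS = [
    ("MIN-0001", "site-A", "1995-02-11 23:58:10", "1995-02-12 00:47:02"),
    ("MIN-0002", "site-B", "1995-02-11 23:40:00", "1995-02-12 00:05:00"),
    ("MIN-0001", "site-A", "1995-02-12 01:12:40", "1995-02-12 03:30:15"),
    ("MIN-0003", "site-C", "1995-02-12 01:10:00", "1995-02-12 01:20:00"),
]
# Constructed dial-in log-ins: (port, login time).
NETCOM_LOGINS = [
    ("rdu-port-07", "1995-02-11 23:58:35"),
    ("rdu-port-03", "1995-02-12 01:13:05"),
    ("rdu-port-07", "1995-02-12 02:05:44"),
]


def correlate(calls, logins, slack=timedelta(seconds=60)):
    """For each log-in, find the calls in progress at that time (widened by
    `slack` on both ends for clock skew between the two companies) and count,
    per caller, how many distinct log-ins fall inside that caller's calls.
    Returns [(caller, hits, sorted cell sites)] ranked by hits."""
    hits = {}
    for _port, login_ts in logins:
        t = datetime.strptime(login_ts, TS)
        for caller, site, start, end in calls:
            s = datetime.strptime(start, TS) - slack
            e = datetime.strptime(end, TS) + slack
            if s <= t <= e:
                entry = hits.setdefault(caller, {"logins": set(), "sites": set()})
                entry["logins"].add(login_ts)
                entry["sites"].add(site)
    ranked = sorted(hits.items(), key=lambda kv: (-len(kv[1]["logins"]), kv[0]))
    return [(c, len(v["logins"]), sorted(v["sites"])) for c, v in ranked]


def best_match(calls, logins):
    """The single caller whose calls cover every log-in, or None when no caller
    covers them all or more than one does (too few log-ins to discriminate)."""
    full = [c for c, n, _ in correlate(calls, logins) if n == len(logins)]
    return full[0] if len(full) == 1 else None


if __name__ == "__main__":
    for row in correlate(CELL_CALLS, NETCOM_LOGINS):
        print(row)
    print("best match:", best_match(CELL_CALLS, NETCOM_LOGINS))
```

With a single log-in the first two callers both fit, which is why the real comparison needed a long run of log-ins before one caller, and one cell site, stood out.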


By 1 a.m. Monday, Shimomura was riding around Raleigh with a second
Sprint technician, who drove his own car so as not to attract
attention. From the passenger seat, Shimomura held a
cellular-frequency direction-finding antenna and watched a
signal-strength meter display its readings on a laptop computer
screen. Within 30 minutes the two had narrowed the site to the Players
Court apartment complex in Duraleigh Hills, three miles from the
airport.


At that point, it was time for law-enforcement officials to take over.
At 10 p.m. Monday, an FBI surveillance team arrived from Quantico, Va.


In order to obtain a search warrant it was necessary to determine a
precise apartment address. And although Shimomura had found the
apartment complex, pinning down the apartment was difficult because
the cellular signals were creating a radio echo from an adjacent
building. The FBI team set off with its own gear, driven by the Sprint
technician, who this time was using his family van.


On Tuesday evening, the agents had an address -- Apartment 202 -- and
at 8:30 p.m. a federal judge in Raleigh issued the warrant from his
home. At 2 a.m. Wednesday, while a cold rain fell in Raleigh, FBI
agents knocked on the door of Apartment 202.


It took Mitnick more than five minutes to open it. When he did, he
said he was on the phone with his lawyer. But when an agent took the
receiver, the line went dead.

