Free Republic
Browse · Search
Topics · Post Article

Skip to comments.

Internet Attack Called Broad and Long Lasting by Investigators

Posted on 05/10/2005 12:36:20 AM PDT by FairOpinion

SAN FRANCISCO, May 9 - The incident seemed alarming enough: a breach of a Cisco Systems network in which an intruder seized programming instructions for many of the computers that control the flow of the Internet.

Now federal officials and computer security investigators have acknowledged that the Cisco break-in last year was only part of a more extensive operation - involving a single intruder or a small band, apparently based in Europe - in which thousands of computer systems were similarly penetrated.

Investigators in the United States and Europe say they have spent almost a year pursuing the case involving attacks on computer systems serving the American military, NASA and research laboratories.

The break-ins exploited security holes on those systems that the authorities say have now been plugged, and beyond the Cisco theft, it is not clear how much data was taken or destroyed. Still, the case illustrates the ease with which Internet-connected computers - even those of sophisticated corporate and government networks - can be penetrated, and also the difficulty in tracing those responsible.

Government investigators and other computer experts sometimes watched helplessly while monitoring the activity, unable to secure some systems as quickly as others were found compromised.

The case remains under investigation. But attention is focused on a 16-year-old in Uppsala, Sweden, who was charged in March with breaking into university computers in his hometown. Investigators in the American break-ins ultimately traced the intrusions back to the Uppsala university network.

The F.B.I. and the Swedish police said they were working together on the case, and one F.B.I. official said efforts in Britain and other countries were aimed at identifying accomplices. "As a result of recent actions" by law enforcement, an F.B.I. statement said, "the criminal activity appears to have stopped."

The Swedish authorities are examining computer equipment confiscated from the teenager, who was released to his parents' care. The matter is being treated as a juvenile case.

Investigators who described the break-ins did so on condition that they not be identified, saying that their continuing efforts could be jeopardized if their names, or in some cases their organizations, were disclosed.

Computer experts said the break-ins did not represent a fundamentally new kind of attack. Rather, they said, the primary intruder was particularly clever in the way he organized a system for automating the theft of computer log-ins and passwords, conducting attacks through a complicated maze of computers connected to the Internet in as many as seven countries.

The intrusions were first publicly reported in April 2004 when several of the nation's supercomputer laboratories acknowledged break-ins into computers connected to the TeraGrid, a high-speed data network serving those labs, which conduct unclassified research into a range of scientific problems.

The theft of the Cisco software was discovered last May when a small team of security specialists at the supercomputer laboratories, trying to investigate the intrusions there, watched electronically as passwords to Cisco's computers were compromised.

After discovering the passwords' theft, the security officials notified Cisco officials of the potential threat. But the company's software was taken almost immediately, before the company could respond.

Shortly after being stolen last May, a portion of the Cisco programming instructions appeared on a Russian Web site. With such information, sophisticated intruders would potentially be able to compromise security on router computers of Cisco customers running the affected programs.

There is no evidence that such use has occurred. "Cisco believes that the improper publication of this information does not create increased risk to customers' networks," the company said last week.

The crucial element in the password thefts that provided access at Cisco and elsewhere was the intruder's use of a corrupted version of a standard software program, SSH. The program is used in many computer research centers for a variety of tasks, ranging from administration of remote computers to data transfer over the Internet.

The intruder probed computers for vulnerabilities that allowed the installation of the corrupted program, known as a Trojan horse, in place of the legitimate program.

In many cases the corrupted program is distributed from a single computer and shared by tens or hundreds of users at a computing site, effectively making it possible for someone unleashing it to reel in large numbers of log-ins and passwords as they are entered.

Once passwords to the remote systems were obtained, an intruder could log in and use a variety of software "tool kits" to upgrade his privileges - known as gaining root access. That makes it possible to steal information and steal more passwords.

The operation took advantage of the vulnerability of Internet-connected computers whose security software had not been brought up to date.

In the Cisco case, the passwords to Cisco computers were sent from a compromised computer by a legitimate user unaware of the Trojan horse. The intruder captured the passwords and then used them to enter Cisco's computers and steal the programming instructions, according to the security investigators.

A security expert involved in the investigation speculated that the Cisco programming instructions were stolen as part of an effort to establish the intruder's credibility in online chat rooms he frequented.

Last May, the security investigators were able to install surveillance software on the University of Minnesota computer network when they discovered that an intruder was using it as a staging base for hundreds of Internet attacks. During a two-day period they watched as the intruder tried to break into more than 100 locations on the Internet and was successful in gaining root access to more than 50.

When possible, they alerted organizations that were victims of attacks, which would then shut out the intruder and patch their systems.

As the attacks were first noted in April 2004, a researcher at the University of California, Berkeley, found that her own computer had been invaded. The researcher, Wren Montgomery, began to receive taunting e-mail messages from someone going by the name Stakkato - now believed by the authorities to have been the primary intruder - who also boasted of breaking in to computers at military installations.

"Patuxent River totally closed their networks," he wrote in a message sent that month, referring to the Patuxent River Naval Air Station in Maryland. "They freaked out when I said I stole F-18 blueprints."

A Navy spokesman at Patuxent River, James Darcy, said Monday said that "if there was some sort of attempted breach on those addresses, it was not significant enough of an action to have generated a report."

Monte Marlin, a spokeswoman for the White Sands Missile Range in New Mexico, whose computers Stakkato also claimed to have breached, confirmed Monday that there had been "unauthorized access" but said, "The only information obtained was weather forecast information."

The messages also claimed an intrusion into seven computers serving NASA's Jet Propulsion Laboratory in Pasadena, Calif. A computer security expert investigating the case confirmed that computers at several NASA sites, including the propulsion laboratory, had been breached. A spokesman said the laboratory did not comment on computer breaches.

Ms. Montgomery, a graduate student in geophysics, said that in a fit of anger, Stakkato had erased her computer file directory and had destroyed a year and a half of her e-mail stored on a university computer.

She guessed that she might have provoked him by referring to him as a "quaint hacker" in a communication with system administrators, which he monitored.

"It was inconvenient," she said of the loss of her e-mail, "and it's the thing that seems to happen when you have malicious teenage hackers running around with no sense of ethics."


Walter Gibbs, in Oslo, and Heather Timmons, in London, contributed reporting for this article.

TOPICS: Front Page News; News/Current Events; Technical; War on Terror
KEYWORDS: 200503; cisco; ciscosystems; hackers; internet; internetattack; internetattacks; labs; military; nasa; stakkato; swede; sweden; teragrid; terrorweb; uppsala
"Investigators in the United States and Europe say they have spent almost a year pursuing the case involving attacks on computer systems serving the American military, NASA and research laboratories."
1 posted on 05/10/2005 12:36:20 AM PDT by FairOpinion
[ Post Reply | Private Reply | View Replies]

To: FairOpinion

This article makes no reference to potential terrorist connection, but there is an earlier article, from 2002, which discusses potential connections, and we don't know whether there is one here or not, but they say this was a much wider attack, than orginally thought.

Cyber-Attacks by Al Qaeda Feared.
Terrorists at Threshold of Using Internet as Tool of Bloodshed, Experts Say

June 27, 2002

Late last fall, Detective Chris Hsiung of the Mountain View, Calif., police department began investigating a suspicious pattern of surveillance against Silicon Valley computers. From the Middle East and South Asia, unknown browsers were exploring the digital systems used to manage Bay Area utilities and government offices. Hsiung, a specialist in high-technology crime, alerted the FBI's San Francisco computer intrusion squad.

Working with experts at the Lawrence Livermore National Laboratory, the FBI traced trails of a broader reconnaissance. A forensic summary of the investigation, prepared in the Defense Department, said the bureau found "multiple casings of sites" nationwide. Routed through telecommunications switches in Saudi Arabia, Indonesia and Pakistan, the visitors studied emergency telephone systems, electrical generation and transmission, water storage and distribution, nuclear power plants and gas facilities.

Some of the probes suggested planning for a conventional attack, U.S. officials said. But others homed in on a class of digital devices that allow remote control of services such as fire dispatch and of equipment such as pipelines. More information about those devices -- and how to program them -- turned up on al Qaeda computers seized this year, according to law enforcement and national security officials.

U.S. analysts believe that by disabling or taking command of the floodgates in a dam, for example, or of substations handling 300,000 volts of electric power, an intruder could use virtual tools to destroy real-world lives and property. They surmise, with limited evidence, that al Qaeda aims to employ those techniques in synchrony with "kinetic weapons" such as explosives.

2 posted on 05/10/2005 12:40:58 AM PDT by FairOpinion
[ Post Reply | Private Reply | To 1 | View Replies]

To: FairOpinion

Wow! Pretty amazing. It reminds me of the Russian gangs that use children and teens for this stuff. I suppose they are the best at it.

The vulnerability of the systems is mind-boggling.

3 posted on 05/10/2005 12:45:02 AM PDT by strategofr (One if by land, two if by sea, three if by the Internet)
[ Post Reply | Private Reply | To 1 | View Replies]

To: FairOpinion

ebay was messed up tonight (and as I looked at thier status, they've had problems recently).

Any big target can be taken down.

4 posted on 05/10/2005 12:48:09 AM PDT by weegee (WE FOUGHT ZOGBYISM November 2, 2004 - 60 Million Voters versus 60 Minutes - BUSH WINS!!!)
[ Post Reply | Private Reply | To 1 | View Replies]

To: weegee

I read that Google was down for a period of time on Saturday too.

5 posted on 05/10/2005 12:51:10 AM PDT by FairOpinion
[ Post Reply | Private Reply | To 4 | View Replies]

To: weegee

Google Knocked Offline Saturday, But Not A Hack (so the title says, but read the article)
May 9, 2005

Google was off-line for a short time Saturday evening due to an undisclosed DNS problem.
The search service was unavailable from 6:45 p.m. to 7:00 p.m. EDT, Saturday, May 7

Krane denied that the problem was caused by a hack or other attack, and only said it was related to the DNS, or Domain Name System. Some security firms have recently warned of DNS cache poisoning attacks as a way for phishers to make their identity thievery less detectable.

Talk of a hack was fueled by users who reported being diverted to during the Google outage. Additional investigation, however, found that that site had registered the domain, and when some browsers were unable to resolve, they tried

Other Google services, such as Gmail, were also offline for a time on Saturday.

6 posted on 05/10/2005 12:53:51 AM PDT by FairOpinion
[ Post Reply | Private Reply | To 4 | View Replies]

To: FairOpinion

Widespread Internet Attack Cripples Computers with Spyware

Experts say at least 20,000 PCs already have been affected. Is your company next?

April 21, 2005

An insidious new Internet attack that hijacks a victim's Internet connection and stealthily installs a barrage of adware and spyware is targeting businesses and organizations across the United States.

The two-pronged attack, which has been ongoing since early March, has afflicted an estimated 20,000 computers, according to Ken Dunham, director of malicious code at IDefense, a Virginia-based Internet security company.

It starts with an assault known as DNS poisoning: Domain name system servers, which guide Internet traffic, are fooled into directing anyone heading to any .com Web site--for example, or a malicious Web site that the attackers control. That Web site then surreptitiously installs a wide range of adware and spyware on the victim's computer.

Companies suffer from the attack in a number of ways. First, the Internet connection for anyone using the poisoned DNS server--often the entire company in the case of smaller businesses--is completely disrupted. All Web traffic and e-mail trying to go to any .com site gets hijacked for as long as the DNS server remains compromised.

Even after the DNS server is fixed, the company has to clean the adware and spyware from any affected computers, an onerous task that can keep IT people like David Parsons, who supports about 7000 people in his help-desk job at a Boston hospital, extremely busy. Parsons says his hospital was "slammed for about two days straight" by the DNS poisoning attacks starting March 29.

Dunham conservatively estimates that 3000 DNS servers at a range of U.S. companies, including at least two with more than 8000 employees, were compromised over the past month.

7 posted on 05/10/2005 12:57:10 AM PDT by FairOpinion
[ Post Reply | Private Reply | To 6 | View Replies]

To: FairOpinion

If these companies were smart they'd try to hire these hackers and pay them to find the security flaws in their systems.

8 posted on 05/10/2005 2:42:50 AM PDT by MisterRepublican
[ Post Reply | Private Reply | To 1 | View Replies]

To: FairOpinion

Problem is your source. Nothing the NY Times says can be trusted, they ahve lied to many times.

9 posted on 05/10/2005 4:33:38 AM PDT by newsgatherer
[ Post Reply | Private Reply | To 1 | View Replies]

To: FairOpinion; backhoe; piasa; Oorang; Velveeta; Godzilla

Note: The following text is a quote:

Swedish National Charged with Hacking and Theft of Trade Secrets Related to Alleged Computer Intrusions at NASA and Cisco

Philip Gabriel Pettersson, aka “Stakkato,” 21, a Swedish national, was indicted today on intrusion and trade secret theft charges.

The five-count indictment includes one intrusion count and two trade secret misappropriation counts involving Cisco Systems Inc. (Cisco), of San Jose, Calif., which is a provider of computer network equipment and producer of Internet routers. According to the allegations in the indictment Pettersson intentionally committed an intrusion between May 12, 2004, and May 13, 2004, into the computer system and network of Cisco. During the alleged intrusion some Cisco Internetwork Operating System code was allegedly misappropriated.

The indictment also charges two intrusion counts involving the National Aeronautics and Space Administration (NASA), including computers at the Ames Research Center and the NASA Advanced Supercomputing Division, located at Moffett Field, Calif. The indictment alleges Pettersson committed these intrusions on May 19, 2004, May 20, 2004 and Oct. 22, 2004.

Cisco and NASA cooperated in the government’s investigation. Following the incident, Cisco reported that it did not believe that any customer information, partner information or financial systems were affected.

The Department of Justice will continue to work cooperatively with the Swedish authorities on the case.

An indictment is merely an accusation. All defendants are presumed innocent until proven guilty at trial beyond a reasonable doubt. The maximum penalty for each charge of intrusion and theft of trade secrets is 10 years in prison, a three year term of supervised release, and a fine of $250,000.

The prosecution is the result of an investigation by the FBI; U.S. Secret Service; NASA Office of Inspector General, Office of Investigations, Computer Crimes Division; and numerous additional federal agencies. Mark L. Krotoski, presently at the Criminal Division’s Computer Crime and Intellectual Property Section (CCIPS), is prosecuting the case with the assistance of Paralegal Lauri Gomez and Assistant Netterie Lewis. CCIPS Senior Counsel Kimberly Peretti also assisted in the prosecution. The Criminal Division’s Office of International Affairs has assisted on international coordination issues in the case.



10 posted on 05/06/2009 12:49:45 AM PDT by Cindy
[ Post Reply | Private Reply | To 1 | View Replies]

To: Cindy

It is getting harder and harder for computer securty to keep ahead of the technology that enables it to be cracked.

11 posted on 05/06/2009 7:40:12 AM PDT by Godzilla (TEA: Taxed Enough Already)
[ Post Reply | Private Reply | To 10 | View Replies]

To: Godzilla

Yes, I agree.

12 posted on 05/06/2009 12:57:35 PM PDT by Cindy
[ Post Reply | Private Reply | To 11 | View Replies]

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.

Free Republic
Browse · Search
Topics · Post Article

FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794 is powered by software copyright 2000-2008 John Robinson