Roanoke Times Copyright (c) 1995, Landmark Communications, Inc. DATE: FRIDAY, February 17, 1995 TAG: 9502180041 SECTION: NATL/INTL PAGE: A1 EDITION: METRO SOURCE: JOHN MARKOFF THE NEW YORK TIMES DATELINE: RALEIGH, N. C. LENGTH: Long
It takes a computer hacker to catch one.
And if, as federal authorities contend, 31-year-old computer outlaw Kevin D. Mitnick is the person behind a recent spree of break-ins to dozens of corporate, university and personal computers on the global Internet, his biggest mistake was raising the interest and ire of Tsutomu Shimomura.
Shimomura, 30, is a computational physicist with a reputation as a brilliant cyber-sleuth in the tightly knit community of programmers and engineers who defend the country's computer networks.
And it was Shimomura who raised the alarm in the Internet world after someone used sophisticated hacking techniques on Christmas Day to remotely break into the computers he keeps in his beach cottage near San Diego and steal thousands of his data files.
Almost from the moment Shimomura discovered the intrusion, he made it his business to use his own considerable hacking skills to aid the FBI's inquiry into the crime spree.
He set up stealth monitoring posts, and each night over the last few weeks, Shimomura used software of his own devising to track the intruder, who was prowling around the Internet. The activity usually began around midafternoon, Eastern time, broke off in the early evening, then resumed shortly after midnight and continued through dawn.
Shimomura's monitoring efforts enabled investigators to watch as the intruder commandeered telephone company switching centers, stole computer files from Motorola, Apple Computer and other companies, and copied 20,000 credit-card account numbers from a commercial computer network used by some of the computer world's wealthiest and technically savviest people.
And it was Shimomura who concluded last Saturday that the intruder was probably Mitnick, who uses the code name "Condor" from a movie starring Robert Redford as a man on the run from the government.
Shimomura decided Mitnick was operating from a cellular telephone network in Raleigh, N.C. Mitnick's whereabouts had been unknown since November 1992, when he fled as the FBI showed up at a California private investigations firm where he was working. The agents were investigating break-ins to telephone-company computers.
Sunday morning, Shimomura took a flight from San Jose to Raleigh-Durham International Airport. By 3 a.m. Monday, he had helped local telephone company technicians and federal investigators use cellular-frequency scanners to pinpoint Mitnick's location: a 12-unit apartment building in the northwest Raleigh suburb of Duraleigh Hills.
Over the next 48 hours, as the FBI sent in a surveillance team from Quantico, Va., obtained warrants and prepared for an arrest, cellular telephone technicians from Sprint Corp. monitored the electronic activities of the man they believed to be Mitnick.
The story of the investigation, and particularly Shimomura's role in it, is a tale of digital detective work in the ethereal world known as cyberspace.
Sleuth becomes victim
On Christmas Day, Shimomura was in San Francisco, preparing to make the four-hour drive to the Sierra Nevadas, where he spends most of each winter as a volunteer on the cross-country ski patrol near Lake Tahoe.
But the next day, before he could leave for the mountains, he received an alarming telephone call from his colleagues at the San Diego Supercomputer Center, the federally funded research center that employs him. Someone had broken into his home computer, which was connected to the center's computer network.
Shimomura returned to his beach cottage near San Diego, in Solana Beach, Calif., where he found that hundreds of software programs and files had been taken electronically from his powerful work station. This was no random ransacking: the information would be useful to anyone interested in breaching the security of computer networks or cellular phone systems.
Taunting messages for Shimomura had been left in a computer-altered voice on the Supercomputer Center's voice-mail system.
Almost immediately, Shimomura made two decisions. He was going to track down the intruders. And Lake Tahoe would have to wait awhile this year.
The Christmas attack exploited a flaw in the Internet's design by fooling a target computer into believing that a message was coming from a trusted source.
In this case, the attack had been started from a commandeered computer at Loyola University of Chicago.
The vandal made a clumsy error, though. One of Shimomura's machines routinely mailed a copy of several record-keeping files to a safe computer elsewhere on the network - a fact that the intruder did not notice.
That led to an automatic warning to employees of the San Diego Supercomputer Center that an attack was under way. This allowed the center's staff to throw the burglar off the system, and it later allowed Shimomura to reconstruct the attack.
In computer-security circles, Shimomura is a respected voice. Over the years, security tools he has designed have made him a valuable consultant to corporations, and also to the FBI, the Air Force and the National Security Agency.
Laptop stakeout
The first significant break came on Jan. 28, after Bruce Koball, a computer programmer in Berkeley, Calif., read a newspaper account detailing the attack on Shimomura's computer.
The day before, Koball had learned from managers of a commercial on-line service called the Well that his public-policy group called Computers, Freedom and Privacy was taking up millions of bytes of storage space, far more than it was authorized to use.
As Koball checked the group's directory on the Well, he quickly realized that someone had broken in and filled it with Shimomura's stolen files.
Well officials eventually called in Shimomura, who recruited a colleague from the Supercomputer Center, Andrew Gross, and an independent computer consultant, Julia Menapace.
Hidden in a back room at the Well's headquarters, the three experts set up a temporary headquarters, attaching three laptop computers to the Well's internal computer network.
The team had an immediate advantage: It could watch the intruder unnoticed.
Though the identity of the attacker was unknown, within days a profile emerged that seemed increasingly to fit a well-known computer outlaw: Kevin D. Mitnick, who had been convicted of stealing software from Digital Equipment Corp.
Among the programs found at the Well and at stashes elsewhere on the Internet was the software that controls the operations of cellular telephones made by Motorola, NEC, Nokia, Novatel, Oki, Qualcomm and other manufacturers. That was consistent with information of interest to Mitnick, who had made his reputation by hacking into telephone networks.
The burglar operated with Mitnick's trademark derring-do. One night, as the investigators watched electronically, the intruder broke into the computer designed to protect Motorola Corp.'s internal network from outside attack.
But one brazen act helped investigators. Shimomura's team discovered that someone had obtained a copy of the credit-card numbers for 20,000 members of Netcom Communications Inc., a service in San Jose that provides Internet access.
To get a closer look, the team moved its operation last Thursday to Netcom's operation center.
Netcom was a much better vantage point for watching the intruder. To let customers connect their modems to its network with a local telephone call, Netcom provides dozens of dial-in lines in cities across the country.
Hacking into the long-distance network, the intruder was connecting a computer to various dial-in sites to elude detection. Still, every time the intruder connected to the Netcom system, Shimomura captured the computer keystrokes.
The big break came late Saturday night in San Jose, as Shimomura and Gross, red-eyed from a 36-hour monitoring session, were eating pizza. Subpoenas issued by Kent Walker, the U.S. assistant attorney general in San Francisco, had begun to yield results from telephone company calling records.
And now came data from Walker showing that telephone calls had been placed to Netcom's dial-in phone bank in Raleigh through a cellular telephone modem.
The calls were moving through a local switching office operated by GTE Corp. But GTE's records showed that the calls had looped through a nearby cellular phone switch operated by Sprint.
Because of someone's manipulation of the network software, the GTE switch thought the call had come from the Sprint switch, and the Sprint switch thought that the call had come from GTE. Neither company had a record identifying the cellular phone.
When Shimomura called the number in Raleigh, he could hear it looping around endlessly with a "clunk, clunk" sound. He called a Sprint technician in Raleigh and spent five hours comparing Sprint's calling records with the Netcom log-ins. It was nearly dawn in San Jose when they determined that the cellular phone calls were being placed from near the Raleigh-Durham International Airport.
By 1 a.m. Monday, Shimomura was riding around Raleigh with a second Sprint technician, who drove his own car so as not to attract attention. In the passenger seat, Shimomura held a cellular-frequency direction-finding antenna and watched a signal-strength meter display its readings on a laptop computer. Within 30 minutes the two had narrowed the site to the Players Court apartments in Duraleigh Hills, three miles from the airport.
It was time for law-enforcement officials to take over. At 10 p.m. Monday, an FBI surveillance team arrived from Quantico.
To obtain a search warrant, it was necessary to determine a precise apartment address. The FBI team set off with its own gear, driven by the Sprint technician, who this time was using his family van.
On Tuesday evening, the agents had an address - Apartment 202, where Mitnick was living alone under a false name.
At 8:30 p.m. a federal judge in Raleigh issued the warrant from his home. At 2 a.m. Wednesday, while a cold rain fell, FBI agents knocked on the door of Apartment 202.
After five minutes, Mitnick opened the door.
He was arraigned Wednesday on charges of violating the terms of his probation from a previous hacking conviction, as well as new charges of computer fraud originating in North Carolina.
"He's an electronic terrorist," said a onetime friend who turned Mitnick in to authorities in 1988.
His escapades began in high school, where he learned to hack into the Los Angeles School District's main computers. Eventually, he broke into a North American Air Defense Command computer in Colorado Springs, Colo.
The threat that Mitnick posed was described in a recent circular distributed by U.S. marshals to federal authorities pursuing him:
"Please be aware that if Mitnick is taken into custody, he possesses an amazing ability to disrupt one's personal life through his computer knowledge."