Kuckucksei

Item

Title
Kuckucksei
The Cuckoo's Egg
Description
Cliff Stoll's book about the hunt for the Pentagon hackers (English original and German translation)
list of authors
1989
Clifford Stoll
abstract
Clifford Stoll works at Lawrence Berkeley National Laboratory (LBNL) as an astronomer but, for lack of work, is transferred to the computing department, where he is to write programs for his former colleagues. When an accounting discrepancy of 75 cents is noticed, Stoll is asked to clear it up as a way of learning the ropes. Stoll actually succeeds in tracking down a hacker in the LBNL network and logging each of his sessions by means of a printer. In this way he witnesses successful and unsuccessful break-ins into numerous military computers. Since the FBI has no interest in the case, Stoll brings in the CIA, which however is not responsible, and the NSA too officially shows only moderate interest.
Once Stoll realizes that he can trace the hacker's connection back to its source, he starts Operation Showerhead: LBNL is supposedly responsible for SDINET, a network concerning the Strategic Defense Initiative, which the hacker frequently searches for. As a 'honeypot', Stoll creates files of very large volume, among them bureaucratic directives from his university in which he swaps the academic titles and forms of address for military ones (Dr. becomes Colonel, and so on). With the help of Steve White, an employee of the company Tymnet, which operates lines across the Atlantic, Stoll follows these long-lasting connections to Europe. In Germany, Wolfgang Hoffmann of the Deutsche Bundespost helps with the trace. A major problem is the relatively old switching technology in Germany. Because most exchanges in the USA are already digital, a "Malicious Call Identification" there can identify a caller within a few seconds. In Germany, however, a special analogue call trace (Fangschaltung) still has to be set up in the exchange concerned. Identifying the caller therefore takes many minutes, because a technician has to measure the originating circuit through the entire exchange. But the connection time is long enough for the Bundespost to trace the circuit and thus identify the caller.
The title of the book comes from the fact, reminiscent of a cuckoo's egg, that the hacker, who gains access to user accounts on various machines by systematically guessing passwords, obtains superuser (root) rights by a trick. He exploits a configuration error in the Emacs installation (the setuid movemail utility) and uses it to briefly replace a system program that processes certain files at regular intervals. He modifies this program so that he obtains root rights as soon as the file is processed again. Stoll describes this process as "hatching the cuckoo's egg".
Author Clifford Stoll, an astronomer by training, managed computers at Lawrence Berkeley National Laboratory (LBNL) in California. One day in 1986 his supervisor asked him to resolve an accounting error of 75 cents in the computer usage accounts. Stoll traced the error to an unauthorized user who had apparently used nine seconds of computer time and not paid for it. Stoll eventually realized that the unauthorized user was a hacker who had acquired superuser access to the LBNL system by exploiting a vulnerability in the movemail function of the original GNU Emacs.
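The privilege bug that the abstract and the paragraph above describe, as an added example that is neither the book's text nor GNU Emacs code: the shape of the flaw is modelled in Python. A mail helper needs elevated rights to read the system mail spool; if it also writes with those rights to a destination the caller chooses, any user can overwrite any file, including a program that a privileged daemon runs at regular intervals. The hardened version reads the spool first, then drops permanently to the real user id before the destination is created, so the caller's own permissions apply to it. The spool path, the stand-in for the periodically run program, and all file contents are made up for the demo.

```python
"""Added example (not from the book, not GNU Emacs code): the privilege bug
behind the "cuckoo's egg", modelled in Python. All paths and contents are
constructed for the demo."""
import os
import tempfile

# Constructed stand-in for what the hacker places into the system program.
PAYLOAD = "# hacker's replacement, executed with the daemon's privileges\n"


def _copy_fd(in_fd: int, out_fd: int) -> int:
    """Copy everything from in_fd to out_fd; returns the number of bytes written."""
    total = 0
    while True:
        chunk = os.read(in_fd, 65536)
        if not chunk:
            return total
        while chunk:                       # os.write may write less than asked
            n = os.write(out_fd, chunk)
            chunk = chunk[n:]
            total += n


def move_mail_vulnerable(spool_file: str, dest: str) -> int:
    """Every step runs with the helper's effective uid. If the helper is
    setuid root, `dest` may be any file on the machine: it is created or
    truncated and overwritten with the caller's data, no questions asked."""
    in_fd = os.open(spool_file, os.O_RDONLY)
    try:
        out_fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        try:
            return _copy_fd(in_fd, out_fd)
        finally:
            os.close(out_fd)
    finally:
        os.close(in_fd)


def move_mail_hardened(spool_file: str, dest: str) -> int:
    """Only the read of the spool uses elevated rights. Before `dest` is
    touched, the process drops to the real uid for good, and the
    destination is created with O_EXCL|O_NOFOLLOW so that an existing file
    or a planted symlink is never overwritten."""
    in_fd = os.open(spool_file, os.O_RDONLY)
    try:
        os.setuid(os.getuid())             # permanent drop; raises if it fails
        if os.geteuid() != os.getuid():
            raise PermissionError("privilege drop did not take effect")
        flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
        out_fd = os.open(dest, flags, 0o600)
        try:
            return _copy_fd(in_fd, out_fd)
        finally:
            os.close(out_fd)
    finally:
        os.close(in_fd)


def demo() -> dict:
    """Builds a throwaway 'system' in a temp dir and shows the difference:
    the vulnerable helper replaces the periodically run program, the
    hardened one refuses and only writes to a fresh file of the caller's."""
    with tempfile.TemporaryDirectory() as root:
        spool = os.path.join(root, "spool_mail_user")   # constructed: attacker-controlled input
        atrun = os.path.join(root, "usr_lib_atrun")     # constructed: stands in for the daemon-run program
        with open(spool, "w") as f:
            f.write(PAYLOAD)
        with open(atrun, "w") as f:
            f.write("#!/bin/sh\n# the legitimate system program\n")

        result = {}
        try:
            move_mail_hardened(spool, atrun)
            result["hardened_refused"] = False
        except FileExistsError:             # O_EXCL: existing program is not overwritten
            result["hardened_refused"] = True

        own_file = os.path.join(root, "inbox")
        result["hardened_wrote_own_file"] = move_mail_hardened(spool, own_file) > 0

        move_mail_vulnerable(spool, atrun)
        with open(atrun) as f:
            result["vulnerable_replaced_program"] = f.read() == PAYLOAD
        return result


if __name__ == "__main__":
    print(demo())
```

Outside a temp directory the two helpers differ only when the process really holds elevated rights; the demo makes the difference visible without root because the hardened variant also refuses to clobber an existing file, which is the property that would have protected the periodically run program.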

Early on, and over the course of a long weekend, Stoll rounded up fifty terminals, as well as teleprinters, mostly by “borrowing” them from the desks of co-workers away for the weekend. These he physically attached to the fifty incoming phone lines at LBNL. When the hacker dialed in that weekend, Stoll located the phone line used, which was coming from the Tymnet routing service. With the help of Tymnet, he eventually tracked the intrusion to a call center at MITRE, a defense contractor in McLean, Virginia. Over the next ten months, Stoll spent enormous amounts of time and effort tracing the hacker's origin. He saw that the hacker was using a 1200 baud connection and realized that the intrusion was coming through a telephone modem connection. Stoll's colleagues, Paul Murray and Lloyd Belknap, assisted with the phone lines.

After returning his “borrowed” terminals, Stoll left a teleprinter attached to the intrusion line in order to see and record everything the hacker did. He watched as the hacker sought – and sometimes gained – unauthorized access to military bases around the United States, looking for files that contained words such as “nuclear” or “SDI” (Strategic Defense Initiative). The hacker also copied password files (in order to run dictionary attacks against them) and set up Trojan horses to capture passwords. Stoll was amazed that on many of these high-security sites the hacker could easily guess passwords, since many system administrators had never bothered to change the passwords from their factory defaults. Even on military bases, the hacker was sometimes able to log in as “guest” with no password.
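A small detector over a session transcript of the kind Stoll's printer captured, as an added example that is not from the book. The log format and the session lines below are constructed for the example; the rules encode the behaviours the paragraph above lists (logging in as guest with no password, searching for “nuclear” or “SDI”, copying the password file, and writing a replacement into a system directory). The keyword list, the search and copy tools, and the system directories are assumptions made for the demo, not anything the page specifies.

```python
"""Added example, not from the book: flag intruder behaviour in a session
transcript. Log format, session lines, keyword list and directory list are
constructed for this example."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed transcript: "<time> login: ..." for logins, "<time> <user>$ <cmd>" for commands.
SESSION_LOG = """\
19:02:11 login: guest password: <none> result: OK
19:02:40 guest$ ls -la /usr/spool/mail
19:03:05 guest$ cat /etc/passwd > /tmp/.p
19:03:30 guest$ grep -i sdi /usr/lib/news/*
19:04:02 guest$ find / -name '*nuclear*' -print
19:05:10 guest$ cp /tmp/x /usr/lib/atrun
19:06:00 login: astro password: ******** result: OK
19:06:15 astro$ ls
"""

SENSITIVE_FILES = ("/etc/passwd",)                      # assumption: what counts as a password file
KEYWORDS = ("nuclear", "sdi")                           # the words the paragraph mentions
SYSTEM_DIRS = ("/etc/", "/bin/", "/usr/bin/", "/usr/lib/")  # assumption: where daemons' programs live
SEARCH_TOOLS = {"grep", "egrep", "find"}
WRITE_TOOLS = {"cp", "mv"}

LOGIN_RE = re.compile(
    r"^(?P<ts>\S+) login: (?P<user>\S+) password: (?P<pw>\S+) result: (?P<res>\w+)$")
CMD_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+)\$ (?P<cmd>.+)$")
# Whole-word match so that e.g. "sdisk" does not trip the SDI rule.
KEYWORD_RE = re.compile(r"\b(" + "|".join(KEYWORDS) + r")\b", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    line_no: int
    user: str
    rule: str
    detail: str


def analyse(log: str) -> list[Finding]:
    """Parse each transcript line and emit a Finding per rule that fires."""
    findings: list[Finding] = []
    for n, line in enumerate(log.splitlines(), start=1):
        m = LOGIN_RE.match(line)
        if m:
            if m["res"] == "OK" and m["pw"] == "<none>":
                findings.append(Finding(n, m["user"], "passwordless_login",
                                        f"{m['user']} logged in without a password"))
            continue
        m = CMD_RE.match(line)
        if not m:
            continue                        # printer noise, partial line, etc.
        user, cmd = m["user"], m["cmd"]
        argv = cmd.split()
        if any(path in argv for path in SENSITIVE_FILES):
            findings.append(Finding(n, user, "password_file_access", cmd))
        if argv and argv[0] in SEARCH_TOOLS and KEYWORD_RE.search(cmd):
            findings.append(Finding(n, user, "keyword_search", cmd))
        if (argv and argv[0] in WRITE_TOOLS and len(argv) >= 3
                and argv[-1].startswith(SYSTEM_DIRS)):
            findings.append(Finding(n, user, "system_program_write", cmd))
    return findings


def summarise(findings: list[Finding]) -> dict[str, int]:
    """Count findings per rule, the view an analyst scans first."""
    return dict(Counter(f.rule for f in findings))


if __name__ == "__main__":
    for f in analyse(SESSION_LOG):
        print(f"line {f.line_no:>2} {f.user:<6} {f.rule:<22} {f.detail}")
    print(summarise(analyse(SESSION_LOG)))
```

Real transcripts are far messier than the constructed one (line noise, half-typed commands, shell aliases), so in practice such rules are a triage aid that points a human at the sessions worth reading in full, which is how Stoll used his printouts.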

This was one of the first, if not the first, documented cases of a computer break-in, and Stoll seems to have been the first to keep a daily logbook of the hacker's activities. Over the course of his investigation, Stoll contacted various agents at the Federal Bureau of Investigation (FBI), the Central Intelligence Agency (CIA), the National Security Agency (NSA) and the United States Air Force Office of Special Investigations (OSI). At the very beginning there was confusion as to jurisdiction and a general reluctance to share information; the FBI in particular was uninterested, as no large sum of money was involved and no system holding classified information had been accessed.

Studying his logbook, Stoll saw that the hacker was familiar with VAX/VMS as well as AT&T Unix. He also noted that the hacker tended to be active around the middle of the day, Pacific time. Eventually Stoll hypothesized that, since long-distance modem calls are cheaper at night and most people have school or a day job and would only have much free time for hacking at night, the hacker was in a time zone some distance to the east, likely beyond the US East Coast.

With the help of Tymnet and agents from various agencies, Stoll found that the intrusion was coming from West Germany via satellite. The West German post office, the Deutsche Bundespost, had authority over the phone system there, and traced the calls to a university in Bremen. In order to entice the hacker to reveal himself, Stoll set up an elaborate hoax – known today as a honeypot – by inventing a fictitious department at LBNL that had supposedly been newly formed by an “SDI” contract, also fictitious. When he realized the hacker was particularly interested in the faux SDI entity, he filled the “SDInet” account (operated by an imaginary secretary named ‘Barbara Sherwin’) with large files full of impressive-sounding bureaucratese. The ploy worked, and the Deutsche Bundespost finally located the hacker at his home in Hanover. The hacker's name was Markus Hess, and he had been engaged for some years in selling the results of his hacking to the Soviet Union's intelligence agency, the KGB. There was ancillary proof of this when a Hungarian agent contacted the fictitious SDInet at LBNL by mail, based on information he could only have obtained through Hess. Apparently this was the KGB's method of double-checking whether Hess was just making up the information he was selling.

Stoll later flew to West Germany to testify at the trial of Hess.
Rights Holder
German edition: © 1989 S. Fischer Verlag GmbH, Frankfurt am Main
© 1989 Clifford Stoll
isbn
3-596-13984-8
Tag
KGB
Identifier
ark:/45490/bSi9jN