
[Before it is publicized, KM describes for Littman the Christmas 1994 attack on Shimomura's systems as a "TCP/IP prediction packet attack." (. . .) below are by Littman.]

Three days later, on January 23, Shimomura will describe the attack in a widely distributed public Internet post. IP source address spoofing and TCP/IP sequence number prediction are the technical terms Shimomura uses to describe it, much like Mitnick's description. But his analysis is extremely technical, and even some UNIX security experts find it tough going. That same day, about 2 P.M., CERT will blast out an advisory to its international mailing list of 12,000 Internet sites in the United States, Germany, Australia, the United Kingdom, Japan, and other countries. The vaguely worded report is much less specific than Mitnick's one-minute explanation on the telephone. Most likely, CERT is trying to provide enough detail so Internet sites can protect themselves against future attacks without providing so much detail that it could encourage copycat attacks.

On one level, the hack is simple, a clever strike at a basic weakness of the Internet. Computers on the Internet are often programmed to trust other computers. The Internet was created to share information, and the attack on Shimomura, just like the Robert Morris Internet Worm attack seven years before, exploits that trust. The Internet has its own way of sending e-mail or files. Messages or files are split into smaller digital chunks or packets, each with its own envelope and address. When each message is sent, it's like a flock of birds that migrates to a planned location and reunites as a flock at the destination. Computers on the Internet often act like great flocks of birds that trust one another too. And all it takes is one enemy bird to infiltrate the flock.

. . .

On Christmas Day 1994 the attack begins. First, the intruder breaks into a California Internet site that bears the cryptic name toad.com. Working from this machine, the intruder issues seven commands to see who's logged on to Shimomura's workstation, and if he's sharing files with other machines. Finger is one of the common UNIX commands the intruder uses to probe Shimomura's machine. As a security professional Shimomura should have disabled the feature. Finger is so commonly used by hackers to begin attacks that 75 percent of Internet sites, or about 15 million of the more than 20 million Internet users, block its function to increase security. The intruder's making judgment calls on the fly about which commands will help him uncover which machines Shimomura's workstation might trust. He works fast. In six minutes he deduces the pattern of trust between Shimomura's UNIX workstation and an unknown Internet server.

Then the automatic spoofing attack begins. It will all be over in sixteen seconds. The prediction packet attack program fires off a flurry of packets to busy out the trusted Internet server so it can't respond. Next, the program sends twenty more packets to Shimomura's UNIX workstation. The program is looking for a pattern in the initial sequence numbers -- the numbers used to acknowledge receipt of data during communications. The program deciphers the returned packets by subtracting each sequence number from the previous one. It notes that each new initial sequence number has grown by exactly 128,000. The program has unlocked the sequence number key. Shimomura's machine has to be idle for the attack to succeed. New Internet connections would change the initial sequence number and make it more difficult to predict the key. That's why the hacker attacks on Christmas Day.

The attack program sends packets that appear to be coming from the trusted machine. The packet's return or source address is the trusted machine's Internet address. Shimomura's workstation sends a packet back to the trusted machine with its initial sequence number. But flooded by the earlier flurry of packets, the trusted server is still trying to handle the earlier traffic. It's tangled up. Taking advantage of the gagged server, the attacking program sends a fake acknowledgment. It looks real because it's got the source address of the trusted server, and the correct initial sequence number. Shimomura's workstation is duped. It believes it's communicating with a trusted server. Now the attacking program tells Shimomura's obedient workstation to trust everyone. It issues the simple UNIX "Echo" command to instruct Shimomura's workstation to trust the entire Internet. At that point, Shimomura's personal and government files are open game to the world. It's more than a humiliating blow to the security expert. By making Shimomura's machine accessible from any Internet site, the intruder has masked his own location. He can return from anywhere. The hacker can't believe his good luck.

The attack is only successful because Shimomura has not disabled the "R" commands, three basic commands that allow users to remotely log in or execute programs without a password. Tens of thousands of security-conscious Internet sites, representing well over a million users, routinely block access to the R commands to avoid their well-publicized abuse by hackers. It takes a few keystrokes and about thirty seconds to shut off the R commands on an Internet server. You don't even have to turn off the machine. Why didn't Shimomura do it?

. . .

Mitnick laughs. "He's [Shimomura's] not happy. I have nothing to do with it. I'm just telling you what I hear through the grapevine."

[Littman] "Who do you think might have done it?" I ask the likely suspect. "How did he figure it out himself?"

"He [Shimomura] realized that somebody had edited his wrapper log, which shows incoming connections. Somebody actually modified those logs, and then he was able to reconstruct what happened through these logs that were mailed to another site unbeknownst to the intruder."

Mitnick's actually telling me the evidence Shimomura collected to figure out the attack. The wrapper is supposed to control connections to Shimomura's server and log all connection attempts. It failed to protect Shimomura but still it logged the hacker's spoofed connection, and a copy of the log was e-mailed off-site.

"So you were asking me if there's a secure e-mail site?" Mitnick continues, his voice suddenly hard. "My answer is no. This guy in my estimation is the brightest in security on the whole Internet. He blows people like Neil Clift away. I have a lot of respect for this guy. 'Cuz I know a lot about him. He doesn't know anything about me, hopefully, but he's good.

"On the Internet, he's one of the best in the world." [pp. 222-25]

-----

[KM] "I don't know what his motive is. I don't know the man at all. Alls I know is he's very technical and he's very good at what he does. He's in the top five."

[JL] "What makes Shimomura so good?"

[M] "When someone penetrates his system he knows what to look for. When you compile a program, it uses external files and libraries. This is the type of guy that would look at the access times of the files to try to figure out what type of program somebody was compiling. The guy's sharp."

On UNIX systems it's possible to tell the last time a file was read. Mitnick's guessing that Shimomura could determine the type of application that was compiled (converted into the computer's most basic machine language) by examining the date stamps in certain system directories. He's also acknowledging he knows that the intruder compiled a program while he was on Shimomura's machine. Once again, Kevin Mitnick seems to have an amazing amount of detail on how Shimomura analyzes an attack.

[M] "He's just very good at -- well, he's a spook. What do you expect? This is only what I hear in the grapevine."

...

[L] "But does the grapevine say he's primarily a spook?"

[M] "Unknown. He's good in security and he consults with companies like Trusted Information Systems, the people that develop Internet firewalls, and a lot of people in D.C. and the Virginia area."

Trusted Information -- the name strikes a bell. Markoff quoted someone from Trusted Information in his front-page "Data Threat" article.

[L] "Where is Trusted Information?"

[M] "Oh, in Maryland, 301 area code. Baltimore, I believe."

[L] "What are some of the Virginia companies Shimomura works with?"

[M] "I just have the phone numbers," Mitnick reveals casually. "I haven't called them yet to see." [pp. 252-53]

-----

Why not ask John Markoff about the real reason he called me twice this morning? So I ask him about the Shimomura Newsweek story, and the odd reference to cellular phones. He comes back with a stunning revelation.

"Somebody hit a different Tsutomu machine last summer and the NSA was pissed," Markoff tells me. "They freaked out. There's no question about it."

Why didn't he mention this in his New York Times stories? Why create the false appearance Shimomura was first hacked Christmas Day?

"But it was a different machine?" I ask.

"Am I being interviewed here?"

It strikes me as an odd question. Markoff was the one who called me twice in the space of an hour. Who's interviewing whom?

"Let's get on the same wavelength," Markoff suggests. "I'm glad to share this stuff with you, but I want to know where it's going to show up. 'Cuz I'm pretty close to Shimo and it's an issue for me."

Before I can respond, he starts talking about Shimomura again. "I wrote that profile of Tsutomu because after I mentioned him in the bottom of my story ["Data Threat"] I basically outed him and a million reporters were all over him."

"He wasn't happy about that?"

"No, Tsutomu loves it," Markoff says. "He's playing his own games.

"I'll tell you it's unclear what was taken [referring to the Christmas hack], and point two, I can send you a public posting by an Air Force information warfare guy who described what was taken and their assessment of the damage.

"And there are lots of little snips of code that a brilliant hacker could probably use. But Tsutomu's mind works in very cryptic ways. It's not clear that without Tsutomu you're going to be able to do anything with it.

"Now in this break-in I don't actually think a lot of stuff was taken."

This break-in? Just how many times was Shimomura hacked before Christmas? But I ask a different question.

"Why would an Air Force guy post something?"

"Oh, Tsutomu," Markoff casually replies. "He produced a lot of software for the Air Force."

"Where would he post this?"

"Oh, to a mailing list. A lot of people were concerned about what was taken from his [Shimomura's] machine. What they [the hacker] got was a lot of his electronic mail. Some of it's kind of embarrassing. [But] I don't think people are going to find new ways to attack the network based on this particular attack.

"There is another issue," Markoff cautions in a serious tone. "Tsutomu is a very sharp guy, and it is not impossible that that was a bait machine, which is why I stayed away from the issue."

Is Markoff implying Shimomura, a rumored NSA spy, laid a trap? And what about Markoff's New York Times articles? Were they part of the trap, too?

"Think about it for a second," Markoff pauses dramatically. "And you get into this wilderness-of-mirrors kind of world. And a lot of people that are writing don't know everything, and I don't know everything.

"I've been protecting him [Shimomura] for five years. I get the profile and the [Wall Street] Journal is on him. They don't know how close he is to the military. It would make perfect sense. Who knows what's on the code? The guy is in the counterintelligence business." [pp. 258-60]
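The excerpt above describes two host-side weaknesses: initial sequence numbers that grow by a fixed 128,000 per connection, and R-command trust files that can be made to trust the whole Internet. The following is an added example, my own code and not anything from Littman's book, Mitnick, or Shimomura's analysis, showing the checks a defender would run to find either condition on a host. The ISN values and the .rhosts text are constructed samples; the `.example` hostnames are placeholders.

```python
"""Defender-side audit for the two weaknesses the Littman excerpt describes.
(1) ISN predictability: sample the TCP initial sequence number the host
    hands out on successive connections and test for a constant step.
(2) Wildcard trust: scan .rhosts / hosts.equiv text for '+' entries.
All sample data below is constructed for this example."""
from typing import Dict, List, Optional, Tuple

ISN_MOD = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around


def isn_deltas(isns: List[int]) -> List[int]:
    """Differences between consecutive ISNs, taken modulo 2^32 so a wrap is handled."""
    return [(b - a) % ISN_MOD for a, b in zip(isns, isns[1:])]


def constant_step(isns: List[int], min_samples: int = 4) -> Optional[int]:
    """Return the increment if every consecutive delta is identical, else None.
    A fixed increment (128,000 in the 1994 case) means the next ISN is guessable."""
    if len(isns) < min_samples:
        return None
    deltas = isn_deltas(isns)
    return deltas[0] if all(d == deltas[0] for d in deltas) else None


def audit_isns(isns: List[int]) -> Dict[str, object]:
    """Summarise an ISN sample as a verdict a report can carry."""
    step = constant_step(isns)
    if step is not None:
        return {"verdict": "predictable", "step": step}
    return {"verdict": "no fixed step", "distinct_deltas": len(set(isn_deltas(isns)))}


def wildcard_trust_entries(text: str) -> List[Tuple[str, str]]:
    """(host, user) pairs in .rhosts / hosts.equiv text that grant wildcard trust:
    '+' in the host field trusts every host, '+' in the user field every user.
    A line consisting of '+ +' is the 'trust the entire Internet' state."""
    found = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        host = fields[0]
        user = fields[1] if len(fields) > 1 else ""
        if host == "+" or user == "+":
            found.append((host, user))
    return found


# Constructed samples (not captured data)
LINEAR_ISNS = [1382726960 + 128_000 * i for i in range(6)]  # fixed-step generator
RANDOM_ISNS = [2914351223, 1017893562, 3843905211, 562290488, 4027316015, 176249990]
RHOSTS_TEXT = (
    "# constructed /.rhosts for the example\n"
    "+ +\n"
    "workstation.example alice\n"
    "+ bob\n"
    "gateway.example +\n"
)

if __name__ == "__main__":
    print(audit_isns(LINEAR_ISNS))   # -> {'verdict': 'predictable', 'step': 128000}
    print(audit_isns(RANDOM_ISNS))
    print(wildcard_trust_entries(RHOSTS_TEXT))
```

The ISN check is the same observation the narrative attributes to the attacker, turned into a self-test: if your own stack passes it with a fixed step, anyone who can sample a few connections can do the same arithmetic. Modern stacks randomise ISNs along the lines of RFC 6528, so a clean result there is expected; the trust-file scan is the check that still finds real misconfigurations on hosts that keep rlogin/rsh enabled.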

On Sun, 7 Jan 1996, John Young wrote:
Quoting somebody: On Christmas Day 1994 the attack begins.
First, the intruder breaks into a California Internet site that bears the cryptic name toad.com. Working from this machine, the intruder issues seven commands to see who's logged on to Shimomura's workstation, and if he's sharing files with other machines.
From Shimomura's mail last January:
: The IP spoofing attack started at about 14:09:32 PST on 12/25/94. The first
: probes were from toad.com (this info derived from packet logs):
:
: 14:09:32 toad.com# finger -l @target
: 14:10:21 toad.com# finger -l @server
: 14:10:50 toad.com# finger -l root@server
: 14:11:07 toad.com# finger -l @x-terminal
: 14:11:38 toad.com# showmount -e x-terminal
: 14:11:49 toad.com# rpcinfo -p x-terminal
: 14:12:05 toad.com# finger -l root@x-terminal
Then the automatic spoofing attack begins. It will all be over in sixteen seconds. The prediction packet attack program fires off a flurry of packets to busy out the trusted Internet server so it can't respond. Next, the program sends twenty more packets to Shimomura's UNIX workstation.
Again, quoting Shimomura's mail:

: About six minutes later, we see a flurry of TCP SYNs (initial connection
: requests) from 130.92.6.97 to port 513 (login) on server...
: 130.92.6.97 appears to be a random (forged) unused address (one that will
: not generate any response to packets sent to it)...

Given that this was a _spoofing_ attack, mayhaps the packets from toad.com were also forgeries. Anyone in the know?

- PS

--
Ng Pheng Siong <ngps@pacific.net.sg>
NetCentre Pte Ltd * Singapore
Finger for PGP key.