551 2006 3

Transcript of 551 2006 3

Page 1

Kevin Mitnick, “The World’s Most Famous Hacker”
Presenters: Eric Caspary and Bill Giallourakis

Page 2

The Kevin Mitnick/Tsutomu Shimomura Affair
Presenter: Bill Giallourakis

Page 3

The Players

- Kevin Mitnick: an accomplished hacker; had already been arrested for various computer crimes
- Tsutomu Shimomura: computer security researcher working at the San Diego Supercomputer Center

Page 4

The Target

- Tsutomu’s computers in San Diego
- Ariel: contained research and technology information about computer security and cellular technology
- This information could be used to anonymously break into many other systems
- Note: the hacker previously tried to get this cellular technology from another system, but failed

Page 5

The Attack

- Took place on Christmas Day, 1994
- Mitnick remotely took control of a PC at Toad.com
- He used this PC to launch the attack
- Note: ironically, Tsutomu was spending time with a friend at Toad Hall during the exact time the hacker took over the computer and attacked his systems

Page 6

Attack Details

- Two different attack mechanisms were used:
  - IP source address spoofing
  - TCP sequence number prediction
- Gained access to an X terminal workstation
- Mitnick got root access
- Hijacked an existing connection and got access to the rest of the system

Page 7

The Defense, Part 1

- Shimomura did not have a firewall: thought they were too restrictive
- Used encryption
- Used a set of log files to track activity on his machines: logs emailed to a research assistant to check for intrusions
- During the break-in, Mitnick deleted the log file to cover his tracks

Page 8

The Defense, Part 2

- After the attack, the log files were emailed to the research assistant
- An automated process compared all log files mathematically with one another
- An inconsistency was found and the assistant contacted Shimomura
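Added example, not from the presentation: one way to automate the comparison described on Pages 7 and 8, checking an off-host log copy against the log still on the machine. The sample log lines are constructed; the hash-chain approach is an assumption about how such a check could be built, not a description of Shimomura's scripts.

```python
import hashlib

# Constructed sample: the copy mailed off-host before the break-in, and the
# on-host log found afterwards, from which lines were removed.
SHIPPED_COPY = [
    "Dec 25 14:09:32 ariel login: ROOT LOGIN console",
    "Dec 25 14:10:21 ariel tcpdump: 6 probes from external host",
    "Dec 25 14:11:05 ariel rshd: connection from x-terminal",
]
LOCAL_AFTER = [
    "Dec 25 14:09:32 ariel login: ROOT LOGIN console",
]


def chain_digest(lines):
    """Hash-chain the log: each digest covers every earlier line, so the
    digest of any prefix can be recomputed from an independent copy."""
    digest = b""
    for line in lines:
        digest = hashlib.sha256(digest + line.encode()).digest()
    return digest.hex()


def check_log_integrity(shipped, local):
    """Compare the off-host copy with the on-host log.

    A healthy log only grows, so the shipped copy must be a prefix of the
    local one. Returns (status, detail) with status 'ok', 'truncated'
    (lines disappeared) or 'altered' (earlier lines were changed).
    """
    if len(local) < len(shipped):
        return "truncated", (
            f"local has {len(local)} lines, shipped copy has {len(shipped)}"
        )
    if chain_digest(local[: len(shipped)]) != chain_digest(shipped):
        first_bad = next(
            i for i, (a, b) in enumerate(zip(shipped, local)) if a != b
        )
        return "altered", f"first differing line is {first_bad + 1}"
    return "ok", f"{len(local) - len(shipped)} new lines since last shipment"
```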

Page 9

Application to CSE 551

- Obsolete Technology
- No Firewall
- Availability vs. Security
- Log-based Intrusion Detection

Page 10

Messages

- Mitnick left taunting messages behind on Tsutomu’s computers
- He also made taunting phone calls to Tsutomu’s voicemail (“Kung Fu”)
- Some of the calls threatened Shimomura’s life

Page 11

The Pursuit, Part 1

- Tsutomu had his machines “halted”
- Took the disks to the San Diego Supercomputing Center to analyze them
- He looked at the very basic data structure of the disk to recreate the deleted log file
- Tsutomu and his assistant created various programs to analyze the bit patterns on the disk to retrieve the log information
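Added example, not from the presentation: a minimal file carver that illustrates the recovery approach described above, scanning a raw disk image for syslog-shaped lines whose blocks remain on disk after the file was unlinked. The disk image is constructed inline; the regex and ordering rule are assumptions for this illustration, not Shimomura's actual tools.

```python
import re

# A syslog-style line: "Mon DD HH:MM:SS host message", stopping at a newline
# or a NUL byte so unrelated block contents do not run into the match.
LOG_LINE = re.compile(
    rb"[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \S+ [^\n\x00]{1,200}"
)

# Constructed raw-disk image: the filesystem no longer references the log,
# but its lines survive in data blocks, out of order and mixed with junk.
DISK_IMAGE = (
    b"\x00" * 16
    + b"unrelated file contents, e.g. a mail spool\n"
    + b"Dec 25 14:11:05 ariel rshd: connection from x-terminal\n"
    + b"\xff\x00\x7e" * 8
    + b"Dec 25 14:09:32 ariel login: ROOT LOGIN console\n"
    + b"Dec 25 14:10:21 ariel tcpdump: 6 probes from external host\n"
    + b"\x00" * 16
)


def carve_log_lines(image):
    """Return (offset, line) for every syslog-shaped line found anywhere in
    the image, whether or not a directory entry still points at it."""
    return [
        (m.start(), m.group().decode("ascii", "replace"))
        for m in LOG_LINE.finditer(image)
    ]


def reconstruct_log(image):
    """Order the carved lines by their timestamp prefix ("Dec 25 14:09:32")
    so the recovered log reads in the sequence events occurred."""
    lines = [line for _, line in carve_log_lines(image)]
    return sorted(lines, key=lambda line: line[:15])
```

Carved offsets tell the analyst which disk regions still held log data, which is useful evidence in itself when the file's metadata is gone.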

Page 12

The Pursuit, Part 2

- Shimomura’s stolen files were found on a commercial network called The Well
- This network was a staging point for many of the intruder’s attacks
- Mitnick was using modified cellular technology to try to hide himself

Page 13

The Pursuit, Part 3

- Shimomura teamed up with federal agents on February 8, 1994 as the hunt intensified
- It was discovered that Mitnick was accessing The Well through Netcom, a large ISP
- Mitnick’s phone activity was traced to the Raleigh-Durham area
- The police could not trace the exact location because Mitnick had engineered a looping switch

Page 14

The Capture

- Shimomura used his own modified cellular technology to track Mitnick (semi-legal)
- Once they found the source of the calls, Shimomura and his team called in the FBI
- Kevin Mitnick was arrested at his apartment in Raleigh, North Carolina at 1:30 am on February 15, 1995

Page 15

Kevin Mitnick: “The Showdown in R-Town”
Presenter: Eric Caspary

Page 16

Nature of the Crime, Part 1

- Kevin Mitnick committed a series of federal offenses in a 2½-year computer hacking spree
- In 1993, California state police issued a warrant for the arrest of Kevin Mitnick
- Accused of wiretapping calls from the FBI to the California Department of Motor Vehicles and using law-enforcement access codes gleaned from the wiretaps to illegally gain entry to the driver’s license database
- In December 1994, Mitnick was involved in stealing software, email and other files from a computer belonging to Tsutomu Shimomura, a computational physicist and computer security expert at the San Diego Supercomputer Center

Page 17

Nature of the Crime, Part 2

- In February 1995, Kevin Mitnick was arrested in Raleigh, North Carolina, after more than two years on the run
- Kevin Mitnick pleaded guilty to four counts of wire fraud, two counts of computer fraud and one count of illegally intercepting a wire communication
- In a global plea agreement he admitted that he broke into a number of computer systems and stole proprietary software belonging to Motorola, Novell, Fujitsu, Sun Microsystems and other companies

Page 18

How Information Security Was an Issue

- Mitnick admitted using a number of tools to commit his crimes, including “social engineering”
- He also used cloned cellular telephones, “sniffer” programs placed on victims’ computer systems and hacker software programs
- As part of his scheme, Mitnick acknowledged altering computer systems belonging to the University of Southern California
- He also admitted that he stole e-mails, monitored computer systems and impersonated employees of victim companies

Page 19

What Laws Were Applied

18 U.S.C. § 1030. Fraud and Related Activity in Connection with Computers

Whoever:
- Intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains (A) information contained in a financial record of a financial institution, or of a card issuer;
- Knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value;
- Knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;
shall be punished as provided in subsection (c) of this section.

Page 20

What Laws Were Applied, Part 2

18 U.S.C. § 2510 et seq. Wire and Electronic Communications Interception and Interception of Oral Communications

Any person who:
- Intentionally intercepts, endeavors to intercept, or procures any other person to intercept or endeavor to intercept, any wire, oral, or electronic communication;
- Intentionally uses, or endeavors to use, the contents of any wire, oral, or electronic communication, knowing or having reason to know that the information was obtained through the interception of a wire, oral, or electronic communication in violation of this subsection;
- Intentionally uses, endeavors to use, or procures any other person to use or endeavor to use any electronic, mechanical, or other device to intercept any oral communication;
shall be punished as provided in subsection (4) or shall be subject to suit as provided in subsection (5).

Page 21

What Laws Were Applied, Part 3

18 U.S.C. § 2701 et seq. Stored Wire and Electronic Communications and Transactional Records Access

Whoever:
- Intentionally accesses without authorization a facility through which an electronic communication service is provided;
- Intentionally exceeds an authorization to access that facility;
and thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage in such system shall be punished as provided in subsection (b) of this section.

Page 22

What Laws Were Applied, Part 4

18 U.S.C. § 1029. Fraud and Related Activity in Connection with Access Devices

Whoever:
- Knowingly and with intent to defraud produces, uses, or traffics in one or more counterfeit access devices;
- Knowingly and with intent to defraud uses, produces, traffics in, has control or custody of, or possesses a telecommunications instrument that has been modified or altered to obtain unauthorized use of telecommunications services;
- Knowingly uses, produces, traffics in, has control or custody of, or possesses hardware or software, knowing it has been configured to insert or modify telecommunication identifying information associated with or contained in a telecommunications instrument so that such instrument may be used to obtain telecommunications service without authorization;
shall, if the offense affects interstate or foreign commerce, be punished as provided in subsection (c) of this section.

Page 23

Were Applicable Laws Well Thought-Out?

- The case against Mitnick tested then-nascent laws that had been enacted for dealing with computer crime, and it raised public awareness of security issues involving networked computers
- At the time of his capture and subsequent prosecution, I imagine the laws applicable to his case were not as thorough, well thought-out, or all-encompassing as they are now
- Due in part to mass paranoia, Mitnick was held without bail for over two years before sentencing following his 1995 arrest
- He has said that he set some kind of United States record by being held for four and a half years without a bail hearing, while also held in solitary confinement for eight months “in order to prevent a massive nuclear strike from being initiated by me via a prison payphone”
- This gives one an idea about how computer criminals may have been treated in the 80’s and 90’s and how the legislation at that time may have been somewhat inappropriate

Page 24

Missing Legislation?

- At the time of Mitnick’s trial, some legislation was very likely incomplete
- The “new technological frontier” was just that, new, and it probably took a few years for legislation to catch up with technology
- In later years, however, anti-hacking legislation was greatly expanded. I believe that the currently existing legislation applicable to Mitnick’s case is sufficient and that no further legislation is necessary at this time

Page 25

Digital Evidence, Part 1

Here are excerpts of the letters sent to the FBI that were used to help calculate the damages caused by Kevin Mitnick, in which the companies involved specified damages:
- Sun Microsystems: values the current (Solaris software) product in the hundreds of millions of dollars
- NEC America, Inc: the (stolen) software design for a NEC cellular mobile telephone…is valued at one million seven hundred fifty thousand dollars ($1,750,000.00)
- NOKIA Mobile Phones (UK) LTD: a minimum loss estimated to total US $135 Million
- NOVELL: the cost associated with the development of the source code is well in excess of $75,000,000
- Fujitsu: GRAND TOTAL: $5,517,389.61. Total recall cost (for source code rework) for 96,441 unit population

Page 26

Evidence, Part 2

Evidence against Mitnick also includes:
- Voice mail messages to Tsutomu
- Call to Mark Lottor
- Mitnick’s on-line sessions
- Analysis of the machine state after the break-in
- Photo from files stolen from Tsutomu
- Netcom login records for gkremen (a stolen account)

Page 27

How Evidence Was Handled

- Mitnick’s attorney, Donald Randolph, tried repeatedly to get Mitnick a computer so he could review evidence that reportedly includes witness statements totaling 1,400 pages, 10 gigabytes of electronic evidence and 1,700 exhibits in all
- But after one hearing, Randolph told reporters that Judge Pfaelzer “didn’t seem to want to hear ‘computer’ and ‘Mitnick’ in the same sentence”
- The court ultimately allowed Mitnick access to a laptop