How much has cyber-spying changed since 1989? Not as much as you'd think

Bob Eisenhardt looks back at Clifford Stoll's classic cyber-spying true story from 1989 and poses the question, how much has really changed in the world of cyber-espionage? Not that much, as it turns out.

In 1989, Clifford Stoll wrote The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage, a fascinating spy story -- a cyber chase -- about catching a hacker in Germany, employed by the Soviet Union, who was blatantly hacking "secure" military systems in search of anything connected with the "Star Wars" defense initiative. Back then, there was no real Internet as we know it. The ARPANET was just beginning to expand into the public arena, but it was still the primary vehicle for military mid-range and mainframe systems to communicate. As a cyber-sleuth, Stoll was by trade an astronomer with a hand in programming Berkeley Unix.

The trail began with the hacker entering systems through open, non-administrative accounts and planting a small program in the secure area of Unix through the GnuEmac word processor. This free program (remember shareware?) knew of no secure/non-secure areas of any system, thus it was ideal for copy-paste from a public patch to a secure patch. Then, every five minutes, Unix ran a daemon to check system resources and allocate them. The hacker's program granted him Administrator Super User access! SHAZAM! He would then erase his tracks and begin browsing whatever he could find. Stoll kept a log of his adventure and traced this "scum" (his word) around the world for 10 months as the data led his search far beyond our shore, over the transatlantic satellites to Europe. Along the way Stoll learned that many "secure" systems were anything but -- wide open sometimes, badly managed most of the time. Eventually the spy was caught and served time in prison, and Stoll became a much wiser guru of systems security.

I've been thinking about Stoll's book recently and wondered, in light of so many of the security issues we have in abundance today, how MUCH have we changed since 1989 and the planting of that elusive Unix egg?

The more things change, the more they stay the same

Two years ago, I noticed an employee from the Beijing Railroad in China trying to password blast my Windows 2003 server through an open FTP session. My password syntax is very secure so he was just door banging, but using much the same logic that Stoll's evil assailant might use on military systems: Try standard account names and throw passwords every second at it, repeat forever until a door opens. After five minutes of education, I stopped the FTP service and that was that. But yes, Virginia, there are hackers out there targeting YOU!

According to the TechRepublic blog post, "Why isn't everyone hacked every day," by Michael Kassner, Cormac Herley of Microsoft observed that passwords are still left on public Post-It notes and recycled every 30 days. Well, Stoll's villain would be right at home. In 1989 his hacker read public emails that contained lists of user names and passwords, i.e., "going on vacation, here are the keys to my kingdom." On the plus side, there is now an explosion of user accounts and passwords as compared to 1989, with billions of possible combinations. The percentage of obvious attacks has to drop by statistical law, so perhaps we feel safer than we really are.

After all, Stoll's ARPANET used the limited bandwidth available through the mighty 2400 baud modem, and while we are now connected internationally at far greater speed, underneath the hood of our 2012 fibre-optic, wireless rocketcar is (for the most part) our old friend, IPv4.

Complexity does not guarantee security, but rather offers new methods of penetration such as the incredible HP OfficeJet portal into secure IPv4 addresses. That was, to me, a stunner! There, displayed in a Google search, were dozens of OfficeJet printers with their hard-coded IP address displayed. To a determined hacker, this is delicious, and the game is already over. Stoll's 1989 hacker would know this playground by intuition.

It was a different world back in 1989. Sony Playstation? Bah, Humbug!! Malware did not exist. Internet credit card traffic was for the future as were ATM machines. But copying files to floppy disks from a secure station could be done, and Pvt. Bradley Manning just proved that USB keys are just as portable, giving us WikiLeaks. Technology does not protect us from the simple, stupid method. We are not so smart after all.

Stoll's hacker of today would not be limited to a count of one. The truly huge data breaches are done by "Hacktivists" -- groupings of dedicated, warped professionals out for revenge on a bad planet. The "Anonymous Collective" cries out for all the attention it has received. Sometimes, just publishing the theft is all the glory these scum (see 2nd paragraph above) are seeking as if it were all a game. But by publishing such data, charities and 501C3 groups have taken a huge hit in donations. "Ho Ho, Ha Ha, it is to laugh" said Daffy Duck.

Secure websites? Stoll did not have that one either. Another few billion doors just opened up and my writing another 90 paragraphs alone on this one is for another day. But secure systems and passwords were not needed when military subcontractor SAIC lost 4.9 million records for TriCare patients, data left on backup tapes in an open car. Stoll's hacker was, at least, in Germany and not Texas.

In 1989, the outsourcing of IT support for public and private data centers to firms such as Computer Sciences Corporation and Scientific Applications International Corp was an invention of hell for a future date. Bangalore was a backwater town. Today, 39% of all secure data breaches occur when trust is placed in the secure(?) control of third party vendors. Back then, Stoll was able to call, directly, military personnel in charge of a data center and advise them that somebody was, amazingly, trolling their files RIGHT NOW. Today, he would probably be on hold forever while someone in India frantically paged through a manual of tasks even as data is waltzing out the door.

In 1989, medical records were the property of your doctor, stored on shelves in file folders. Are we any more secure with HIPAA regulations mandating secure storage and disposal? I have seen hospital records that should have been shredded, dumped intact into dumpsters, and stood stunned when an outsourcing firm I worked for determined that thirty (30) computers just walked out of secure storage INSIDE a hospital. Heaven forbid electronic health records in the secure cloud.

All in all, I feel that Clifford Stoll's antagonist of 1989 would indeed feel right at home today. Our technology and software are vastly different from the enchanting simplicity of entering command line codes on a Unix mid-range system, and the ARPANET was truly ugly. Other than that, I do not see that we have changed all that much. For all the fancy tools and secure beauty of Windows, Linux and HTML on the top, the bottom still holds. Indeed, he would not have to use a University computer in Bremen connected via 2400 baud phone line to work his magic. Any Starbucks will do nicely, the coffee is good and those chocolate covered graham crackers are, well, just to die for.

9 comments
dinomutt

In the end, the only truly secure computer system is one that isn't connected to anything else. Which of course in today's world would be about as useful as a doorstop in most situations.

Robiisan

Was a very good read, particularly for its day. I was involved with a military R&D center at the time and was sys admin for about four local systems. It was enlightening at the time to realize how vulnerable many allegedly "secure" systems were. This was particularly true if the mainframe was, for example, a Digital Equipment Corp (DEC) computer. The contractor techs routinely left the system's "back door" access set to "Field" and "Service" respectively for the username and password! By the way, Stoll pointed this out in his book. While the story is "old," the one point this article makes, although poorly, is that much of the same thing is going on today - multiplied many times over. For those of you who haven't read it, The Cuckoo's Egg is, at the very least, an excellent detective story. At best, it can be an eye-opener even today.

r_widell

I agree with all of apotheon's points and wish to add a couple of my own. There was indeed an Internet (mostly as we know it) in 1989, with DNS, DHCP, email, newsgroups, FTP sites, etc. It had long since bypassed its ARPANET roots. What we didn't have was a graphical Internet, i.e. the World Wide Web, or search engines like Google, Bing, Yahoo, Lycos, et al. Our searches were done by spiders, or gopher. He also neglected to note that universities and large businesses significantly outnumbered the number of military installations with an Internet presence in 1989. Most of the connections in these institutions were via an Ethernet or Token-Ring 10Mbit connection, while the backbone connections were via T1 or (in rare cases) DS3. My personal (at home) connection was a 9600 baud Telebit Trailblazer modem. I'll concede that the Internet wasn't nearly as ubiquitous as it is today, and there was still a significant minority of machine-machine connections that were made with UUCP while a lot of email was sent using bang-path addressing. But I can recall universities in Finland, Japan, Australia and elsewhere coming online with always-on Internet connections through trans-oceanic cables. While most of the BBS systems of the day (Compuserve, etc.) were only available at 2400 baud, they weren't part of the Internet. Just because the author was ignorant of the Internet in 1989 doesn't mean that it didn't exist. ron

apotheon

I ultimately just found myself overwhelmed with everything that was wrong and gave up listing problems. In retrospect, I even found problems in the single paragraph I addressed that I had overlooked, to say nothing of the rest of the article, but I had to get on with my life at some point. Between the two of us, we could probably write a short book about the problems with this article, but I'm not sure there's a point. While I haven't read it, I'm sure The Cuckoo's Egg already sets that record much straighter than this article suggests.

apotheon

I think the abuse of the term "hacker" in this article is probably the least of its problems. It's kind of a train wreck of errors, confusion, and miscommunication (though the grammar and spelling are mostly okay), starting with the disastrous attempt to discuss GNU Emacs (or "the GnuEmac word processor").

HAL 9000

Back then the Hackers were the ones protecting the systems unless some Bureaucrat was appointed, and it was the Bureaucrats who left the systems wide open as that was how the Book (if it even existed in their toolkits back then) told them to implement Security. Though to be perfectly fair, back then it wasn't common for the Crackers working from their basements at home to Break into Systems simply because the cost of computers was way too expensive, and even Governments weren't trying overly hard to crack the Computer Systems as it was easier to get Physical Intelligence. Now on the other hand, with the Proliferation of Windows Systems it's far easier to crack Computer Systems to gain information rather than get the Physical Intelligence. Not to mention far safer for the operatives involved. ;) Col

wdewey@cityofsalem.net

I received an alert about a virus that was causing a lot of problems and after some research almost thought it was a joke (four to six months ago). The virus was password guessing on an RDP connection with a list of about 20 "common" passwords like "admin" "admin". The alert was rated a medium or severe. Really? People are still using admin admin on their servers? Bill
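The article's FTP "door banging" (standard account names, a password every second, repeat until something opens) and the RDP guessing described in the comment above leave the same footprint in authentication logs: a burst of failures from one source, often cycling through default account names. The detector below is an added example for this page, not code from the article, the commenters or any product; the log format and the sample lines are constructed, and the thresholds are assumptions to be tuned per environment.

```python
"""Flag password guessing ("door banging") in FTP/RDP auth logs.
Added example for this article; log lines are constructed, not real captures.
Assumes one line per attempt: timestamp, service, FAIL/OK, user=, src=."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source cycling standard account names on FTP,
# one trying "admin"/"admin" style pairs on RDP, and one benign typo.
SAMPLE_LOG = """\
2012-03-01T10:00:01 ftp FAIL user=administrator src=203.0.113.9
2012-03-01T10:00:02 ftp FAIL user=admin src=203.0.113.9
2012-03-01T10:00:03 ftp FAIL user=root src=203.0.113.9
2012-03-01T10:00:04 ftp FAIL user=guest src=203.0.113.9
2012-03-01T10:00:05 ftp FAIL user=test src=203.0.113.9
2012-03-01T10:02:30 rdp FAIL user=admin src=198.51.100.7
2012-03-01T10:02:31 rdp FAIL user=Administrator src=198.51.100.7
2012-03-01T10:15:00 ftp FAIL user=bob src=192.0.2.20
2012-03-01T10:15:40 ftp OK user=bob src=192.0.2.20
"""
LINE_RE = re.compile(r"(?P<ts>\S+) (?P<svc>\w+) (?P<result>FAIL|OK) "
                     r"user=(?P<user>\S+) src=(?P<src>\S+)")
# Names guessing tools try first; several from one source is the tell.
DEFAULT_ACCOUNTS = {"admin", "administrator", "root", "guest", "test", "ftp"}

def parse(log_text):
    """Yield one dict per well-formed line; skip anything else."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            yield ev

def detect_guessing(log_text, max_failures=5, window=timedelta(minutes=1)):
    """Return {src: reason} for sources whose failures look like guessing."""
    failures = defaultdict(list)  # src -> sorted [(ts, user)] of FAIL lines
    for ev in parse(log_text):
        if ev["result"] == "FAIL":
            failures[ev["src"]].append((ev["ts"], ev["user"].lower()))
    flagged = {}
    for src, events in failures.items():
        events.sort()
        start = 0  # sliding window: many failures from one source in `window`
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= max_failures:
                flagged[src] = f"{end - start + 1} failures within {window}"
                break
        tried = {u for _, u in events} & DEFAULT_ACCOUNTS
        if src not in flagged and len(tried) >= 2:  # slow but telling trickle
            flagged[src] = f"default account names tried: {sorted(tried)}"
    return flagged
```

The second rule catches the slow RDP-style trickle that a pure rate threshold misses, which is why the two-failure source in the sample is still reported; the single mistyped login from the third source is not.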

apotheon

The basic premise of the article -- that people are still idiots about security, in depressingly large droves -- is correct. It's the content that is completely screwed. Pick just about any paragraph and I can probably offer a laundry list of problems. The first paragraph, being nothing but an introduction, isn't so bad, of course. I'll explain some issues with the second, though, just to give you a hint of what's wrong with this mess. That paragraph says:

QUOTE: The trail began with the hacker entering systems through open, non-administrative accounts and planting a small program in the secure area of Unix through the GnuEmac word processor. This free program (remember shareware?) knew of no secure/non-secure areas of any system, thus it was ideal for copy-paste from a public patch to a secure patch. Then, every five minutes, Unix ran a daemon to check system resources and allocate them. The hacker's program granted him Administrator Super User access! SHAZAM! He would then erase his tracks and begin browsing whatever he could find. Stoll kept a log of his adventure and traced this "scum" (his word) around the world for 10 months as the data lead his search far beyond our shore, over the transatlantic satellites to Europe. Along the way Stoll learned that many "secure" systems were anything but wide open sometimes, badly managed most of the time. Eventually the spy was caught and served time in prison and Stoll became a much wiser guru of systems security.

1. What the heck is "the secure area of Unix"? Is this supposed to refer to parts of the filesystem only the root account is supposed to be able to access? Does he mean something related to kernel space? What exactly does he mean?

2. WTF is "the GnuEmac word processor"? I've heard of GNU Emacs, a text editor so broadly extensible and configurable that it has been jokingly called an operating system -- but it's not called "GnuEmac", and not only is it not anything most of us would call a "word processor", but many habitual GNU Emacs users might be offended (or at least doubled over in laughter) to find someone calling it a "word processor".

3. Someone explain to this guy that "shareware" has nothing to do with the GNU Project's conception of "Free Software".

4. This explanation of how the "shareware" "word processor" "GnuEmac" somehow performed a privilege escalation (or whatever the heck exploit he's trying to describe here) by being ignorant (or whatever the heck dysfunction he's trying to describe there) is so hokey and incoherent I'm not really sure what the heck he's trying to convey. (Let's call point four here the "heck point", considering how much I used the word "heck".)

5. What are "public patches" and "secure patches" in this context, anyway? Is this some computer-related use of the word "patch" to which I have never been exposed, or is he just using terms he's heard in relation to programming and/or security matters the way Star Trek script writers used terms they vaguely recalled from Popular Science headlines? (Hint: it's the latter.)

6. The bit about "every five minutes" sounds technically possible at least, which is a big improvement over some of the rest of what he bungles, but I'm skeptical this explanation survived translation from The Cuckoo's Egg. I'm especially skeptical given the fact that a daemon is a piece of software that runs in the background, generally waiting for specific events to which they are designed to respond. Think "server". You almost certainly don't want your OS to start a new daemon process every five minutes. That just sounds like the world's slowest fork bomb, not a standard behavior of Unix. So . . . if we strip away the bizarre phrasing (using terms familiar to Unix admins everywhere in ways that sound suspiciously odd), we might end up with something that could conceivably be normal on Unix systems of that day (conceivably, but not terribly likely), if for some reason all Unix systems performed a system resource management sweep of some kind every five minutes exactly. I wasn't using Unix back then. I just really, really doubt that's an accurate description of the circumstances, based on the fact it doesn't make a whole lot of sense.

7. "Administrator Super User!" I want to be one of those! Poor little ol' me, I'm just root, the super user account, with administrative access to the whole system, and that only once in a while -- not Administrator Super User! Maybe we could even spice it up by making it Administrator Super Root User! (This isn't so much an error as just a hilarious display of naive phrasing.)

8. Re: the statement that "He would then erase his tracks . . ." I have a question. How exactly did he get from an automated task executed every five minutes to being logged in (as the Administrator Super User! account, presumably) personally, anyway? I guess it was magic -- or he left out perhaps the most important part of the entire explanation.

One last thing about that paragraph -- not really about the technical failings of the article at all, but just a minor peeve of mine. In the words "the data lead his search" he obviously means the past tense form of the verb "lead". That past tense form is spelled "led", not "lead".

The article continues to make errors of terminology, understanding, and presentation throughout its length. Its spelling and grammar issues (e.g. "lead" instead of "led") are pretty minimal, though; most of the errors are the kinds of things prone to leading readers astray, rather than merely looking unprofessional.

edit: By the way, the actual vulnerability was evidently related to mailmove, and not GNU Emacs. While I'm not 100% certain of my memory of the matter, I think the problem was with the way mailmove was installed, and not with mailmove itself inherently ignoring the privilege separation enforced by the OS (something that should be effectively impossible; it's not up to software to obey only if it wants to do so, but to beg for permission, in this case).