04-17-88 2103 EDT
WEST GERMAN SECRETLY GAINS ACCESS TO U.S. MILITARY COMPUTERS
By JOHN MARKOFF
c.1988 N.Y. Times News Service

   NEW YORK - For almost two years, a West German citizen used global
communications networks to secretly gain access to more than 30
computers belonging to the United States military and military
contractors, according to computer security experts.
   The intruder, whose identity and motives remain uncertain,
methodically searched for data related to nuclear weapons, intelligence
satellites, the Strategic Defense Initiative, the space shuttle, and
the North American Air Defense Command. The computer security experts
said that the intruder did not gain access to any classified
information, nor did he successfully break into what government
officials call a ''secure'' government computer where classified
information was stored.
   The computer security experts are alarmed because of the systematic
and widespread nature of the break-ins. They said there was evidence
that the West German intruder had tried to gain access to a total of
450 computers.
   The episode raises the possibility that the intruder may have been
able to assemble classified data by piecing together material that was
sensitive but unclassified. The Reagan administration has been
concerned that foreign intelligence agents could piece together
classified information by assembling a ''mosaic'' of computerized data.
   ''This kind of penetration could clearly have been used for
espionage,'' said Peter G. Neumann, a computer security expert who is
familiar with the case. He works at SRI International, a non-profit
research center in Menlo Park, Calif.
   ''I think most of the attacks before this have been relatively benign
on a global scale,'' Neumann said. ''This one is much more insidious.''
   A spokesman for the Federal Bureau of Investigation in Washington
confirmed on Sunday that the intrusions were investigated, but he
declined to comment further.
   Last week, an article in a West German weekly magazine, Quick,
detailed the case, identifying the intruder as Mathias Speer, 24, a
computer science student in the city of Hanover. FBI officials,
however, would not confirm the identity.
   The intrusions may have occurred for as long as a year before being
discovered by computer managers at the Lawrence Berkeley Laboratory, in
Berkeley, Calif., one of the United States' national research
laboratories. The laboratory, the site of broad-based unclassified
scientific research, is a sister to the Lawrence Livermore Laboratory,
in nearby Livermore, which is heavily involved in research on secret
nuclear weapons and the Strategic Defense Initiative, or SDI. The
laboratories are operated by the University of California for the
federal government.
   Rather than taking steps to deny further computer access to the
intruder, the Lawrence Berkeley security experts - working with other
government computer security personnel - organized a system to monitor
the intrusions. At one point, to trace the intruder, the Lawrence
Berkeley officials offered false but seemingly classified information
as part of an electronic sting operation. The intruder loaded that
information into his computer in West Germany, staying on line long
enough for authorities in the United States and West Germany to trace
him. Later, as part of the same operation, an apparent accomplice based
in the United States appeared to become involved.
   The identity of the American citizen was not divulged by the Lawrence
Berkeley officials or by the FBI. He is believed to have been
questioned by the FBI in June 1987, about the same time that the West
German was detained and questioned by authorities there. The electronic
break-ins ended about the same time.
   ''We knew the key words he was looking for when he read electronic
mail on our computers,'' said Dr. Clifford Stoll, the computer systems
manager at Lawrence Berkeley who initially discovered the break-ins in
August 1986 and monitored them for approximately 12 months. ''He
searched all of the files at LBL for the word 'nuclear.' Then he
started looking for 'Star Wars' and SDI. We realized that he had us
confused with Lawrence Livermore.''
   Not long after the intrusions were discovered, the Lawrence Berkeley
computer managers considered that the intrusions might be a prank,
perpetrated by a sophisticated computer enthusiast, or ''hacker.''
Stoll said that, after watching the intrusions for several months, he
became convinced that they were more than that.
   The break-ins parallel another set of incidents last year in which a
group of West German computer enthusiasts, called the Chaos Computer
Club, broke into several international computer networks of the
National Aeronautics and Space Administration and rummaged freely among
the data for at least three months before being discovered. However,
the computer managers at Lawrence Berkeley said they believed that the
West German intruder was not associated with the Chaos group.
   Stoll, who is also an astronomer, has written an article about the
incident that is scheduled for publication next month in the technical
journal Communications of the Association of Computing Machinery.
Lawrence Berkeley has also scheduled a news conference on Tuesday to
discuss the intrusions.
   According to the Lawrence Berkeley officials, the yearlong
investigation involved the FBI and security experts from the Air Force
and the Army, as well as private security investigators. Under West
German law, not enough evidence was obtained for prosecution, the
Lawrence Berkeley officials said.
   According to Stoll, the West German compromised the military computers
by taking advantage of security loopholes in several different
operating systems, the software programs that manage data in a
computer. On computers operating under the Unix system, he frequently
used a loophole to give himself ''superuser'' status, which allowed him
to read and alter all material stored in the computer.
   The intrusions involved a variety of U.S. military computer systems in
this country, Europe, and Japan. The Lawrence Berkeley Laboratory
became a starting point for connecting to two unclassified military
networks, known as Milnet and Arpanet. They link computers at military
bases and military contractors.
   At one computer at the Naval Coastal Systems Command, in Panama City,
Fla., the intruder transferred to a computer in West Germany an
encrypted file containing user passwords. The intruder broke some of
the codes and called back to search through files protected by the
passwords. The intruder also gained access to computers at the Army's
Fort Buckner base in Japan and at the Anniston Army Depot, a supply
base for the Army's Redstone Arsenal, in Huntsville, Ala.
   At the Air Force Systems Command, in El Segundo, Calif., the intruder
managed to attain the status of system manager. ''I watched as he
scanned all of their SDI references and the usual pile of things and
then started printing out information on the space shuttle,'' said
Stoll. ''The Air Force later told me it was not classified information.''
   Other systems entered included military computers in San Diego, the
Pentagon's Optimus data base, and a computer at NASA's Jet Propulsion
Laboratory, in Pasadena, Calif.
   The officials at the Lawrence Berkeley Laboratory said that they
monitored attempted intrusions into a total of 450 military computers.
   ''Basically, he was walking down the street twisting the doorknob of
each house,'' Stoll said. ''He wouldn't push hard, but then he would go
around and do the electronic equivalent of trying the back door and the
side windows. If they didn't budge, he would go to the next house on
the street.''
   Shortly after discovering the intrusions, Stoll, aided first by City
of Berkeley officials and later by federal law-enforcement officers,
began trying to trace their origin. They were traced to a computer at a
U.S. military contractor in McLean, Va., near Washington. The Lawrence
Berkeley officials declined to identify the company.
   They then discovered that the intruder was dialing from Hanover to a
university computer in Bremen, West Germany. That computer was used to
connect to machines in the United States.
   The intruder's location was masked by dialing into the military
contractor's computer in Virginia and then using that computer's
capability to call other computers around the country, including those
at Lawrence Berkeley. The Lawrence Berkeley computer was used to
connect to the military networks - Arpanet and Milnet - to gain access
to the military installations.
   In tracing the intruder, the security investigators created an
automatic alarm system. Stoll wrote a computer program that would dial
his pager whenever the West German gained access to the computer at
Lawrence Berkeley. The pager automatically called a security official
from the Tymnet McDonnell-Douglas Network Systems Co., a computer
network company based in San Jose, Calif. The Tymnet official then
notified West German law enforcement officials.
   But the investigators traced the calls back to Hanover, where it took
as long as 30 minutes to set up a trace because of antiquated
equipment. The intruder's calls generally lasted no longer than five
minutes.
   In January of 1987, the security managers at Lawrence Berkeley created
an electronic sting operation using a large file of fictitious,
seemingly secret information. The file contained a reference to an
address at the Berkeley laboratory where further information related to
the Strategic Defense Initiative could be obtained.
   Once the file was discovered, the intruder remained connected to the
Lawrence Berkeley computer for more than an hour. Three months later,
according to the Lawrence Berkeley officials, a letter was mailed from
a United States citizen living in the Northeast to the address given by
the lab, inquiring about the false SDI information.
   The letter was given to the FBI.
