Session Recording: https://vimeo.com/253972632
This week we finished the book, covering chapters 47-56.
The attacker dialed in for brief moments during the few weeks that followed but did nothing notable, and ignored the new SDINET files. At one point Cliff notices someone logging in through a new account belonging to a professor, and he verifies that the professor did not make that login. Cliff deduces that the attacker must have cracked the professor’s password from the stolen password file with a dictionary attack: hashing each word of a word list the same way the system does and comparing the results against the stored hashes. Cliff is stunned when Bob Morris (whom he met previously at NSA) tells him that dictionary attacks are “child’s play” and have existed for 5-10 years.
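To make the attack concrete, here is a small added example (not from the book or the session) of a dictionary attack against a stolen password file. The file format, the user names, the word list and the hashing scheme are all constructed for this example: the real 1980s file held DES crypt(3) hashes, and this stand-in uses salted SHA-256 so it runs on any Python without the deprecated crypt module. The attacker's logic is the same either way, because the salt sits in the file next to the hash.

```python
import hashlib
import hmac


def hash_password(salt: str, password: str) -> str:
    """Salted digest in the constructed file format (an assumption; not crypt(3))."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def passwd_line(user: str, salt: str, password: str) -> str:
    """Build one "user:salt$digest" line of the constructed password file."""
    return f"{user}:{salt}${hash_password(salt, password)}"


# Constructed sample: two accounts with dictionary words, one with a passphrase.
STOLEN_PASSWD = [
    passwd_line("professor", "x7", "summer"),
    passwd_line("gradstudent", "q9", "physics"),
    passwd_line("sysadmin", "k2", "correct horse battery staple"),
]

# Constructed word list; a real one would have tens of thousands of entries.
WORDLIST = ["password", "letmein", "summer", "winter", "physics", "lbl"]


def parse_passwd(lines):
    """Yield (user, salt, digest) from lines in the constructed format."""
    for line in lines:
        user, field = line.split(":", 1)
        salt, digest = field.split("$", 1)
        yield user, salt, digest


def dictionary_attack(lines, wordlist):
    """Return {user: password} for every account whose password is in wordlist.

    The salt is public, so the attacker re-hashes each candidate word with each
    user's salt and compares. Salting only stops one precomputed table from
    covering all users; it does not slow down a per-user dictionary run.
    """
    cracked = {}
    for user, salt, digest in parse_passwd(lines):
        for word in wordlist:
            if hmac.compare_digest(hash_password(salt, word), digest):
                cracked[user] = word
                break
    return cracked


if __name__ == "__main__":
    print(dictionary_attack(STOLEN_PASSWD, WORDLIST))
```

The two dictionary-word accounts fall immediately and the passphrase survives, which is the whole lesson of the episode: once the hash file is readable by an attacker, the only things standing between them and a login are the strength of each password and the cost of each hash computation. That is why modern systems keep hashes out of the world-readable password file and use deliberately slow password hashes.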
Cliff visits DC again and gives a talk to the NSA X-1 team and several high ranking flag officers. He is asked to visit Teejay at the CIA and is introduced to the deputy director. It turns out they’ve been following this case daily. They present Cliff with a certificate of appreciation.
Cliff receives a letter in the mail addressed to Barbara Sherwin, the fictitious administrator he made up for the SDINET files. It is a nearly exact copy of the template form he placed with the files for requesting more information. It is postmarked Pittsburgh, with a return address under the name Laszlo J. Balogh. Cliff informs the FBI, who ask him to handle it very carefully and send it to them. An OSI investigator also shows up to inspect it, and Teejay at the CIA is informed as well. The FBI asks Cliff for a copy of the LBL letterhead; it sounds like they are going to send a reply to the attacker.
Evidence Collection
When Cliff receives this letter he does not do a great job of preserving it as evidence. Anything that might end up in litigation must be handled so that the investigating team can extract the most value from it, which means careful handling and a documented chain of custody (who had the item, when, and what they did with it). These concerns apply to computer evidence just as much as to physical evidence.
With this in mind, I provided a brief overview of concerns related to preservation of digital evidence. This included discussions about permission, volatility and whether you should shut computers off, pollution of evidence that happens when installing software or interacting with a system, and chain of custody. I also discussed the practicality of treating systems as evidence and when that doesn’t necessarily happen in practice.
More Reading:
- NIST Incident Handling Guide: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
- Best Practices when Seizing Electronic Evidence: http://www.crime-scene-investigator.net/SeizingElectronicEvidence.pdf
- Practical Forensic Imaging book (No Starch): https://nostarch.com/forensicimaging
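The chain-of-custody point above is easy to state and easy to get wrong, so here is an added example (mine, not from the book or the session) of the minimum a digital custody record should do: hash the acquired item once at collection, record every hand-off against that same hash, and link each log entry to the previous one so that an entry cannot be altered, inserted or removed without detection. The item, the people and the timestamps below are constructed; nothing here refers to a real case file.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev-hash value used for the very first entry


def evidence_digest(data: bytes) -> str:
    """SHA-256 of the acquired bytes: the value that goes on the evidence label."""
    return hashlib.sha256(data).hexdigest()


def _entry_hash(entry: dict) -> str:
    """Hash of an entry's fields (excluding its own hash), canonically serialised."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def add_entry(log: dict, actor: str, action: str, evidence_sha256: str, when=None) -> dict:
    """Append a custody event, chained to the previous entry by its hash."""
    entries = log["entries"]
    entry = {
        "seq": len(entries),
        "time": when or datetime.now(timezone.utc).isoformat(),
        "actor": actor,
        "action": action,
        "evidence_sha256": evidence_sha256,
        "prev_entry_hash": entries[-1]["entry_hash"] if entries else GENESIS,
    }
    entry["entry_hash"] = _entry_hash(entry)
    entries.append(entry)
    return entry


def new_custody_log(item_id: str, description: str, data: bytes, collected_by: str, when=None) -> dict:
    """Open a log for one item; the first entry pins the acquisition hash."""
    log = {"item_id": item_id, "description": description, "entries": []}
    add_entry(log, collected_by, "collected", evidence_digest(data), when)
    return log


def verify_custody(log: dict, data: bytes) -> list:
    """Return a list of problems; an empty list means the log and the item are intact."""
    problems = []
    prev = GENESIS
    acquired = None
    for i, e in enumerate(log["entries"]):
        if e.get("seq") != i:
            problems.append(f"entry {i}: sequence number {e.get('seq')} out of order")
        if e.get("prev_entry_hash") != prev:
            problems.append(f"entry {i}: chain link broken (entry inserted or removed)")
        if e.get("entry_hash") != _entry_hash(e):
            problems.append(f"entry {i}: contents altered after it was recorded")
        if acquired is None:
            acquired = e.get("evidence_sha256")
        elif e.get("evidence_sha256") != acquired:
            problems.append(f"entry {i}: evidence hash differs from acquisition hash")
        prev = e.get("entry_hash")
    if acquired is not None and evidence_digest(data) != acquired:
        problems.append("evidence bytes no longer match the acquisition hash")
    return problems


if __name__ == "__main__":
    # Constructed sample item standing in for a scanned letter.
    item = b"constructed sample: scan of a letter requesting SDINET documents"
    log = new_custody_log("ITEM-001", "letter, scanned", item, "collector", "1987-05-01T10:00:00+00:00")
    add_entry(log, "agent", "received", evidence_digest(item), "1987-05-02T09:00:00+00:00")
    print(json.dumps(log, indent=2))
    print("problems:", verify_custody(log, item))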
The attacker breaks into a few more networks via LBL, including Unisys and NASA. Cliff continues tracking these intrusions and initiating traces, while also creating more SDINET files to keep the attacker on the network longer.
Finally, on June 21st, Cliff observes the attacker login for the last time. Shortly after that, he gets a note from the FBI that the Germans were positioning officers outside the attacker’s location and would arrest him the next time he connected to LBL. Cliff was to monitor and call when this occurred. Cliff monitored for a few days but the attacker never connected back. He received a call from the FBI that the investigation was over. An arrest warrant had been issued, and the attacker would not be back. No more information was provided but Cliff was told to keep this to himself and he would learn more in time once the case was mostly closed.
Cliff eventually gets tired of waiting and submits an article about these events to the ACM. Before it is published, a German magazine publishes a story citing his log book. The only other party with a copy of his log book was the FBI, who must have sent it to the German legal attache, and from there who knows where it went. Since the cat is out of the bag, LBL holds a press conference for Cliff to talk about the events that have transpired.
Oddly enough, it’s the press who expose the name of the attacker: Markus Hess. Cliff eventually pieces together the full story of what happened. In short, a group of five young German hackers got together and used their skills to find vulnerabilities and compromise networks. They did it for many reasons: the thrill of success, financial gain, and even to support drug habits. Eventually, this led them to sell information to the KGB. It was the KGB who were responsible for requesting information by mail to LBL via a Hungarian criminal in Pittsburgh. All five hackers were eventually prosecuted, although they had very different stories.
Questions to Consider
What has changed about computer security since the 1980s? What hasn’t?
Has our ability to secure information been outpaced by our reliance on it?