Hacker Trackers

OSI computer cops fight crime on-line

Special Agent Jim Christy is chief of the OSI's computer crime investigations unit. In 1988, he investigated the notorious "Hanover Hackers"--a band of West German digital delinquents who sold stolen information, looted from Defense Department computers, to the KGB. It was his first hacker case as an OSI agent.

by Tech. Sgt. Pat McKenna
photo by Tech. Sgt. John K. McDowell

For 20 days in early spring 1994, Air Force cybersleuths stalked a digital delinquent raiding unclassified computer systems at Griffiss AFB, N.Y. The investigators had staked out the crime scene--a small, 12-by-12-foot computer room in Rome Laboratory's Air Development Center--for weeks, surviving on Jolt cola, junk food and naps underneath desks.

Traps were set by the Air Force Information Warfare Center to catch the bandit in the act, and "silent" alarms sounded each time their man slinked back to survey his handiwork. The suspect, who dubbed himself "Data Stream," was blind to the surveillance, but nonetheless led pursuers on several chases at a pace that doesn't get much faster--the speed of light.

The outlaw was a computer hacker zipping along the ethereal lanes of the Internet, and tailing him was the information superhighway patrol--the Air Force Office of Special Investigations computer crime investigations unit.

Data Stream had installed six "sniffer" programs in Rome computers to intercept user IDs and passwords, and exploited them to gain control of root. "Root means you own the system. You're a 'superuser,' " said Special Agent Howard A. Schmidt, director of OSI computer crime investigations. "You can copy, alter or destroy data. You can set up free accounts for your friends; you can deny legitimate users service; and you can shut down the system if you want to. You control that system. And obviously, we don't want people doing that."

During his computer crime spree, Data Stream penetrated about 30 systems on Rome's network and violated more than 100 other victims downrange, including the South Korean Atomic Research Institute, NASA, the Jet Propulsion Laboratory in California and Wright-Patterson AFB, Ohio. Using a telephone company "blue box," he "looped and weaved" through eight countries and four continents to avoid detection.

But Data Stream's ego was his downfall. In an E-mail message sent to another hacker, the intruder boasted that he broke into "dot mil" sites (military computers) "because they were so easy." Data Stream's electronic pen pal turned out to be an OSI informant.

The manhunt led investigators to a flat in London, England. After agents gathered enough evidence to secure a search warrant, New Scotland Yard detectives stormed the house and caught the teen-age hacker red-handed. Crown prosecutors are still trying to decide how to proceed with the case.

The Rome Lab intrusion was only one of 60 cases the OSI computer crime investigations unit ran in 1994. Last year the number rose to almost 150. The increase is due to the explosion of the Internet, the worldwide network of loosely interconnected computers, which has between 30 million and 100 million users. Anyone with a computer, modem and phone has the potential of going on-line to commit crimes.

Armed and Dangerous
Today's virtual vandals and data thugs have traded in their crowbars, lock picks and bolt-cutters for personal computers, 28.8-baud modems and computer-jimmying software. These infobahn gangbangers--running with crews like the Legion of Doom, Masters of Deception, Internet Liberation Front and Chaos Computer Club--are cracking passwords instead of safe combinations, and smashing security firewalls instead of store-front windows.

Scrapping with these techno-savvy "Nerdz in the Hood" requires a special breed of law enforcement officer--an eclectic blend of street cop and computer geek. Imagine Bill Gates with a badge and a gun, or better yet, picture Joe Friday of "Dragnet" with a pocket protector and laptop.

"The bad guys in high-tech cases speak a different language," said Special Agent Jim Christy, OSI's chief of computer crime investigations. "So you need a high-tech guy to interview them and understand what they're saying."

The Office of Special Investigations was the first law enforcement agency in the world to create a unit dedicated solely to investigating computer-related crimes, Christy said. It began in 1978 with two people--computer systems officers trained as agents--and has grown to 23 agents and nine technicians. Offices are at 12 locations worldwide--10 in the States, including detachments at Patrick AFB, Fla.; Travis AFB, Calif.; and Randolph AFB, Texas; and two overseas at Yokota AB, Japan, and Kapaun AS, Germany.

The main contingent of computer crime fighters works out of the investigative operations center, located adjacent to OSI headquarters, Bolling AFB, Washington, D.C. That unit is divided into the computer intrusion squad and the computer forensic media analysis laboratory.

The intrusion squad tracks hackers, while the forensics lab performs "autopsies" on seized computer equipment, probing for evidence. These "computer coroners" poke, prod and dig for clues to capers that range from theft and fraud to sexual harassment and child pornography.

"Everything is being done on computers these days," said Schmidt. "People are writing suicide notes on them, detailing extortion plans on them, and drug dealers are using computers to keep their records--like names of buyers and shipment logs. So all the stuff that used to be done on paper is now being kept on computers ... even murder plots."

Dial 'Modem' for Murder
In February 1991, Julie Snodgrass was stabbed to death outside Clark Air Base in the Philippines. The prime suspect was the victim's husband, Joseph. During questioning by OSI agents in his office, Snodgrass pulled a pair of pinking shears from a box next to his desk and began hacking apart two 5.25-inch floppy diskettes that were kept in his desk. The agents confiscated the diskettes, but not before Snodgrass had mangled the floppies into two dozen pieces.

Experts, including the National Security Agency, the FBI and the diskettes' manufacturer, told the Air Force computer cops that the information was irretrievably lost. Special Agent Ed Cutchins and Tech. Sgt. Dave Tindall, however, managed to splice pieces of the two diskettes back together and recover more than 85 percent of the data. The agents soon discovered the killer's motive.

The floppies stored love letters to a mistress, a database for a black-marketing operation and, most damaging of all, a letter asking his girlfriend to hire killers to murder his wife. This information along with a confession from the girlfriend was enough to convict Snodgrass of first-degree murder and sentence him to life in prison. (For more, see "Damaging Evidence" in May 1992's Airman.)

"Crime scenes are changing," Christy said. "About 75 to 85 percent of Air Force people, military and civilians, have computers in their homes. Whenever we execute a search warrant on a residence, we have a pretty good chance of encountering an electronic filing cabinet. It's not like the traditional filing cabinet, where I can say at the scene, 'You take this drawer, and I'll take that drawer,' and cull through it right there. You can't do that with electronic evidence.

"Once you have possession of the computer, the task of finding where the evidence is on it can be intricate, manpower intensive and time consuming," Christy said. "It's easier to do that in a controlled environment like our new computer forensic lab. Criminals will attempt to cover their tracks and hide evidence when they can. Among other things there are deleted files, compressed files and zip files. Sometimes software packages have built-in encryption devices. But as the criminals become more sophisticated, so do we."

And since not everyone owns the same brand of computer, the lab's digital detectives are whizzes in a host of operating systems--MS-DOS, Windows, Unix, OS/2, Macintosh and Linux, to name a few. They keep in reserve an arsenal of snooping software and a stockpile of computer hardware, everything from the latest Sun Microsystems workstation and Pentium-chip PCs to a Commodore 64, an Apple IIe and a 15-year-old Radio Shack Model III.

"We have to match the bad guys, equipment for equipment," said Schmidt. "Our gear has to be the latest and greatest, and we also need the best people to keep up. Or else the bad guys will have the edge."

The lab's media analyzers also support the intrusion squad's mission by shaking down hackers' machines, ferreting out logbooks, password files, cracking tools and scripts, and other evidence.

Breaking and Entering
Brig. Gen. Robert A. Hoffmann, OSI commander, said hacker intrusions are the most sophisticated computer crime cases his agency investigates.

"People committing hacker crimes and intrusions are pretty smart, very technical-minded and well-schooled in computer systems," said Hoffmann. "Another problem we have is that although we might be able to find a hacker electronically, we have no idea where he is geographically. How do you get a warrant based on a legal system that's based on geography?

"The OSI is combating 21st century technology with 19th century laws. A hacker can be literally anywhere in the country or anywhere in the world. So it's a legal challenge as well as an investigative challenge."

One computer crime agent said that crackers (the term preferred by those in the computing field) "live in ether," never having to make physical contact with their victim or the crime scene. They can remain anonymous by fleecing their prey from the comfort of their own homes, and elude capture by bouncing from jurisdiction to jurisdiction in milliseconds.

"We catch a lot of the dumb ones, and the smart ones too," said Christy. "It takes awhile for law enforcement to get geared up, with all the approvals and the coordination that we have to do, but once we do, we'll catch the bad guy. But no matter what we do, some get away because they change their path each time and don't stay online long enough for us to trace them back."

Christy has snared his share of both varieties, one of whom was a Washington, D.C., teen-ager who pled guilty to breaking into the Air Staff's system just days before Iraq invaded Kuwait in 1989.

With tension building in the Persian Gulf, Christy feared the enemy could exploit computers under OSI jurisdiction, which includes all Air Force and Air Force-interest systems, the Defense Logistics Agency, the Defense Security Assistance Agency, the Ballistic Missile Defense Office and the Office of the Secretary of Defense.

So the agent struck a bargain with the hacker, known as "Mr. Fusion." Christy would testify during sentencing on his behalf if the youth agreed to help the Air Force secure its networks.

Christy provided the cracker a workspace, computer and modem, and asked him to penetrate as many Air Force computers as he could while agents recorded his every keystroke. In three weeks, the youth breached more than 200 Air Force systems.

"Unfortunately, none of the victims reported the intrusions," Christy said. A more recent survey, conducted by the Defense Information Systems Agency, found that its technicians, using hacker methods and tools, were able to gain privileges on 88 percent of military systems, with only 4 percent detecting the intrusions. Of the 4 percent, only 5 percent reported the violations.

"That's not onesies and twosies; we're talking like over 12,000 systems," Christy said. "This is an invisible crime; people don't see this. Systems administrators and security people don't see it when it occurs."

The Air Force Information Warfare Center is trying to remove those blinders. AFIWC tracks network activity at 18 bases, using an "automated security incident measurement" program. The center, located in the Air Intelligence Agency at Kelly AFB, Texas, also has carte blanche from the Air Force to survey any of its computers for security holes.

An OSI computer crime investigator is permanently assigned to AFIWC. The center's technicians work shoulder-to-shoulder with agents in the field, setting electronic trip wires and data recorders to capture hacker sessions and other evidence crucial during prosecution. This stealthy software surveillance capability was first used during the Rome Lab intrusion.

"In the past, we weren't as covert as we would've liked," Christy said. "Basically, it was like turning the lights on and watching roaches scurry for the walls. You didn't have long to watch them and then they disappeared. This time, however, we basically went in without turning on the lights, wearing night-vision goggles and watched the roaches at work."

The Hacker Mindset
Christy characterized the hackers they've caught as 21st century equivalents to "the kid who runs down the street with a 10-penny nail scratching all the cars." He added, "But with a computer, you can cause a lot more damage."

Hoffmann said that none of the hackers, so far, has represented a true foreign intelligence threat, except one. In 1986, Christy's first intrusion case as an agent was investigating the Hannover Hackers, a group of West German cyberpunks who were selling information, illicitly gleaned on the net, to the KGB in East Germany.

"Right now, it's just the old 14- or 16-year-old hacker breaking in for the challenge or thrill," Christy said. "But they're the pioneers. They're developing techniques that are going to be utilized later by criminals and foreign intelligence agencies."

Christy led a study in 1992 that attempted to profile computer intruders. Behavioral psychologists and investigators interviewed convicted hackers to learn about their upbringing, backgrounds, goals and motives. They discovered that most hackers are younger males, who have historically had problems in elementary school, but excelled in high school. Another common theme was computers played an integral part in their lives--socially as well as professionally.

One OSI computer intrusion squad investigator has a very personal opinion about these hooligans. Off-duty, he runs an Internet provider that sells net access to the public, and his company has fallen victim to hacker attacks.

"They have no view of a victim," said Special Agent Stephen Nesbitt. "I can wipe out your credit history, and I can destroy you. But I don't know you, I don't see the pain I caused, and I don't see what it's done to your family. All I see is that it's an ego trip for me, and I can go brag about it with the rest of my buddies. And I have a name for myself. I'm a supervillain.

"Maybe they don't have much in the way of looks or maybe they didn't succeed in school, but they can hide behind this computer screen and be anybody. They can be supermen," Nesbitt said. "They live, eat and breathe this stuff. That's where their importance lies. But what happens is they're pushed to the next challenge to be the best. That's where you see the hacker wars, one group against another, one hacker against another. Who's the best?

"The whole thing is we're the battlefield--our systems, the government systems and the commercial systems around the world. We're the battlefield in which they fight."

Nesbitt believes computer intrusions can only rise. "Today's generation is being raised on computers. The intruders we're seeing now are between 13 and 25," he said.

Add to that faster computers and faster modems, which allow computer crooks to haul their stolen goods to their lair within minutes. Plus, more and more hacker tools are now automated and publicly posted for all to download. This lets users with little skill--called lamers--trash and crash computer systems.

"I see it as a growth industry," Hoffmann said. "We're reprogramming resources from other areas now to apply against the computer crime threat.

"We want the message to get out that if you hack into an Air Force system, and you're identified and caught, we will make an effort to prosecute. And if we can put a dollar figure on it, we'll attempt to recoup damages," the general said. "If you break into Air Force computer systems, it's not going to be a free ride."