In previous chapters, CERT®/CC incidents were examined statistically with the populations being either all incidents, a subgroup of all incidents, all incidents at Site A, or a subgroup of the incidents at Site A. This chapter provides a more detailed description of a small number of the most severe incidents. This is preceded by a discussion of various measures of severity that might be used to determine which are the most "severe" incidents.

10.1 Selection of the Severe Incidents

As was discussed in Chapter 7, there is not one obvious measure of the severity of an Internet security incident. Two examples will make this point more clearly. In one incident reported to the CERT®/CC, the number of sites involved was 1,563. This incident also involved root break-ins. Using these measures, this was the most severe incident in the CERT®/CC records. Closer examination reveals, however, that this incident was actually relatively minor. The incident's duration was only 8 days, while the average duration for all CERT®/CC incidents was 16.5 days. The 23 messages to and from the CERT®/CC for this incident was only slightly above the average for all incidents (and well within the 54.4 standard deviation). The primary reason for this unusual set of numbers was that this incident involved a sniffer and the sites involved were recorded in the sniffer logs, but apparently not actually attacked. The incident was also quickly resolved.

A second example illustrates a more severe incident. This incident was characterized by the following data: 712 days duration, 383 sites, 158 messages to/from the CERT®/CC, and root-level break-ins. This incident had the longest duration of any incident in the CERT®/CC records, but all of the measures for this incident were also more than one standard deviation above their respective means.
The intruders used numerous methods of operation including password cracking, Trojan horse login programs, deleting files, exploitation of open servers, social engineering, trusted hosts attacks, exploitation of sendmail bugs, mail spoofing and software piracy. It is the combination of all of these measures that makes this incident more severe than the first example given. Figures 10.1 and 10.2 illustrate another difficulty with the individual measures of severity. In these plots, the number of sites for each incident is plotted from the greatest to the smallest number. Figure 10.1 plots the first 4,000 incidents. It is not clear from this Figure where the logical separation would be between the "severe" and "not-so-severe" incidents, based on the number of sites involved.
The "knee" of the plot in Figure 10.1 is expanded in Figure 10.2. Again this does not give an obvious separation point between severe and non-severe incidents. The center of the knee occurs when the incident number (its rank in the descending plot) approximately equals the number of sites. This criterion identifies the first 62 incidents, but examination of these incident records shows that this includes many incidents that were not severe. Of these 62 incidents, 50 (81%) involved root break-ins, but 7 (11%) involved only account break-ins, 1 (2%) involved only access attempts, and 4 (7%) involved only FTP abuse and software piracy. One alternative to using the number of sites as the single criterion would be to also restrict the incidents to only those involving root break-ins.
A similar approach can be taken with the duration of incidents as shown in Figure 10.3. The "knee" of this curve is expanded in Figure 10.4.
The center of the knee for incident duration occurs at 99 incidents, although only 74 involved root break-ins. Another 20 incidents involved account break-ins, three incidents involved access attempts, one incident involved source spoofing, and one incident involved FTP abuse and software piracy. Again, one alternative would be to also restrict these incidents to root break-ins. Another dimension that may give some indication of severity is the number of messages to and from the CERT®/CC. As stated in Chapter 4, this may reflect CERT®/CC workload.
Figure 10.5 plots the number of messages sent to the CERT®/CC relative to the number of incidents. These data show the same distribution as the corresponding plots for duration and number of sites. Figure 10.6 isolates and expands the "knee" of Figure 10.5.
The center of the knee in Figures 10.5 and 10.6 occurred at the 87th incident. Of these incidents, 74 incidents (85.1%) were root break-ins, 9 incidents (10.3%) were account break-ins, 1 incident (1.1%) was an access attempt, 1 incident (1.1%) was a denial-of-service attack, and 2 incidents (2.3%) involved FTP abuse and software piracy. None of these measures individually appears to be able to consistently isolate the most severe incidents. Combining these measures has the potential to improve the selection. There were 20 incidents (0.5%) that involved root break-ins and were also above the "knee" of all three dimensions. An alternative to using the knee of these graphs to determine the severe incidents is to use the mean and standard deviations of the measurements. As shown in Table 10.1, if one standard deviation is added to the mean of each of the measurements, the resulting values are less than the respective values using the knee of the curves. There were 42 incidents meeting these lower thresholds.
Even if we go to two standard deviations above the mean, one of the measurements, duration, is still below the value determined from the graphs. Only 19 incidents met these criteria. Of these 19, 17 were also in the 20 incidents identified from the graphs (99 days duration, 62 sites, and 87 messages). If three standard deviations are chosen, all of the measurements are above the criteria from the graphs, but only 11 incidents meet this more restrictive criterion. The criterion from the knee of the graphs for duration (99 days) is 2.64 standard deviations above the mean, for the number of sites (62 sites) it is 1.45 standard deviations above the mean, and for the number of messages (87 messages) it is 1.34 standard deviations above the mean. It is not clear which of these criteria would be the most appropriate to use to identify the severe incidents. Since this chapter is intended to be descriptive and not statistical, accuracy is not strictly critical. As such, we could use the lower of the values for each measurement from either criterion. Using the criteria from the graphs (the "knees"), along with two standard deviations above the mean, the lower values yield the following criteria: 79 days duration, 62 sites, and 87 messages. This selects 22 incidents as shown in Table 10.2. The average measurements of these 22 incidents were 203 days duration, 169 sites, and 466 messages.
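The selection procedure described above (the rank-equals-value "knee" of each descending plot, the mean plus k standard deviations, the lower of the two per measure, and a root break-in filter) can be run as code over a set of incident records. The following is an added example and is not part of the original chapter or of the CERT®/CC tooling; the incident population is constructed, apart from the two incidents whose figures are quoted in the text (712 days / 383 sites / 158 messages, and 8 days / 1,563 sites / 23 messages), and the use of the population standard deviation is an assumption, since the text does not say which estimator was used.

```python
"""Severity selection for incident records: knee-of-curve versus mean + k*sigma.

Added example (not from the original chapter). Incident records below are
constructed; only the two incidents quoted in the text carry real figures.
"""
from dataclasses import dataclass
from statistics import mean, pstdev

MEASURES = ("duration", "sites", "messages")


@dataclass(frozen=True)
class Incident:
    ident: str
    duration: int   # days
    sites: int      # number of sites involved
    messages: int   # messages to/from the response team
    root: bool      # a root-level break-in was recorded


def knee_threshold(values):
    """Rank-equals-value knee: sort descending and return the largest 1-based
    rank k whose value is still >= k (the same construction as the h-index).
    This is the reading of "the incident number approximately equals the
    number of sites" used in the text; the rank itself is the threshold."""
    ordered = sorted(values, reverse=True)
    k = 0
    for rank, value in enumerate(ordered, start=1):
        if value >= rank:
            k = rank
        else:
            break   # values are non-increasing, so later ranks fail too
    return k


def mean_plus_k_sigma(values, k_sigma):
    """Mean plus k population standard deviations (assumption: population,
    not sample, standard deviation)."""
    return mean(values) + k_sigma * pstdev(values)


def thresholds(incidents, k_sigma=2.0):
    """Per measure, the lower of the knee criterion and mean + k*sigma,
    as the text does for 79 days / 62 sites / 87 messages."""
    out = {}
    for m in MEASURES:
        vals = [getattr(inc, m) for inc in incidents]
        out[m] = min(knee_threshold(vals), mean_plus_k_sigma(vals, k_sigma))
    return out


def select_severe(incidents, k_sigma=2.0, require_root=True):
    """Incidents at or above every threshold (and, by default, with a root
    break-in), returned in input order."""
    th = thresholds(incidents, k_sigma)
    chosen = []
    for inc in incidents:
        if require_root and not inc.root:
            continue
        if all(getattr(inc, m) >= th[m] for m in MEASURES):
            chosen.append(inc.ident)
    return chosen


# Constructed population. "dutch" and "sniffer_logs" carry the figures quoted
# in the text; the other three head entries are hand-written cases, and the
# synthetic tail exists only so the rank-ordered plots have a knee at all.
HEAD = [
    Incident("dutch", 712, 383, 158, True),
    Incident("sniffer_logs", 8, 1563, 23, True),   # huge site count, 8 days
    Incident("mid_root", 150, 80, 120, True),
    Incident("mid_account", 150, 80, 120, False),  # account break-in only
    Incident("long_quiet", 300, 5, 10, True),      # long, but very few sites
]
TAIL = [Incident(f"T{i}", 300 // i, 200 // i, 150 // i, i % 3 == 0)
        for i in range(1, 101)]
INCIDENTS = HEAD + TAIL

if __name__ == "__main__":
    print(thresholds(INCIDENTS))
    print(select_severe(INCIDENTS))
```

On this population the knee dominates every measure, the sniffer-log incident drops out on duration alone even though it has by far the most sites, and the account-only incident drops out on the root filter; the same three quantities the text reports (the knee rank, the mean + kσ value, and the incidents that clear all three) are what the functions return.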
10.2. Description of the Severe Incidents Chosen

Figure 10.7 presents how these incidents are distributed over time in the CERT®/CC records (using the year from the middle dates of Table 10.2). It is important to emphasize that this should not be taken as a statistical sample of the CERT®/CC incidents. There was a lot of variability in these data and the selection of these particular incidents as the most "severe" incidents was, at best, merely an approximation. Nevertheless, it is likely that a description of these incidents will provide valuable insight into the incidents reported to the CERT®/CC.
The distribution of these incidents over time is further broken down in Figure 10.8 which plots a rectangle representing each incident. The horizontal dimension of each incident corresponds to the duration, and the height corresponds to the average sites per day as listed in Table 10.2.
Figure 10.8. Sites per Day versus Duration for 22 "Severe" Incidents
Figure 10.8 gives a preliminary classification of the 22 severe incidents according to the predominant techniques intruders used during the incidents. Three classifications make up the bulk of the incidents (19 of the 22). In the early years, intruders in these severe incidents used primarily "manual" techniques through a command line interface. These techniques included individual user commands, simple shell scripts, and password cracking programs. Beginning in 1993, intruders became more sophisticated by gaining access to host computers using sniffers and then in 1994, they also used toolkits (such as rootkit). Three incidents did not fit into these categories. In the first half of 1993 there was a large incident that, although it involved some root break-ins, was primarily an incident of FTP abuse and software piracy. In the latter half of 1993, one severe incident primarily involved the use of a TFTP vulnerability which allowed an intruder to obtain a site's password file. Finally, one severe incident in 1995 involved primarily the use of sophisticated IP spoofing techniques. In addition to this trend in intruder techniques, the 22 incidents show two other underlying trends. The first of these is that in the early incidents, the attackers tended to be a few individuals, tended to be confined to a specific location or group of locations, and as a consequence, tended to be easily identifiable. The later severe incidents tended to have more attackers operating in many different locations. This, combined with the more sophisticated techniques used by intruders, resulted in the intruders being harder to identify in the later incidents. The other underlying characteristic of these severe incidents was the consistent use of a three-phase process of attack [ABH96:436-438]. In the first phase, the goal was to gain access to an account on the target system. 
For this, the intruder could obtain a user ID and password combination in a variety of ways, such as through various methods to crack passwords or, in later incidents, through the use of a sniffer program. In the second phase, the intruder exploited vulnerabilities in the host system to gain privileged or root access on that system. In the final phase, the intruder often used this privileged access to attack other systems across the network. For these 22 severe incidents, this pattern of attack was consistent. Later incidents used more sophisticated tools, but the three phases were generally followed. The exception to this was the one incident of these 22 which was primarily characterized by IP spoofing. Using this method of attack, the intruder does not need to break into an account before gaining privileged access. The following sections present more details about these 22 incidents.

10.2.1. Incident #1 - Dutch Hackers

The longest incident in the CERT®/CC records began April 1, 1990 with attempted penetrations at a U.S. .mil site. The attacks appeared to come from a U.S. .edu site, but this proved to be compromised. This was the beginning of an odyssey that lasted nearly two years, occupied countless hours of site administrator, law enforcement, and incident response personnel time, and caused damage and frustration for people using computers and networks on at least 383 commercial, educational, and military sites all over the world. Two other characteristics combined to make this incident particularly unusual. First, records show these attacks were carried out by a group of 4 young hackers operating out of their homes in a small area of the Netherlands. The later severe incidents generally involved more attackers located in many different areas. Also unlike later incidents, when it became increasingly difficult to identify intruders, in this incident the intruders were identified early in the incident - yet they were not arrested for nearly two years.
The primary reason for this was the lack of Dutch laws against computer crime. This Dutch hacker incident was one of the few CERT®/CC incidents to be widely reported in the press and in books. For example, Tsutomu Shimomura, a senior fellow at the San Diego Supercomputer Center, and John Markoff of the New York Times, wrote a book in 1996 giving an account of "the pursuit and capture of Kevin Mitnick," a well known hacker. In this book and in an April 21, 1991 Times article, they describe hacking activity at Stanford University through an account with user ID of adrian and at Bell Labs in Murray Hill, New Jersey, through an account with user ID of berferd [ShM96:96-101]. These 1991 attacks were part of this CERT®/CC incident. Unknown to Shimomura and Markoff, however, the hackers and this incident had been known to CERT®/CC since the previous year. CERT®/CC personnel and Wietse Venema, a systems administrator at one of the Dutch Universities, had been monitoring the hacker's activities. Their efforts were recorded in over 2,500 pages of text in the CERT®/CC record for this incident. Table 10.3 shows the top level domains for the reporting sites and other sites involved in the Dutch hacker incident. The majority of the attacked sites were in the U.S.
Throughout this incident, the intruders followed a specific pattern for their attacks. First they would compromise a site, usually in the U.S., which would be used for attacks on other sites. Every few months they would move this base of operations to another site. During the initial months of the incident, security was limited at most sites. The intruders were often able to find accounts with default, weak, or missing passwords. Tracing of the attacks was relatively easy, and by May, 1990, both the FBI and local law enforcement agencies were actively investigating the incident. The keywords used in the CERT®/CC record of this incident (Incident #1) to describe the methods of operation were as follows: weak passwords, no passwords, password files, password cracking, Trojan login, FTP, deleted files, open servers, social engineering, user accounts, system accounts, login attempts, hosts.equiv, .rhosts, sendmail attacks, debug, chsh/chfn, mail spoofing, rm -rf /, 87 socket, software piracy. These methods were implemented either by typing individual commands, or by using simple scripts or programs, such as password cracking programs. Most of these were well known methods. The exception is the "87 socket," which was unique to this incident. Intruders were often found to be telnetting to socket 87. By the end of May, 1990, it was determined this was where the intruders placed a process which was a backdoor method for gaining root privileges. During this incident, the hacking activities of these intruders were not specifically unlawful according to Dutch law. The intruders were very open about their activities. For example, at the beginning of May, 1990, one of the hackers gave a demonstration of their techniques by breaking into sites in France and the U.S. This demonstration included in-band signaling on the phone lines, which was a technique used to avoid toll charges.
The hackers bragged about their activities on Usenet groups, signing their posts with the name rchack (the initials "rc" are used in the Netherlands to mean "computing center"). The hackers talked on-line about their activities with systems administrators like Wietse Venema. And finally, in June, 1990, one of the hackers requested a job in computer security at a U.S. military site in Europe. He sent that site a resume with his correct name and address. There was a high level of activity by the Dutch hackers in May and June, 1990. This was followed by a period of inactivity until a "general wipeout" of all file systems at a Dutch University computing center toward the end of August. Break-in activity continued at this same Dutch site in September, and at several French sites and several U.S. .edu and .mil sites in November. This was followed by another quiet period until near the end of the year. On December 30, 1990, numerous sites around the Internet received a message from one of the hackers requesting an account for himself on their system. One of these messages was sent to the CERT®/CC, which caused response personnel to investigate. This hacker would come to be known as fidelio because this was the user ID of his account on one open U.S. site. He made no attempt, however, to disguise his identity, so his actual name was also widely known. The period from January through April, 1991, was one of intense activity by the Dutch hackers, and of intense activity by CERT®/CC personnel, systems administrators and law enforcement agencies. Techniques used by the hackers became more sophisticated, including "trusted hosts" attacks involving hosts.equiv and .rhosts files. Sites attacked were military and civilian sites in the U.S., Europe and Japan. This was when Stanford, Bell Labs, Tsutomu Shimomura (SDSC), and John Markoff (NY Times) became involved. 
In this time period Venema worked closely with Dutch law enforcement, but they were of little help because they "don't understand what a computer crime is." The situation in the U.S. was not much better. For example, the FBI was also unsure of what a computer crime was, and therefore, the CERT®/CC records indicate they were not very interested. Warrants were difficult to obtain. One site was reluctant to monitor the intruders within their own network because they were uncertain if a warrant was required for internal monitoring. In February, 1991, the Dutch hackers broke into a site that was tracking them, and they found out the extent to which they had been monitored. They responded with increased attacks at already compromised sites, and at new sites. Some attacks were destructive. Venema contacted the group of hackers and tried to "scare" them with information about investigations by CERT®/CC and law enforcement agencies. This appeared to have little effect. During this same month, Dutch television news reported on the hacker group and even showed one member of the group breaking into what appeared to be a U.S. military computer [Mar91]. On April 21st, the New York Times reported on the Dutch hackers [Mar91], and on April 24th, Stanford was identified as a site by the Stanford Daily [Sta91]. That same day, one of the hackers exchanged e-mail with a system administrator at a U.S. site frequented by hackers. In it, he detailed the activities of the Dutch hackers over the previous 18 months. Attacks continued from this group of intruders at a steady pace through July, 1991. The attacks resumed in October, 1991 and continued into 1992. During these periods, a debate was conducted among the attacked sites regarding selected sites that did not, as a matter of policy, secure their servers. These insecure servers were used by the intruders. Some applied pressure to have the sites secured. 
Others felt that the sites should be left open either because information and systems should be "free," or because it was easier to monitor intruders if they all funneled through only a few sites. On January 27, 1992, two of the Dutch hackers were arrested by Dutch police. At the time, Dutch law was still in preparation and therefore, charges against the hackers were based on existing law: forgery (corrupting systems files in order to obtain root privileges), vandalism (rendering a computer system unusable), and racketeering (using stolen passwords). Following these arrests, there was an increase in intruder activity for the next few weeks, perhaps as a response by other members of the group, or by other hackers. On February 17, 1992, the CERT®/CC issued an advisory of "Internet Intruder Activity" based on this incident (CA-92:03). For the next month, sites investigated and reported back to the CERT®/CC as to whether they had been attacked. In March, 1992, Wietse Venema sent a message to the CERT®/CC summarizing his recent interview with the hackers, who indicated the incident had involved 4 individuals. This is the last entry in the CERT®/CC record for this incident.

10.2.2. Incident #9 - Danish Hackers

A smaller, but still severe incident began on the Internet in August, 1993. This incident was similar to the Dutch hacker incident in that it primarily consisted of attacks by a small group of individuals in a geographically small area -- Denmark in this case. Table 10.4 lists the top-level domain names for the sites known to be involved.
The attack methods consisted of user commands and small scripts, and primarily involved exploiting vulnerabilities in the sendmail program as described in CERT® Advisories in October and November, 1993 (CA-93:15 and CA-93:16). The keywords used in the CERT®/CC record of Incident #9 to describe the methods of operation were as follows: sendmail, ISS attack, password files, password cracking, files deleted, mail spoofing, and Trojans. Law enforcement agencies became involved early in this incident. Their activities included phone tracing of the hackers. The hackers were arrested by Danish Police in December, 1993. The Danish press reported the incident as the "biggest Danish incident ever."

10.2.3. Incidents #2, 3, 4, and 8 - Other Command Line Incidents

There were 4 other severe incidents with intruders using primarily user commands and small scripts as methods of attack. These incidents were all similar to each other. The sites involved in Incident #2 are listed in Table 10.5.
Attacks during this incident were successful many times because of lax security. In the early part of the incident, sites attacked were primarily in the U.S. This changed toward the end of the incident, when attacks concentrated more on overseas military sites and sites in Germany.
The keywords used in the CERT®/CC record of Incident #2 to describe the methods of operation were as follows: password cracking, crack, FTP abuse, software piracy, open server, NIS. In June, 1992, a significant incident began (Incident #3) that used techniques described in CERT® Advisory CA-92:14, "Altered System Binaries Incident." The top-level domains of the sites involved are listed in Table 10.6. Incident #3 activity occurred primarily in the U.S., Australia, and Canada, employing holes in the Unix rdist utility. One widely used method of exploiting this vulnerability was to use a program called gimme which was written by Tsutomu Shimomura. Law enforcement agencies involved in this incident included the FBI, Secret Service, Australian National Police, Royal Canadian Mounted Police, and local police. The keywords used in the CERT®/CC record of Incident #3 to describe the methods of operation were as follows: rdist, modify logs, hosts.equiv, gimme, TFTP attack, NFS attack, Trojan login, password cracking, no password, password file, deleted files, Trojan telnet, sendmail. Rdist attacks were also used extensively in Incident #4 to attack the sites listed in Table 10.7.
The keywords used in the CERT®/CC record of Incident #4 to describe the methods of operation were as follows: rdist, password files, password cracking, .rhosts, hosts.equiv, configuration, NFS exports, IRC, weak passwords, no passwords. In the final incident in this category, Incident #8, the rdist hole was again used against sites with top-level domains as listed in Table 10.8.
The FBI and local police were reluctant to get involved in Incident #8 until several days into the incident when the first military site was attacked. The keywords used in the CERT®/CC record of Incident #8 to describe the methods of operation were as follows: NIS attack, NFS attack, Trojan login, rdist, expreserve, .rhosts, ypserv, password file, password cracking, hosts.equiv, configuration.

10.2.4. Incident #5 - FTP Abuse and Software Piracy

FTP abuse and software piracy were not generally considered security problems for the Internet by CERT®/CC personnel. Nevertheless, CERT®/CC recorded what information it received about these incidents, and one of these, Incident #5, met the criteria for classification as a severe incident. The top-level domains of the sites involved are listed in Figure 10.9.
The keywords used in the CERT®/CC record of Incident #5 to describe the methods of operation were as follows: FTP abuse, software piracy, configuration, wuarchive ftpd, warez, password cracking, password files. The CERT®/CC issued advisories on FTP abuse in April, 1993 (CA-93:06, "wuarchive ftpd Vulnerability"), and in July, 1993 (CA-93:10, "Anonymous FTP Activity"). Incident #8 began in August, 1993.

10.2.5. Incident #7 - TFTP Attacks

In October, 1991, the CERT®/CC issued an advisory on a vulnerability in the AIX TFTP Daemon (CA-91:19). Unless TFTP was properly restricted, this vulnerability allowed attackers to copy files, such as /etc/passwd, from the site using TFTP. Nearly two years later, in July, 1993, Incident #7 began. In this incident, the intruders' primary method of attack was to exploit this TFTP vulnerability. The top-level domains of sites involved are listed in Table 10.10. The keywords used in the CERT®/CC record of Incident #7 to describe the methods of operation were as follows: TFTP attack, password files, password cracking, crack, fraud, configuration. In this incident, the Secret Service became involved, and one of the intruders was arrested early in the incident (a 17 year old). The incident, however, continued for more than 4 months after that, with attacks from other intruders.
10.2.6. Incidents #6, 10, 11, 12, 13, 14, 17 - Sniffer Attacks

All of the remaining severe incidents used sniffers to attack Internet sites. For seven of these, this was the primary means of attack. The first of these seven incidents began in March, 1993 and involved sites primarily in the U.S., Europe, and South America with top-level domains as listed in Table 10.11.