Authors: Fred Kaplan
The first nightmare case:
For more on the Morris Worm, see Cliff Stoll, The Cuckoo's Egg (New York: Doubleday, 1989), 385ff; Mark W. Eichin and Jon A. Rochlis, “With Microscope and Tweezers: An Analysis of the Internet Virus of November 1988” (MIT, Feb. 9, 1989), presented at the 1989 IEEE Symposium on Research in Security and Privacy, http://www.utdallas.edu/~edsha/UGsecurity/internet-worm-MIT.pdf.
Todd Heberlein's innovation:
Richard Bejtlich, The Practice of Network Security Monitoring (San Francisco: No Starch Press, 2013), esp. the foreword (by Todd Heberlein) and Ch. 1; Richard Bejtlich, TAO Security blog, “Network Security Monitoring History,” April 11, 2007, http://taosecurity.blogspot.com/2007/04/network-security-monitoring-history.html; and interviews. Bejtlich, who was an officer at the Air Force Information Warfare Center, later became chief security officer at Mandiant, one of the leading private cyber security firms. The founding president, Kevin Mandia, rose through Air Force ranks as a cyber crime specialist at the Office of Special Investigations; during that time, he frequently visited AFIWC, where he learned of—and was greatly influenced by—its network security monitoring system.
A junior officer:
That was Bejtlich. See a version of his review at http://www.amazon.com/review/RLLSEQRTT5DIF.
“banner warning”:
Letter, Robert S. Mueller III, Assistant Attorney General, Criminal Division, to James H. Burrows, Director, Computer Systems Laboratory, National Institute of Standards and Technology, Department of Commerce, Oct. 7, 1992, http://www.netsq.com/Documents_html/DOJ_1992_letter/.
by the time he left the Pentagon:
Bejtlich, “Network Security Monitoring History.”
These systems had to clear a high bar:
In the 1980s, the Information Assurance Directorate's Computer Security Center wrote a series of manuals, setting the standards for “trusted computer systems.” The manuals were called the “Rainbow Series,” for the bright colors of their covers. The key book was the first one, the so-called Orange Book, “Trusted Computer Systems Evaluation Criteria,” published in 1983. Most of the work was done by the Center's director, Roger Schell, who, a decade earlier, had helped the intelligence community penetrate adversary communications systems and thus knew that U.S. systems would soon be vulnerable too.
On February 16, 1997:
CJCS Instruction No. 3510.01, “No-Notice Interoperability Exercise (NIEX) Program,” quoted in Zhou, “Findings on Past US Cyber Exercises for 'Cyber Exercises: Yesterday, Today and Tomorrow.'”
The game laid out a three-phase scenario:
Wright, “Eligible Receiver 97,” PowerPoint briefing. The rest of the section is based on interviews with participants.
The person answering the phone:
Matt Devost of the Coalition Vulnerability Assessment Team had experienced similar problems when he tried to find the American commander's computer password during one of the five eyes nations' war games. First, he unleashed a widely available software program that, in roughly one second's time, tried out every word in the dictionary with variations. Then he phoned the commander's office, said he was with a group that wanted him to come speak, and asked for a biographical summary. He used the information on that sheet to generate new passwords, and broke through with “Rutgers” (where the commander's son was going to college) followed by a two-digit number.
it only briefly alluded to:
White House, Critical Foundations: Protecting America's Infrastructures: The Report of the President's Commission on Critical Infrastructure Protection, Oct. 1997, 8, http://fas.org/irp/offdocs/nsdd145.htm.
CHAPTER 5: SOLAR SUNRISE, MOONLIGHT MAZE
On February 3, 1998:
The tale of Solar Sunrise comes mainly from interviews but also from Richard Power, “Joy Riders: Mischief That Leads to Mayhem,” InforMIT, Oct. 30, 2000, http://www.informit.com/articles/article.aspx?p=19603&seqNum=4; Solar Sunrise: Dawn of a New Threat, FBI training video, www.wired.com/2008/09/video-solar-sun/; Michael Warner, “Cybersecurity: A Pre-history;” and sources cited below.
“the first shots”:
Bradley Graham, “US Studies a New Threat: Cyber Attack,” Washington Post, May 24, 1998.
“concern that the intrusions”:
FBI, Memo, NID/CID to all field agents, Feb. 9, 1998 (declassified, obtained from the Cyber Conflict Studies Association).
“going to retire”:
Power, “Joy Riders.”
“the most organized”:
Rajiv Chandrasekaran and Elizabeth Corcoran, “Teens Suspected of Breaking into U.S. Computers,” Washington Post, Feb. 28, 1998.
Israeli police arrested Tenenbaum:
Dan Reed and David L. Wilson, “Whiz-Kid Hacker Caught,” San Jose Mercury News, March 19, 1998, http://web.archive.org/web/20001007150311/http://www.mercurycenter.com/archives/reprints/hacker110698.htm; Ofri Ilany, “Israeli Hacker Said Behind Global Ring That Stole Millions,” Haaretz, Oct. 6, 2008, http://www.haaretz.com/print-edition/news/israeli-hacker-said-behind-global-ring-that-stole-millions-1.255053.
“not more than the typical hack”:
FBI, Memo, [sender and recipient redacted], “Multiple Intrusions at DoD Facilities,” Feb. 12, 1998 (obtained from the Cyber Conflict Studies Association files).
“Who's in charge?”:
“Lessons from Our Cyber Past—The First Military Cyber Units,” symposium transcript, Atlantic Council, March 5, 2012, http://www.atlanticcouncil.org/news/transcripts/transcript-lessons-from-our-cyber-past-the-first-military-cyber-units.
“responsible for coordinating”:
Maj. Gen. John H. Campbell, PowerPoint presentation, United States Attorneys' National Conference, June 21, 2000.
Meanwhile, the FBI was probing all leads:
See the many FBI memos, to and from various field offices, in the declassified documents obtained by the Cyber Conflict Studies Association.
5.5 gigabytes of data:
The figure of 5.5 gigabytes comes from Maj. Gen. John H. Campbell, PowerPoint briefing on computer network defense, United States Attorneys' National Conference, June 21, 2000.
Days later, the news leaked to the press:
“Cyber War Underway on Pentagon Computers—Major Attack Through Russia,” CNN, March 5, 1999; Barbara Starr, “Pentagon Cyber-War Attack Mounted Through Russia,” ABC News, March 5, 1999, http://www.rense.com/politics2/cyberwar.htm.
They flew to Moscow on April 2:
Declassified FBI memos, in the files of the Cyber Conflict Studies Association, mention the trip: for instance, FBI, Memo, from NatSec, “Moonlight Maze,” March 31, 1999; FBI, Memo (names redacted), Secret/NoForn, “Moonlight Maze Coordinating Group,” April 15, 1999. The rest of the material comes from interviews. (The April 15 memo also mentions that Justice and Defense Department officials, including Michael Vatis and Soup Campbell, briefed key members of House and Senate Intelligence Committees on Feb. 21, 1999, and that the first public mention of Moonlight Maze was made by John Hamre on March 5, 1999, one year after the first intrusions.)
CHAPTER 6: THE COORDINATOR MEETS MUDGE
The collective had started:
The section on Mudge and the L0pht comes mainly from interviews, though also from Bruce Gottlieb, “HacK, CouNterHaCk,” New York Times, Oct. 3, 1999; Michael Fitzgerald, “L0pht in Transition,” CSO, April 17, 2007, http://www.csoonline.com/article/2121870/network-security/lopht-in-transition.html; “Legacy of the L0pht,” IT Security Guru, http://itsecurityguru.org/gurus/legacy-l0pht/#.VGE-CIvF_QU. Clarke later wrote a novel, Breakpoint (New York: G. P. Putnam's Sons, 2007), in which one of the main characters, “Soxster,” is based on Mudge; and a hacker underground called “the Dugout” is modeled on the L0pht.
He'd been a hacker:
His guitar playing at Berklee comes from Mark Small, “Other Paths: Some High-Achieving Alumni Have Chosen Career Paths That Have Led Them to Surprising Places,” Berklee, Fall 2007, http://www.berklee.edu/bt/192/other_paths.html.
He and the other L0pht denizens:
The hearing can be seen on YouTube, http://www.youtube.com/watch?v=VVJldn_MmMY.
Three days after Mudge's testimony:
Bill Clinton, Presidential Decision Directive/NSC-63, “Critical Infrastructure Protection,” May 22, 1998, http://fas.org/irp/offdocs/pdd/pdd-63.htm.
FIDNET, as he called it:
John Markoff, “U.S. Drawing Plan That Will Monitor Computer Systems,” New York Times, July 28, 1999; and interviews.
“Orwellian”:
Tim Weiner, “Author of Computer Surveillance Plan Tries to Ease Fears,” New York Times, Aug. 16, 1999; and interviews.
“While the President and Congress can order”:
Bill Clinton, National Plan for Information Systems Protection, Jan. 7, 2000, http://cryptome.org/cybersec-plan.htm.
Still, Clarke persuaded the president to hold a summit:
Most of this comes from interviews, but see also Gene Spafford, “Infosecurity Summit at the White House,” Feb. 2000, http://spaf.cerias.purdue.edu/usgov/pres.html; CNN, Morning News, Feb. 15, 2000, http://transcripts.cnn.com/TRANSCRIPTS/0002/15/mn.10.html; Ricardo Alonso-Zaldivar and Eric Lichtblau, “High-Tech Industry Plans to Unite Against Hackers,” Los Angeles Times, Feb. 16, 2000.
A few weeks earlier, Mudge had gone legit:
Kevin Ferguson, “A Short, Strange Trip from Hackers to Entrepreneurs,” Businessweek Online Frontier, March 2, 2000, http://www.businessweek.com/smallbiz/0003/ep000302.htm?scriptframed.
CHAPTER 7: DENY, EXPLOIT, CORRUPT, DESTROY
“the first of its kind”:
U.S. Air Force, 609 IWS: A Brief History, Oct 1995–Jun 1999, https://securitycritics.org/wp-content/uploads/2006/03/hist-609.pdf.
“any action to deny, exploit”:
U.S. Air Force, Cornerstones of Information Warfare, April 4, 1997, www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA323807/.
J-39 got its first taste of action:
On Operation Tango (though not J-39's role), see Richard H. Curtiss, “As U.S. Shifts in Bosnia, NATO Gets Serious About War Criminals,” Christian Science Monitor, July 18, 1997; and interviews.
more than thirty thousand NATO troops:
NATO, “History of the NATO-led Stabilisation Force (SFOR) in Bosnia and Herzegovina,” http://www.nato.int/sfor/docu/d981116a.htm.
“at once a great success”:
Admiral James O. Ellis, “A View from the Top,” PowerPoint presentation, n.d., http://www.slideserve.com/nili/a-view-from-the-top-admiral-james-o-ellis-u-s-navy-commander-in-chief-u-s-naval-forces-europe-commander-allied.
CHAPTER 8: TAILORED ACCESS
In the summer of 1998:
The Air Force tried to take ownership of Joint Task Force-Computer Network Defense, arguing that its Information Warfare Center had unique resources and experience for the job, but Art Money and John Hamre thought it needed to be an organization that either included all services or transcended them. (Interviews.)
So, on April 1, 2000:
U.S. Space Command, “JTF-GNO History—The Early Years of Cyber Defense,” Sept. 2010; and interviews.
A systematic thinker who liked:
GEDA is cited by Richard Bejtlich, “Thoughts on Military Service,” TAO Security blog, Aug. 3, 2006, http://taosecurity.blogspot.com/2006/08/thoughts-on-military-service.html; and interviews.
Suddenly, if just to stake a claim:
William M. Arkin, “A Mouse That Roars?,” Washington Post, June 7, 1999; Andrew Marshall, “CIA Plan to Topple Milosevic 'Absurd,'” The Independent, July 8, 1999; and interviews.
To keep NSA at the center of this universe:
NSA/CSS, Transition 2001, Dec. 2000, http://www2.gwu.edu/~nsarchiv/NSAEBB/NSAEBB24/nsa25.pdf; George Tenet, CIA Director, testimony, Senate Select Committee on Government Affairs, June 24, 1998, https://www.cia.gov/news-information/speeches-testimony/1998/dci_testimony_062498.html; Arkin, “A Mouse That Roars?”; and interviews.
The report was written by the Technical Advisory Group:
Much of the section on TAG comes from interviews; the TAG report is mentioned in Douglas F. Garthoff, Directors of Central Intelligence as Leaders of the U.S. Intelligence Community, 1946–2005 (Washington, D.C.: CIA Center for the Study of Intelligence, 2005), 273.
The Senate committee took his report very seriously:
Senate Select Committee on Intelligence, Authorizing Appropriations for Fiscal Year 2001 for the Intelligence Activities of the United States Government, Senate Rept. 106-279, 106th Congress, May 4, 2000, https://www.congress.gov/congressional-report/106th-congress/senate-report/279/1; and interviews.