The Cuckoo's Egg (book)

Last updated
The Cuckoo's Egg
The Cuckoo's Egg.jpg
Author Clifford Stoll
LanguageEnglish
Publisher Doubleday
Publication date
1989
Publication placeUnited States
Media typePrint
Pages326
ISBN 0-385-24946-2
OCLC 43977527
364.16/8/0973 21
LC Class UB271.R92 H477 2000

The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage is a 1989 book written by Clifford Stoll. It is his first-person account of the hunt for a computer hacker who broke into a computer at the Lawrence Berkeley National Laboratory (LBNL).

Contents

Stoll's use of the term extended the metaphor Cuckoo's egg from brood parasitism in birds to malware.

Summary

Author Clifford Stoll, an astronomer by training, managed computers at Lawrence Berkeley National Laboratory (LBNL) in California. One day in 1986 his supervisor asked him to resolve an accounting error of 75 cents in the computer usage accounts. Stoll traced the error to an unauthorized user who had apparently used nine seconds of computer time and not paid for it. Stoll eventually realized that the unauthorized user was a hacker who had acquired superuser access to the LBNL system by exploiting a vulnerability in the movemail function of the original GNU Emacs.

Early on, and over the course of a long weekend, Stoll rounded up fifty terminals, as well as teleprinters, mostly by "borrowing" them from the desks of co-workers away for the weekend. These he physically attached to the fifty incoming phone lines at LBNL. When the hacker dialed in that weekend, Stoll located the phone line used, which was coming from the Tymnet routing service. With the help of Tymnet, he eventually tracked the intrusion to a call center at MITRE, a defense contractor in McLean, Virginia. Over the next ten months, Stoll spent enormous amounts of time and effort tracing the hacker's origin. He saw that the hacker was using a 1200 baud connection and realized that the intrusion was coming through a telephone modem connection. Stoll's colleagues, Paul Murray and Lloyd Bellknap, assisted with the phone lines.

After returning his "borrowed" terminals, Stoll left a teleprinter attached to the intrusion line in order to see and record everything the hacker did. He watched as the hacker sought and sometimes gained unauthorized access to military bases around the United States, looking for files that contained words such as "nuclear" or "SDI" (Strategic Defense Initiative). The hacker also copied password files (in order to make dictionary attacks) and set up Trojan horses to find passwords. Stoll was amazed that on many of these high-security sites the hacker could easily guess passwords, since many system administrators had never bothered to change the passwords from their factory defaults. Even on military bases, the hacker was sometimes able to log in as "guest" with no password.

This was one of the first⁠—⁠if not the first⁠—documented cases of a computer break-in, and Stoll seems to have been the first to keep a daily logbook of the hacker's activities. Over the course of his investigation, Stoll contacted various agents at the Federal Bureau of Investigation (FBI), the Central Intelligence Agency (CIA), the National Security Agency (NSA), and the United States Air Force Office of Special Investigations (OSI). At the very beginning there was confusion as to jurisdiction and a general reluctance to share information; the FBI in particular was uninterested as no large sum of money was involved and no classified information host was accessed.

Studying his log book, Stoll saw that the hacker was familiar with VAX/VMS, as well as AT&T Unix. He also noted that the hacker tended to be active around the middle of the day, Pacific time. Eventually Stoll hypothesized that, since modem bills are cheaper at night and most people have school or a day job and would only have a lot of free time for hacking at night, the hacker was in a time zone some distance to the east, likely beyond the US East Coast.

With the help of Tymnet and agents from various agencies, Stoll found that the intrusion was coming from West Germany via satellite. The West German post office, the Deutsche Bundespost , had authority over the phone system there, and traced the calls to a university in Bremen. In order to entice the hacker to reveal himself, Stoll set up an elaborate hoax—known today as a honeypot—by inventing a fictitious department at LBNL that had supposedly been newly formed by an "SDI" contract, also fictitious. When he realized the hacker was particularly interested in the faux SDI entity, he filled the "SDInet" account (operated by an imaginary secretary named "Barbara Sherwin") with large files full of impressive-sounding bureaucratese. The ploy worked, and the Deutsche Bundespost finally located the hacker at his home in Hanover.

The hacker's name was Markus Hess, and he had been engaged for some years in selling the results of his hacking to the Soviet Union's civilian intelligence agency, the KGB. There was ancillary proof of this when a Hungarian agent contacted the fictitious SDInet at LBNL by mail, based on information he could only have obtained through Hess. Apparently this was the KGB's method of double-checking to see if Hess was just making up the information he was selling. Stoll later flew to West Germany to testify at the trial of Hess.

See also

Related Research Articles

<span class="mw-page-title-main">Computer security</span> Protection of computer systems from information disclosure, theft or damage

Computer security, cybersecurity, digital security, or information technology security is the protection of computer systems and networks from attacks by malicious actors that may result in unauthorized information disclosure, theft of, or damage to hardware, software, or data, as well as from the disruption or misdirection of the services they provide.

<span class="mw-page-title-main">Hacker</span> Person skilled in information technology

A hacker is a person skilled in information technology who achieves goals by non-standard means. The term has become associated in popular culture with a security hacker – someone with knowledge of bugs or exploits to break into computer systems and access data which would otherwise be inaccessible to them. In a positive connotation, though, hacking can also be utilized by legitimate figures in legal situations. For example, law enforcement agencies sometimes use hacking techniques to collect evidence on criminals and other malicious actors. This could include using anonymity tools to mask their identities online and pose as criminals. Likewise, covert world agencies can employ hacking techniques in the legal conduct of their work. Hacking and cyber-attacks are used extra-legally and illegally by law enforcement and security agencies, and employed by state actors as a weapon of legal and illegal warfare.

The Morris worm or Internet worm of November 2, 1988, is one of the oldest computer worms distributed via the Internet, and the first to gain significant mainstream media attention. It resulted in the first felony conviction in the US under the 1986 Computer Fraud and Abuse Act. It was written by a graduate student at Cornell University, Robert Tappan Morris, and launched on 8:30 p.m. November 2, 1988, from the Massachusetts Institute of Technology network.

<span class="mw-page-title-main">Kevin Mitnick</span> American hacker (1963–2023)

Kevin David Mitnick was an American computer security consultant, author, and convicted hacker. He is best known for his high-profile 1995 arrest and five years in prison for various computer and communications-related crimes. Mitnick's pursuit, arrest, trial, and sentence along with the associated journalism, books, and films were all controversial. After his release from prison, he ran his own security firm, Mitnick Security Consulting, LLC, and was also involved with other computer security businesses.

<span class="mw-page-title-main">Karl Koch (hacker)</span> German hacker (1965-c. 1989)

Karl Werner Lothar Koch was a German hacker in the 1980s, who called himself "hagbard", after Hagbard Celine. He was involved in a Cold War computer espionage incident.

Wardialing is a technique to automatically scan a list of telephone numbers, usually dialing every number in a local area code to search for modems, computers, bulletin board systems and fax machines. Hackers use the resulting lists for various purposes: hobbyists for exploration, and crackers—malicious hackers who specialize in breaching computer security—for guessing user accounts, or locating modems that might provide an entry-point into computer or other electronic systems. It may also be used by security personnel, for example, to detect unauthorized devices, such as modems or faxes, on a company's telephone network.

Robert H. Morris Sr. was an American cryptographer and computer scientist.

Network security consists of the policies, processes and practices adopted to prevent, detect and monitor unauthorized access, misuse, modification, or denial of a computer network and network-accessible resources. Network security involves the authorization of access to data in a network, which is controlled by the network administrator. Users choose or are assigned an ID and password or other authenticating information that allows them access to information and programs within their authority. Network security covers a variety of computer networks, both public and private, that are used in everyday jobs: conducting transactions and communications among businesses, government agencies and individuals. Networks can be private, such as within a company, and others which might be open to public access. Network security is involved in organizations, enterprises, and other types of institutions. It does as its title explains: it secures the network, as well as protecting and overseeing operations being done. The most common and simple way of protecting a network resource is by assigning it a unique name and a corresponding password.

<i>23</i> (film) 1998 German drama thriller film by Hans-Christian Schmid

23, original German title: 23 – Nichts ist so wie es scheint is a 1998 German drama thriller film about young hacker Karl Koch, who died on 23 May 1989, a presumed suicide. It was directed by Hans-Christian Schmid, who also participated in screenwriting. The title derives from the protagonist's obsession with the number 23, a phenomenon often described as apophenia. Although the film was well received by critics and audiences, its accuracy has been vocally disputed by several witnesses to the real-life events on which it was based. Schmid subsequently co-authored a book that tells the story of the making of 23 and also details the differences between the movie and the actual main events.

Clifford Paul "Cliff" Stoll is an American astronomer, author and teacher.

A logic bomb is a piece of code intentionally inserted into a software system that will set off a malicious function when specified conditions are met. For example, a programmer may hide a piece of code that starts deleting files, should they ever be terminated from the company.

Markus Hess is a German hacker who was active in the 1980s. Alongside Dirk Brzezinski and Peter Carl, Hess hacked into networks of military and industrial computers based in the United States, Europe and East Asia, and sold the information to the Soviet KGB for US$54,000. During his time working for the KGB, Hess is estimated to have broken into 400 U.S. military computers. The hacked material included "sensitive semiconductor, satellite, space, and aircraft technologies".

A security hacker is someone who explores methods for breaching defenses and exploiting weaknesses in a computer system or network. Hackers may be motivated by a multitude of reasons, such as profit, protest, information gathering, challenge, recreation, or evaluation of a system weaknesses to assist in formulating defenses against potential hackers.

Jonathan Joseph James was an American hacker who was the first juvenile incarcerated for cybercrime in the United States. The South Florida native was 15 years old at the time of the first offense and 16 years old on the date of his sentencing. He died at his Pinecrest, Florida home on May 18, 2008, of a self-inflicted gunshot wound.

Phone hacking is the practice of exploring a mobile device, often using computer exploits to analyze everything from the lowest memory and CPU levels up to the highest file system and process levels. Modern open source tooling has become fairly sophisticated to be able to "hook" into individual functions within any running app on an unlocked device and allow deep inspection and modification of its functions.

<span class="mw-page-title-main">Operation AntiSec</span> Series of cyberattacks conducted by Anonymous and LulzSec

Operation Anti-Security, also referred to as Operation AntiSec or #AntiSec, is a series of hacking attacks performed by members of the hacking group LulzSec and Anonymous, and others inspired by the announcement of the operation. LulzSec performed the earliest attacks of the operation, with the first against the Serious Organised Crime Agency on 20 June 2011. Soon after, the group released information taken from the servers of the Arizona Department of Public Safety; Anonymous would later release information from the same agency two more times. An offshoot of the group calling themselves LulzSecBrazil launched attacks on numerous websites belonging to the Government of Brazil and the energy company Petrobras. LulzSec claimed to retire as a group, but on 18 July they reconvened to hack into the websites of British newspapers The Sun and The Times, posting a fake news story of the death of the publication's owner Rupert Murdoch.

The following outline is provided as an overview of and topical guide to computer security:

In cybersecurity, cyber self-defense refers to self-defense against cyberattack. While it generally emphasizes active cybersecurity measures by computer users themselves, cyber self-defense is sometimes used to refer to the self-defense of organizations as a whole, such as corporate entities or entire nations. Surveillance self-defense is a variant of cyber self-defense and largely overlaps with it. Active and passive cybersecurity measures provide defenders with higher levels of cybersecurity, intrusion detection, incident handling and remediation capabilities. Various sectors and organizations are legally obligated to adhere to cyber security standards.

<span class="mw-page-title-main">Cuckoo's egg (metaphor)</span> Metaphor for brood parasitism

A cuckoo's egg is a metaphor for brood parasitism, where a parasitic bird deposits its egg into a host's nest, which then incubates and feeds the chick that hatches, even at the expense of its own offspring. That original biological meaning has been extended to other uses, including one which references spyware and other pieces of malware.

References