A Cyberspace Dragnet Snared Fugitive Hacker

Computers: After his files were stolen, a San Diego man
joined federal agents to track down Kevin Mitnick.

by John Johnson

Copyright © 1995 LA Times

Feb 19 1995

RALEIGH, N.C. Legendary computer hacker Kevin Mitnick's two years as a federal fugitive did not end because he got too greedy or careless.

He got caught because he messed with the wrong person, someone as familiar with the dark corners of cyberspace as he is.

Tsutomu Shimomura, a top computer security expert at the San Diego Supercomputing Center, had followed Mitnick's exploits with interest, but he decided to get involved in the case, and in Mitnick's capture, only after the San Fernando Valley hacker decided to break into Shimomura's files, authorities said.

"It wasn't until Mitnick personally attacked him that Tsutomu decided to go on-line and go after him," said Kathy Cunningham, a deputy U.S. marshal who has been searching for Mitnick for almost a year.

And so Shimomura signed up with FBI agents and federal marshals to track down Mitnick, who had been convicted of causing millions of dollars in damage by stealing computer information and disrupting firms and their computer operations all over the country.

For two years, FBI agents have been investigating Mitnick in a host of alleged computer-related crimes, and along with the U.S. Marshals Service, have been hunting him for a parole violation on an earlier hacking conviction.

But Shimomura, 30, estimates that it only took four days of hard work in California to track Mitnick to Raleigh. Even before Shimomura flew to North Carolina last Sunday night, he knew where Mitnick was within two kilometers.

"He wasn't very hard to catch," Shimomura said. As for his reputation as a super-hacker, Shimomura said Mitnick "did nothing imaginative. I can see nothing new."

Mitnick's fatal error appears to have been his cockiness. With the same kind of arrogance that caused him to begin leaving taunting messages on Shimomura's voice mail bragging that "my technique is the best," he left his own electronic back door open.

The cellular phone he was using, even though he took extraordinary precautions to constantly clone new numbers and hide his attacks by routing his calls through far-flung dialing areas, was nothing but a kind of radio whose frequency could be followed as easily as luminous footprints, if you knew how.

The way Shimomura tells it, catching Mitnick was a virtual snap. But considering that he was able to do in a couple of weeks what government agents had failed to do for two years, there is ample reason to conclude that the man who wandered Raleigh in a pair of Birkenstocks and a T-shirt memorializing his participation in the Echo to Kirkwood ski race is a special breed.

Shimomura, a senior fellow at the Supercomputer Center, and a consultant who has worked for the super-secret National Security Agency, is a man of compelling contrasts. He talks so fast that his words have a tendency to run together and become garbled. He has a gaze as direct and unflinching as a supermarket scanner and a personal intensity that is reinforced by the way his dark eyebrows nearly meet above his slender nose. He has a well-defined sense of right and wrong and a delicate sense of good and bad manners.

"That's not very polite," he said of Mitnick's attack on the computer at Shimomura's San Diego beach house.

He wears his hair long enough that he could sit in on guitar with most rock bands without attracting attention. He would rather be on the ski slopes than answering questions from writers. And when he does submit, he sprawls in a chair rather than standing at a podium.

He appears particularly put off by efforts to cast his hunt for Mitnick as a kind of wrestling match, the dark-side hacker versus the computer version of an old-fashioned Texas Ranger keeping the electronic frontier free of outlaws. He found Mitnick's sloppiness in leaving clues distasteful. The closest he came to empathy for the nation's most wanted hacker is pity.

"I feel sorry for him," he said. "I wish we could do something more elegant than simply put him in jail."

Mitnick's career as a hacker began when he was very young. While a student at Monroe High School in North Hills, he broke into Los Angeles Unified School District computers. As a prank, he invaded the North American Air Defense Command computers. As a juvenile, he was convicted of stealing Pacific Bell computer manuals. And in 1988 he was convicted of infiltrating MCI telephone computers and accessing long-distance codes.

On two occasions since July, marshals traveled to Las Vegas, hoping to persuade his mother and grandmother to urge Mitnick to turn himself in.

"I said things are just getting worse and that he should come in and make the best for himself," Cunningham said of the last visit Feb. 8. "His grandmother said he really feared incarceration, it was so hard on him the first time. He was sensitive, she said, and hated the eight months he had spent in solitary confinement, that he couldn't go through it again."

"I told them he is just digging a deeper hole," Cunningham said. "They said it's out of their control."

In fact, Shimomura did not go looking for Mitnick. On Christmas Day, Mitnick allegedly came hunting for him.

An intruder broke into Shimomura's Osiris system and read his e-mail and took files relating to cellular phones and other security software. The thief also copied a file called Berkeley Packet Filter, which was developed for the NSA and can be inserted into an operating system without shutting it down with a re-boot.

The attack was accomplished by taking over a computer that was "friendly" to the target computer, enabling the attacker to enter undetected.

Shimomura said the attack lasted from 2 p.m. on Christmas Day until about 6 p.m. the next day. Shimomura, who was in Northern California, flew home to assess the damage. At this point, he did not know whom he was dealing with.

The trail went cold for several weeks. Shimomura's files had been stashed in a dormant account on the Well, a commercial network in South San Francisco that provides Internet access to 11,000 subscribers. The Well's technical staff discovered the unauthorized entry on Jan. 27 during a routine system check and notified the subscriber, Bruce Koball, a Berkeley computer programmer who operates a conference called Computers, Freedom and Privacy.

Koball found Shimomura's name on some of the files in his account, and the next day realized who it was after reading a story in the New York Times about the theft from the computer expert.

In all, technicians at the Well discovered 11 accounts compromised by the intruder, most of them dormant, but there was no evidence that he was using them for any purpose but storage.

"He was playing," said Melissa Walia, spokeswoman for the Well. "After he'd been out on the Internet being a thief, he would just throw his stuff on the Well."

Convinced that they could protect their subscribers' privacy, administrators of the Well agreed to work with Shimomura and the FBI, and set up 24-hour monitoring hoping that Mitnick would break into the system to store more purloined files.

"Although they probably could have cut him off, he would have walked free," Walia said. "They could have taken away the confidential files, but he wasn't doing anything with them, and they wanted to get him."

It was at this point that the security expert began to suspect who the intruder was. He witnessed an electronic exchange between the hacker and a friend in which the intruder talked about his picture appearing on the front page of the New York Times. Shimomura sent Andrew Gross, a colleague at the San Diego research center, to the Well to investigate.

Gross discovered that the thief had deposited a lot more besides the files he took from Shimomura. There were password files and source codes from many companies, including copies of at least 20,000 credit card numbers from a large Internet provider named Netcom.

In one suspicious file on the Well was e-mail from Dan Farmer to Wietse Venema, well-known authorities in computer security, according to a U.S. government affidavit.

"The cellular phone source codes intrigued us," Shimomura said, "because we knew Kevin was after that."

The technique some hackers use is to modify cellular telephones to disguise themselves. They then connect their computers to a cellular compatible modem and dial into a targeted phone line, often a network remote or a public access line. From there, hiding in the Internet, the attacker begins the assault on the target computer feeling safe that he has covered his tracks.

On Feb. 7, the hunt intensified. Shimomura, along with his friend, Julia Menapace, a software consultant, went to San Francisco and pitched in to help untangle the electronic web. The next day, Shimomura met with federal prosecutors in San Francisco, and they decided they would attempt to pursue the individual.

Federal agents have declined to discuss the specifics of the unusual relationship between Shimomura and the iconoclastic team of techies and amateur sleuths that he assembled to bring Mitnick to the ground.

Agents agreed to supply secret investigative information to Shimomura's team in exchange for continuing updates on the progress of their search. The most basic rule, Shimomura said, was that they were not to do anything illegal.

Shimomura set up his operation at the Well. But by Feb. 8, concluding that the intruder was getting into the Well through Netcom, Shimomura and his team set up new monitoring stations there.

They worked 20 hours a day, much of it at "listening stations," computers set up to sound an alarm when Mitnick's calls came through.

When an intrusion was detected they used Shimomura's sophisticated security programs to trace the call through a maze of computer connections.

They discovered that the intruder was gaining access through several public hookups in various cities, which allow users to access a system without incurring long-distance charges. After connecting to Netcom, the intruder used it as a platform from which to launch attacks on other computers.

Shimomura noticed that there was heavy traffic from two places, Denver and Research Triangle Park, a technology and scholastic hub in the Raleigh-Durham area. Shimomura's team was able to track the activity by homing in on relay stations transmitting the attacker's calls as he dialed in remotely.

Federal agents did a "track and trace" on a phone connection in Raleigh for Shimomura, but they discovered that the line looped around and around, leading nowhere.

"We suspect Kevin monkeyed with the switch," Shimomura said. Nevertheless, they were able to narrow the search to a two-kilometer area on the grassy, forested outskirts of Raleigh.

Forgetting to pack socks, Shimomura caught a plane for Raleigh on Feb. 12. An engineer from Sprint Cellular picked him up and they began driving along the tree-lined roads with equipment that homes in on the electronic beacon the attacker's cellular phone emitted every time he went to work.

Taking precautions, the target abandoned Sprint and switched to Cellular One, the same company Mitnick was suspected of harassing in Seattle in October. When police raided the house he was living in, they found a police scanner and signs that Mitnick had fled in a hurry.

Fearing that Mitnick might be monitoring police radio traffic in Raleigh, Shimomura suggested that all trackers' radios be turned off in the area of the Players Club apartments, the spot to which they had narrowed their search.

The group tracking Mitnick had now grown to include New York Times reporter John Markoff, who had written a book about Mitnick and other hackers.

"John was our Kevin expert," Shimomura said. For instance, Menapace said, if Mitnick's signal went silent, they would turn to Markoff and ask what Mitnick would probably be doing now. If he was eating, where would he go?

"John estimated he would go to the cheapest possible place and he wouldn't worry about" the quality of the food, Menapace said.

Mitnick once had a reputation as the quintessential junk food junkie, but as his fame spread, he developed a personal style more fitting for a romantic renegade. He lost more than 100 pounds, dressed in hipper fashion and got rid of his clunky black-framed glasses, substituting a pair of wire-rimmed spectacles.

Markoff acknowledged trading information with Shimomura, but denied being a member of the team. "I wasn't involved. I am a reporter. Tsutomu and Julia call me a member of their team, and that's fine if they want to call me that. But I was a reporter," Markoff said. He said he gave them nothing beyond what was available in his book.

In early February, a man using the name Glenn Thomas Case rented a one-bedroom apartment for $550 a month at Players Club, a massive Raleigh development of three-story, neocolonial buildings separated by lawns and fountains. One habit remained from Mitnick's early days, however, and it proved a particular irritant for Shimomura and Menapace.

Mitnick liked to sleep late and do his hacking late at night and into the early morning.

Because the federal agents who were working in the background with Shimomura worked a 9 to 5 routine, keeping them informed and also tracking the target's activities meant that Shimomura and Menapace had to put in 20-hour days.

This was not the only difficulty presented by trying to manage the disparate personalities and agencies assembled in Raleigh. In fact, catching Mitnick was not the most difficult part of the project.

"The hardest part was keeping everyone going," Shimomura said.

After informing the federal agents of the probable location of Mitnick, Shimomura and Menapace withdrew and waited, keeping a vigil nearby. Menapace took up a station across the street from the Players Club in a strip mall, where she monitored the target's activities.

As it turned out, Shimomura's strict precautions about radio silence were wise.

Late on Valentine's Day, federal Judge Wallace Dixon signed a search warrant for Apartment 202 at Players Club.

At 1:30 a.m. on Wednesday, agents knocked on the door after Shimomura determined that Mitnick was on the phone. About five minutes later, Mitnick opened the door and was arrested.

When Mitnick appeared in court he acknowledged Shimomura and Menapace, saying to her, "You look familiar to me. Where are you from?"

Although the Justice Department has credited Shimomura's role in the case, Assistant U.S. Attys. David Schindler in Los Angeles and John Bowler in Raleigh declined to comment except to say that federal agents have been pursuing the fugitive hacker for several years.

One law enforcement authority tracking Mitnick said Shimomura did make the difference in bringing him to justice.

"If Kevin hadn't screwed with Shimomura, he'd still be out there. I hate to pump up his ego, but it's true," said the official, who asked that his identity not be used.

Although Mitnick apparently respects the man who tracked him down, Shimomura does not reciprocate. "From what I have seen, he doesn't have a whole lot of expertise," he said.

"Kevin is not the problem," he said. The problem, in his view, is that most systems are not very secure. What Mitnick did, he said, remains very doable today.