How Shimomura snared prince of hackers

By John Markoff

Copyright © 1995, The New York Times

28 Feb 95

The capture of Kevin Mitnick, America's prince of hackers, is a story worthy of a Dick Francis thriller.

It takes a computer hacker to catch one. If, as United States federal authorities contend, 31-year-old computer outlaw Kevin Mitnick is the person behind a spate of break-ins to dozens of corporate, university and personal computers on the Internet, his biggest mistake was raising the interest and ire of Tsutomu Shimomura.

Shimomura, 30, is a physicist with a reputation as a brilliant cyber-sleuth in the tightly knit community of programmers and engineers who defend the country's computer networks.

It was Shimomura who raised the alarm in the Internet world after someone used sophisticated hacking techniques on Christmas day to remotely break into the computers he keeps in his beach cottage near San Diego and steal thousands of his files.

Almost from the moment Shimomura discovered the intrusion, he made it his business to use his own considerable hacking skills to aid the FBI's inquiry into the crime spree.

He set up monitoring posts, and used software of his own design to track the intruder prowling the Internet. Shimomura's monitoring efforts enabled investigators to watch as the intruder commandeered telephone company switching centres, stole computer files from Motorola, Apple Computer and other companies and copied 20,000 credit-card account numbers from a commercial computer network.

It was Shimomura who concluded that the intruder was probably Mitnick, whose whereabouts had been unknown since November 1992, and that he was operating from a cellular telephone network in Raleigh, North Carolina.

On a recent Sunday morning, Shimomura took a flight from San Jose to Raleigh-Durham International Airport. By 3am the next day, he had helped local telephone company technicians and federal investigators use cellular-frequency scanners to pinpoint Mitnick's location: a 12-unit apartment building in the Raleigh suburb of Duraleigh Hills.

Over the next 48 hours, as the FBI sent in a surveillance team, obtained warrants and prepared for an arrest, cellular telephone technicians from Sprint Corporation monitored the electronic activities of the man they believed to be Mitnick.

Last Christmas day, Tsutomu Shimomura was in San Francisco, preparing for a holiday in the Sierra Nevadas.

Before he could leave, he received a telephone call from colleagues at the San Diego Supercomputer Centre: someone had broken into his home computer, which was connected to the centre's computer network.

Shimomura returned to his beach cottage at Solana Beach, California, where he found that hundreds of software programs and files had been taken electronically from his powerful work station.

This was no random ransacking: the information would be useful to anyone interested in breaching the security of computer networks or cellular phone systems.

The Christmas attack exploited a flaw in the Internet's design by fooling a target computer into believing that a message was coming from a trusted source.

By masquerading as a familiar computer, an attacker can gain access to protected computer resources and seize control of an otherwise well-defended system. In this case, the attack began from a commandeered computer at Loyola University, Chicago.

Although the vandal was deft enough to gain control of Shimomura's computers, he, she or they made an error. One of Shimomura's machines routinely mailed a copy of several record-keeping files to a safe computer elsewhere on the network, a fact that the intruder did not notice.

That led to an automatic warning to employees of the supercomputer centre that an attack was under way. This allowed staff to throw the burglar off the system and it later allowed Shimomura to reconstruct the attack.
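The check this arrangement makes possible, as an added example in Python that is not from the article: the copy of a record-keeping file mailed off-host is treated as a trusted baseline, and a later comparison with the on-host file reveals lines an intruder removed. All hostnames and log lines are constructed.

```python
from collections import Counter

# Copy of a record-keeping file as it was mailed to a safe machine earlier
# (constructed sample; hostnames are invented).
SHIPPED_COPY = """\
Dec 25 14:09:32 workstation login: ROOT LOGIN ttyp0 FROM trusted.example
Dec 25 14:09:40 workstation rshd: connect from trusted.example
Dec 25 14:10:02 workstation syslog: restart
"""

# The same file as found on the workstation after the intrusion: one entry has
# been deleted and one later entry has been appended (constructed sample).
LOCAL_NOW = """\
Dec 25 14:09:32 workstation login: ROOT LOGIN ttyp0 FROM trusted.example
Dec 25 14:10:02 workstation syslog: restart
Dec 25 14:15:11 workstation rshd: connect from trusted.example
"""


def compare_logs(shipped: str, local: str) -> dict:
    """Compare the off-host copy (trusted baseline) with the on-host file.

    An honest log only grows, so the shipped copy must be an exact prefix of the
    local file.  If it is not, lines have been deleted or edited in place, which
    is the signal that an intruder has tried to cover their tracks.
    Returns {"tampered": bool, "missing": [...], "appended": [...]}.
    """
    s_lines = shipped.splitlines()
    l_lines = local.splitlines()
    if l_lines[: len(s_lines)] == s_lines:
        # Baseline intact; everything after it is new activity worth reviewing.
        return {"tampered": False, "missing": [], "appended": l_lines[len(s_lines):]}
    # Multiset difference: lines in the baseline that no longer exist locally
    # were removed; lines only present locally were added since the copy.
    missing = list((Counter(s_lines) - Counter(l_lines)).elements())
    appended = list((Counter(l_lines) - Counter(s_lines)).elements())
    return {"tampered": True, "missing": missing, "appended": appended}


def tamper_report(shipped: str, local: str) -> str:
    """One-line summary suitable for an automatic warning to the staff."""
    r = compare_logs(shipped, local)
    if r["tampered"]:
        return f"ALERT: {len(r['missing'])} log line(s) removed on host; baseline kept off-host"
    return f"ok: {len(r['appended'])} new line(s) since last shipped copy"


if __name__ == "__main__":
    print(tamper_report(SHIPPED_COPY, LOCAL_NOW))
```

The comparison is only meaningful if the shipped copy lives on a machine the intruder cannot reach, which is exactly why the off-network copy in the story survived.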

In computer-security circles, Shimomura is a respected voice. Over the years, software security tools that he designed have made him a consultant not only to corporations, but also to the FBI, the Air Force and the National Security Agency.

The first significant break in the case came on 28 January, after Bruce Koball, a computer programmer in Berkeley, California, read a newspaper account detailing the attack on Shimomura's computer.

The day before, Koball had received a puzzling message from the managers of a commercial online service called the Well. Koball is an organiser for a public-policy group called Computers, Freedom and Privacy, and the Well officials told him that the group's directory of network files was taking up millions of bytes of storage space, far more than the group was authorised to use.

That struck him as odd, because the group had made only minimal use of the Well. But as he checked the group's directory on the Well, he realised that someone had broken in and filled it with Shimomura's stolen files.

Well officials eventually called in Shimomura, who recruited a colleague from the supercomputer centre and an independent computer consultant.

Hidden in a back room at the Well's headquarters, the three experts set up a temporary headquarters, attaching three laptop computers to the Well's internal computer network.

The team had an immediate advantage: it could watch the intruder unnoticed.

Although the identity of the attacker was unknown, within days a profile emerged that seemed increasingly to fit a well-known computer outlaw: Kevin Mitnick, who had been convicted in 1989 of stealing software from Digital Equipment Corporation.

Among the programs found at the Well and at hiding places elsewhere on the Internet was the software that controls the operations of cellular telephones made by Motorola, NEC, Nokia, Novatel, Oki, Qualcomm and others. That would be consistent with the kind of information of interest to Mitnick, who had first made his reputation by hacking into telephone networks.

The burglar operated with Mitnick's trademark derring-do. One night, as the investigators watched electronically, the intruder broke into the computer designed to protect Motorola's internal network from outside attack.

But one brazen act helped the investigators. Shimomura's team discovered that someone had obtained a copy of the credit-card numbers for 20,000 members of Netcom Communications, a service based in San Jose that provides Internet access.

To get a closer look, the team moved its operation to Netcom's network operation centre in San Jose.

To let its customers connect their computer modems to its network with only a local telephone call, Netcom provides dozens of computer dial-in lines in cities across the country.

Hacking into the long-distance network, the intruder was connecting a computer to various dial-in sites to elude detection. Still, every time the intruder connected to the Netcom system, Shimomura was able to capture the computer keystrokes.

FBI surveillance agents in Los Angeles were almost certain that the intruder was operating somewhere in Colorado. Yet calls were also coming into the system from Minneapolis and Raleigh.

The big break came in San Jose, as Shimomura and Gross, red-eyed from a 36-hour monitoring session, were eating pizza. Subpoenas issued by Kent Walker, the US assistant attorney-general in San Francisco, had begun to yield results from telephone company calling records.

Data came from Walker showing that telephone calls had been placed to Netcom's dial-in phone bank in Raleigh through a cellular telephone modem.

The calls were moving through a local switching office operated by GTE Corp. But GTE's records showed that the calls had looped through a nearby cellular phone switch operated by Sprint Corporation.

Because of someone's clever manipulation of the network software, the GTE switch thought that the call had come from the Sprint switch, and the Sprint switch thought that the call had come from GTE.

Neither company had a record identifying the cellular phone.

When Shimomura called the number in Raleigh, he could hear it looping around with a "clunk, clunk" sound. He called a Sprint technician in Raleigh and spent five hours comparing Sprint's calling records with the Netcom log-ins. It was almost dawn in San Jose when they determined that the cellular phone calls were being placed from near the Raleigh-Durham International Airport.

By 1am on Monday, Shimomura was riding around Raleigh with a Sprint technician, who drove his own car so as not to attract attention.

Shimomura held a cellular-frequency direction-finding antenna and watched a signal-strength meter on a laptop computer screen. Within 30 minutes the two had narrowed the site to an apartment complex in Duraleigh Hills, four kilometres from the airport.

The next evening, the agents had an address and a federal judge issued a warrant. When FBI agents knocked on the door of Apartment 202, it took Mitnick more than five minutes to open it.

When he did, he said he was on the phone with his lawyer. But when an agent took the receiver, the line went dead.