Recent news reports in Bay Area newspapers
about the arrest of a Berkeley hacker on 15 counts of computer hacking
told most of the story -- but not quite all of it.
On March 23 in San Jose, California, Max Ray Butler was charged in
federal court with hacking into a number of universities, Department of
Defense, and Department of Energy facilities including Brookhaven and
Argonne national laboratories. Butler, 27, is a self-described
"ethical hacker" also known as Max Vision. According to the San
Francisco Chronicle, for two years, he had been a confidential source for
an elite FBI Computer Crime Squad.
Butler's attacks also included Lawrence Berkeley National Laboratory
(Berkeley Lab) and UC Berkeley. As it turns out, these intrusions helped
lead to his undoing.
The attacks occurred in May 1998. At the time, Vern Paxson of Berkeley
Lab's Network Research Group was using network monitoring software he
had developed to analyze traffic at the Lab and within part of the UC
Berkeley campus. The software -- called BRO, which is short for "Big
Brother" -- was designed to monitor network traffic and unveil
security breaches. Paxson was not only protecting the Lab network but also
monitoring campus traffic as part of a research project into measuring
large-scale network traffic. He provided the campus with his expertise in
detecting intruders and gained useful data in return.
BRO turned up evidence that campus routers were being probed in an
unusual way and Paxson stepped up tracing of related traffic. Soon after
that, there was an attack on 13 UC computers using an attack tool never
before seen. In fact, the tool was the first exploitation of a newly found
vulnerability in UNIX systems.
"The attacker left some interesting footprints and a lot of
pointers to where he was coming from," Paxson recalls. Because of the
unusual nature of the attack, Paxson reported it to the Computer Emergency
Response Team and to the Department of Energy's Computer Incident Advisory
Capability.
The next day, someone using a U.S. Air Force computer attacked nine
Berkeley Lab machines. Because this was before BRO gained its current
capability to block such intrusions, the machines were taken
offline and no significant harm was done. But the unusual traffic on the
campus system continued and UC machines were used to launch attacks on
other sites. Because of BRO, "We had records of these sessions and a
list of all the machines he had broken into," Paxson said.
Then, the unusual case took an even weirder turn -- the hacker sent
Paxson an anonymous e-mail, which was both boastful and self-justifying.
Paxson said he had never gotten a message from a hacker before or since.
In the message, the hacker claimed his intent was not to do damage but to
demonstrate the vulnerability of the Internet.
The data gathered by BRO were turned over to federal investigators, who
told Paxson the information was quite useful in building their case.
"BRO enabled a very thorough tracing and produced much more
information about the attacks than would have been otherwise
available," Paxson said. "Usually these guys are very hard to
catch."
Within the world of computer security, BRO has earned a growing
reputation. In 1998, the Usenix Security Symposium honored Paxson with its
best paper award for his work entitled "BRO: A System for Detecting
Network Intruders in Real-Time."
BRO is a layered system that seeks out certain types of network
traffic.
The first layer is a general packet filter, which decides which data
packets should be examined. The second layer is an "event
engine," which takes the first-level packets and pieces them together
into "events," such as the beginning or end of a connection; or,
for some applications such as FTP (file transfer protocol), high-level
events such as identifying user names. Above that is the policy layer,
which interprets scripts, written in a specialized language, that define
how to respond to different events. Should the policy layer detect
information amounting to an attempted security breach, the system notifies
computer security people in real time. It also archives summaries of the
network traffic into and out of Berkeley Lab in a permanent record.
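To make the three layers concrete, the following Python sketch models the design the paragraph above describes: a packet filter that selects traffic worth examining, an event engine that turns those packets into connection and application-level events, and a policy layer that maps events to notices and a traffic log. It is an added teaching example, not BRO's own code; the packet format, the sample traffic, and the policy rule (flagging an FTP login attempt as "root") are all constructed for illustration.

```python
"""Toy three-layer intrusion detector in the spirit of BRO's architecture.

Layer 1: packet filter   -> which packets to look at
Layer 2: event engine    -> packets become events (connection start/end, FTP user)
Layer 3: policy layer    -> event handlers decide what to report and log

Added example; not BRO's code. Packet fields and sample traffic are constructed.
"""
from collections import namedtuple

# Simplified packet: source, destination, destination port, TCP flags, payload.
Packet = namedtuple("Packet", "src dst dport flags payload")

# Constructed sample traffic: an FTP session (SYN, USER command, FIN)
# and one unrelated DNS packet that the filter should ignore.
SAMPLE_PACKETS = [
    Packet("10.0.0.5", "10.0.0.20", 21, "S", b""),
    Packet("10.0.0.5", "10.0.0.20", 21, "A", b"USER root\r\n"),
    Packet("10.0.0.5", "10.0.0.20", 21, "F", b""),
    Packet("10.0.0.7", "10.0.0.53", 53, "", b"dns query"),
]

# Layer 1 configuration: only these destination ports reach the event engine.
INTERESTING_PORTS = {21, 23}  # FTP and telnet (assumed set for this example)


def packet_filter(packets):
    """Layer 1: keep only packets addressed to ports we care about."""
    return [p for p in packets if p.dport in INTERESTING_PORTS]


def event_engine(packets):
    """Layer 2: piece filtered packets together into higher-level events.

    Each event is a (name, connection, argument) tuple. A connection is
    identified by (src, dst, dport).
    """
    events = []
    for p in packets:
        conn = (p.src, p.dst, p.dport)
        if "S" in p.flags:
            events.append(("connection_established", conn, None))
        # Application-level parsing for FTP: extract the user name from USER.
        if p.dport == 21 and p.payload.upper().startswith(b"USER "):
            user = p.payload.split(None, 1)[1].strip().decode(errors="replace")
            events.append(("ftp_user", conn, user))
        if "F" in p.flags:
            events.append(("connection_finished", conn, None))
    return events


# Layer 3 configuration: policy rules, standing in for BRO's policy scripts.
FORBIDDEN_FTP_USERS = {"root"}  # constructed rule for the example


def on_ftp_user(conn, user, notices):
    """Policy handler: flag login attempts as forbidden accounts."""
    if user in FORBIDDEN_FTP_USERS:
        notices.append(
            f"NOTICE: FTP login attempt as {user!r} from {conn[0]} to {conn[1]}"
        )


def policy_layer(events):
    """Layer 3: dispatch events to handlers; return (notices, traffic log)."""
    handlers = {"ftp_user": on_ftp_user}
    notices, log = [], []
    for name, conn, arg in events:
        # Every event is summarized into the permanent traffic record.
        log.append(f"{name} {conn[0]}->{conn[1]}:{conn[2]}")
        handler = handlers.get(name)
        if handler is not None:
            handler(conn, arg, notices)
    return notices, log


def run(packets):
    """Run the full pipeline: filter -> events -> policy."""
    return policy_layer(event_engine(packet_filter(packets)))


if __name__ == "__main__":
    notices, log = run(SAMPLE_PACKETS)
    print("\n".join(log))
    print("\n".join(notices))
```

Running it on the constructed traffic logs three events for the FTP connection (the DNS packet never passes the filter) and raises a single notice for the "root" login attempt; in BRO, that notice would be what reaches the security staff in real time, while the log corresponds to the archived traffic summaries.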
For his part, Butler once billed himself as a computer security expert.
In 1997, he started a company that specialized in "penetration
testing" and "ethical hacking." Butler reportedly would
simulate for clients how a hacker would penetrate their computer systems.
Paxson said Butler's arrest was ironic but not "totally
surprising."