The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 6 Issue 68

Sunday 24 April 1988

Contents

o [By request: Special issue on LBL and Cliff Stoll for those in the outback]
o Lawrence Berkeley Lab computer break-ins
John Markoff
o Cops Catch Clumsy Computer ``Criminal''
Curtis C. Galloway
o Cliff's Little Black Book
Joseph M. Beckman
o Info on RISKS (comp.risks)

Lawrence Berkeley Lab computer break-ins

Peter G. Neumann <NEUMANN@csl.sri.com> Thu 21 Apr 88 23:17:11-PDT
   [For those who missed it, there was a terrific flurry of news on this 
   subject in the press throughout the week.  Here are two of the highlights.
   I have not tried to edit out the redundancy in the Pittsburgh article
   that follows.]  

04-17-88 2103 EDT
WEST GERMAN SECRETLY GAINS ACCESS TO U.S. MILITARY COMPUTERS
By JOHN MARKOFF
c.1988 N.Y. Times News Service

    NEW YORK - For almost two years, a West German citizen used global
communications networks to secretly gain access to more than 30
computers belonging to the United States military and military
contractors, according to computer security experts.
    The intruder, whose identity and motives remain uncertain,
methodically searched for data related to nuclear weapons, intelligence
satellites, the Strategic Defense Initiative, the space shuttle, and
the North American Air Defense Command. The computer security experts
said that the intruder did not gain access to any classified
information, nor did he successfully break into what government
officials call a ''secure'' government computer where classified
information was stored.
    The computer security experts are alarmed because of the systematic
and widespread nature of the break-ins. They said there was evidence
that the West German intruder had tried to gain access to a total of
450 computers.
    The episode raises the possibility that the intruder may have been
able to assemble classified data by piecing together material that was
sensitive but unclassified. The Reagan administration has been
concerned that foreign intelligence agents could piece together
classified information by assembling a ''mosaic'' of computerized data.
    ''This kind of penetration could clearly have been used for
espionage,'' said Peter G. Neumann, a computer security expert who is
familiar with the case. He works at SRI International, a non-profit
research center in Menlo Park, Calif.
    ''I think most of the attacks before this have been relatively benign
on a global scale,'' Neumann said. ''This one is much more insidious.''
    A spokesman for the Federal Bureau of Investigation in Washington
confirmed on Sunday that the intrusions were investigated, but he
declined to comment further.
    Last week, an article in a West German weekly magazine, Quick,
detailed the case, identifying the intruder as Mathias Speer, 24, a
computer science student in the city of Hanover. FBI officials,
however, would not confirm the identity.
    The intrusions may have occurred for as long as a year before being
discovered by computer managers at the Lawrence Berkeley Laboratory, in
Berkeley, Calif., one of the United States' national research
laboratories. The laboratory, the site of broad-based unclassified
scientific research, is a sister to the Lawrence Livermore Laboratory,
in nearby Livermore, which is heavily involved in research on secret
nuclear weapons and the Strategic Defense Initiative, or SDI. The
laboratories are operated by the University of California for the
federal government.
    Rather than taking steps to deny further computer access to the
intruder, the Lawrence Berkeley security experts - working with other
government computer security personnel - organized a system to monitor
the intrusions. At one point, to trace the intruder, the Lawrence
Berkeley officials offered false but seemingly classified information
as part of an electronic sting operation. The intruder loaded that
information into his computer in West Germany, staying on line long
enough for authorities in the United States and West Germany to trace
him. Later, as part of the same operation, an apparent accomplice based
in the United States appeared to become involved.
    The identity of the American citizen was not divulged by the Lawrence
Berkeley officials or by the FBI. He is believed to have been
questioned by the FBI in June 1987, about the same time that the West
German was detained and questioned by authorities there. The electronic
break-ins ended about the same time.
    ''We knew the key words he was looking for when he read electronic
mail on our computers,'' said Dr. Clifford Stoll, the computer systems
manager at Lawrence Berkeley who initially discovered the break-ins in
August 1986 and monitored them for approximately 12 months. ''He
searched all of the files at LBL for the word 'nuclear.' Then he
started looking for 'Star Wars' and SDI. We realized that he had us
confused with Lawrence Livermore.''
    Not long after the intrusions were discovered, the Lawrence Berkeley
computer managers considered that the intrusions might be a prank,
perpetrated by a sophisticated computer enthusiast, or ''hacker.''
Stoll said that, after watching the intrusions for several months, he
became convinced that they were more than that.
    The break-ins parallel another set of incidents last year in which a
group of West German computer enthusiasts, called the Chaos Computer
Club, broke into several international computer networks of the
National Aeronautics and Space Administration and rummaged freely among
the data for at least three months before being discovered. However,
the computer managers at Lawrence Berkeley said they believed that the
West German intruder was not associated with the Chaos group.
    Stoll, who is also an astronomer, has written an article about the
incident that is scheduled for publication next month in the technical
journal Communications of the Association of Computing Machinery.
Lawrence Berkeley has also scheduled a news conference on Tuesday to
discuss the intrusions.
    According to the Lawrence Berkeley officials, the yearlong
investigation involved the FBI and security experts from the Air Force
and the Army, as well as private security investigators. Under West
German law, not enough evidence was obtained for prosecution, the
Lawrence Berkeley officials said.
    According to Stoll, the West German compromised the military computers
by taking advantage of security loopholes in several different
operating systems, the software programs that manage data in a
computer. On computers operating under the Unix system, he frequently
used a loophole to give himself ''superuser'' status, which allowed him
to read and alter all material stored in the computer.
    The intrusions involved a variety of U.S. military computer systems in
this country, Europe, and Japan. The Lawrence Berkeley Laboratory
became a starting point for connecting to two unclassified military
networks, known as Milnet and Arpanet. They link computers at military
bases and military contractors.
    At one computer at the Naval Coastal Systems Command, in Panama City,
Fla., the intruder transferred to a computer in West Germany an
encrypted file containing user passwords. The intruder broke some of
the codes and called back to search through files protected by the
passwords. The intruder also gained access to computers at the Army's
Fort Buckner base in Japan and at the Anniston Army Depot, a supply
base for the Army's Redstone Arsenal, in Huntsville, Ala.
    At the Air Force Systems Command, in El Segundo, Calif., the intruder
managed to attain the status of system manager. ''I watched as he
scanned all of their SDI references and the usual pile of things and
then started printing out information on the space shuttle,'' said
Stoll. ''The Air Force later told me it was not classified information.''
    Other systems entered included military computers in San Diego, the
Pentagon's Optimus data base, and a computer at NASA's Jet Propulsion
Laboratory, in Pasadena, Calif.
    The officials at the Lawrence Berkeley Laboratory said that they
monitored attempted intrusions into a total of 450 military computers.
    ''Basically, he was walking down the street twisting the doorknob of
each house,'' Stoll said. ''He wouldn't push hard, but then he would go
around and do the electronic equivalent of trying the back door and the
side windows. If they didn't budge, he would go to the next house on
the street.''
    Shortly after discovering the intrusions, Stoll, aided first by City
of Berkeley officials and later by federal law-enforcement officers,
began trying to trace their origin. They were traced to a computer at a
U.S. military contractor in McLean, Va., near Washington. The Lawrence
Berkeley officials declined to identify the company.
    They then discovered that the intruder was dialing from Hanover to a
university computer in Bremen, West Germany. That computer was used to
connect to machines in the United States.
    The intruder's location was masked by dialing into the military
contractor's computer in Virginia and then using that computer's
capability to call other computers around the country, including those
at Lawrence Berkeley. The Lawrence Berkeley computer was used to
connect to the military networks - Arpanet and Milnet - to gain access
to the military installations.
    In tracing the intruder, the security investigators created an
automatic alarm system. Stoll wrote a computer program that would dial
his pager whenever the West German gained access to the computer at
Lawrence Berkeley. The pager automatically called a security official
from the Tymnet McDonnell-Douglas Network Systems Co., a computer
network company based in San Jose, Calif. The Tymnet official then
notified West German law enforcement officials.
    But the investigators traced the calls back to Hanover, where it took
as long as 30 minutes to set up a trace because of antiquated
equipment. The intruder's calls generally lasted no longer than five
minutes.
    In January of 1987, the security managers at Lawrence Berkeley created
an electronic sting operation using a large file of fictitious,
seemingly secret information. The file contained a reference to an
address at the Berkeley laboratory where further information related to
the Strategic Defense Initiative could be obtained.
    Once the file was discovered, the intruder remained connected to the
Lawrence Berkeley computer for more than an hour. Three months later,
according to the Lawrence Berkeley officials, a letter was mailed from
a United States citizen living in the Northeast to the address given by
the lab, inquiring about the false SDI information.
    The letter was given to the FBI.

nyt-04-17-88 2157edt


Cops Catch Clumsy Computer ``Criminal''

"Curtis C. Galloway" <cg13+@andrew.cmu.edu>
Sun, 24 Apr 88 15:23:02 -0400 (EDT)
From the Pittsburgh Post-Gazette, 24 April 1988, by Roger Stuart.
(Used without permission)

SOUTH PARK MAN CAUGHT IN U.S. TRAP LEAVES TRAIL CLOUDED IN MYSTERY

A South Park man who was stung seeking bogus computer-stored information
about U.S. military secrets has a long history of mysterious associations,
ranging from foreign intrigue to local garbage.

As with past incidents, authorities don't know -- or won't say --
what Laszlo J. Balogh was up to this time when his name surfaced in a
sting that caught a West German computer hacker who repeatedly gained
access to classified military files.

As with past exploits, Balogh, 43, emerged again as part-clever and
part-klutzy.

Although he has claimed extensive foreign government contacts and driven
expensive foreign cars, he once testified that he had difficulty recording an
undercover conversation for the FBI because the recorder kept slipping beneath
his sweat suit.

In the past, Balogh has billed himself as a Hungarian refugee; a draftsman; a
credit corporation employee; a trucking company owner; a diamond dealer; a
world traveler; a bodyguard for Kuwaiti princesses; a CIA hit man; and an FBI
informant.

But longtime neighbors on Ventura Drive said they had no clear picture of
Balogh's activities because he is "quiet," "keeps to himself" and is "often
gone for weeks at a time."

...Balogh in 1978 was an officer in a now-defunct company when another company
official was accused of giving Penn Hills officials a forged check drawn on a
non-existent bank.  The check was to be used as security in an unsuccessful
effort to obtain a garbage-hauling contract.  ... Balogh also was involved in a
Pittsburgh trucking firm that filed for bankruptcy in 1980.

His name surfaced again last week in connection with Marcus Hess, identified by
The San Francisco Examiner as the West German computer student who broke access
codes to snoop into U.S. military files a half-world away in Berkeley, Calif.

Earlier, a West German weekly magazine, Quick, identified the computer intruder
as Mathias Speer, 24.  Clifford Stoll, a researcher at the Berkeley Laboratory
and Leroy Kerth, a Lawrence Berkeley Laboratory director who oversaw the
investigation, said that name may have been a pseudonym.

In this case, Balogh, in what investigators believe was an attempt to get more
information about confidential military files, took the bait investigators
dangled in the hopes of learning who was gaining illegal access to the computer
system.

Having discovered that an intruder had been reading their computer records,
officials at the U. S. Department of Energy's Lawrence Berkeley Laboratory
planted a fictitious file to bait the hacker's interest.

The purpose was to keep the hacker on the line long enough for authorities to
trace his phone call.  The hacker tapped into the computer using a telephone and
computer modem.  In the event that the call couldn't be traced, authorities
also included in the fictitious file an address for the snooper to write for
additional information.

Berkeley officials thought they had solved their security problem in January
1987, when West German officials were able to trace the phone call to a
computer student in Hanover.

They were surprised four months later when they received a letter from Balogh,
who requested the information offered in the fictitious file.

...Although caught, the West German student has not been charged with
any crime.  The extent of Balogh's involvement has not been revealed.

The FBI isn't saying what, if anything, it knows about Balogh, who in
1983 served them as an informant and government witness.

[More about Balogh's involvement in schemes to steal $38,000 in
diamonds, secure garbage-hauling contracts with a phony check, and
steal computer equipment to sell to the Soviets.]

        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        Curt Galloway
        UUCP: ...!{seismo, ucbvax, harvard}!andrew.cmu.edu!cg13+


Cliff's Little Black Book

"Joseph M. Beckman" <Beckman@DOCKMASTER.ARPA>
Mon, 18 Apr 88 18:52 EDT
I have heard Mr. Stoll talk several times on the "Phantom of the ARPANET"
[RISKS-6.63] and the lessons learned by LBL.  One point he made with great
elan (at the last NCSC/NBS Nat'l Computer Security Conference) was that it
is essential to write actions and responses down in a 'laboratory' book.
However, it is quite obvious (as he has found out) that there are RISKs to
doing so!
                                     Joseph
