Taking a Computer Crime to Heart

By John Markoff

Copyright © 1995 The New York Times Company

January 28, 1995

It was as if the thieves, to prove their prowess, had burglarized the locksmith. Which is why Tsutomu Shimomura, the keeper of the keys in this case, is taking the break-in as a personal affront -- and why he considers solving the crime a matter of honor.

Mr. Shimomura, one of the country's most skilled computer security experts, is the person who prompted a Government computer agency to issue a chilling warning on Monday. Unknown intruders, the agency warned, had used a sophisticated break-in technique to steal files from Mr. Shimomura's own well-guarded computer in his home near San Diego. And the stealth and style of the attack indicated that many of the millions of computers connected to the global Internet network could be at risk. There have been at least four other known victims so far, including computers at Loyola University of Chicago, the University of Rochester and Drexel University in Philadelphia.

Since Monday, as the F.B.I. has continued to investigate the crime and look for evidence of break-ins elsewhere, Mr. Shimomura has been answering telephone calls and E-mail from government, corporate and university computer administrators seeking advice on how to arm themselves. Between replies, he has been working feverishly to perfect a new type of protective software that would thwart the burglars. Once it is finished, he intends to distribute the software free over the Internet.

But more than anything else, Mr. Shimomura, who is 30, wants to help the Government catch the crooks. And while he acknowledges that the thieves were clever, Mr. Shimomura has also uncovered signs of ineptitude that he says will be the intruders' eventual undoing.

"Looks like the ankle-biters have learned to read technical manuals," Mr. Shimomura said derisively. "Somebody should teach them some manners." Already, investigators working with Mr. Shimomura's assistance say they may have traced the source of the break-ins to a computer somewhere in the Philadelphia area. But the burglars' identities remain unknown.

Until last week, Mr. Shimomura, a computational physicist at the federally financed San Diego Supercomputer Center, was primarily known only to an elite circle of the country's computer security specialists. He is considered an expert in safeguarding computers from anonymous intruders -- whether pranksters out for a network joy ride, or more malevolent types intent on industrial espionage, stealing data or spreading software viruses.

The software security tools that he has designed have made him a valuable consultant to the F.B.I., the Air Force and the National Security Agency, as well as companies including Sun Microsystems Inc. The tools have also occasionally made him a target for computer burglars out to test his and their own mettle.

That is how Mr. Shimomura interprets what happened on Christmas Day, when computer burglars used the Internet to hack their way into the network of powerful work stations he keeps at his beach cottage. Having established this connection, the intruders then assumed Mr. Shimomura's electronic identity to move through the circuits that connect his cottage to the San Diego Supercomputer Center five miles away. The center is one of five around the nation whose mission is to develop advanced computer technology and use supercomputers to conduct research.

The thieves stole thousands of Mr. Shimomura's electronic mail messages and other computer files, leaving behind voice mail threatening his life and bragging about their technical skills. He considers the voice mail to be among the amateur mistakes, because truly skilled burglars would leave the premises as silently as they had entered.

Mr. Shimomura said the attack symbolized a basic tension at a time when millions of people are using the Internet and thousands of businesses are flocking to the network with visions of digital commerce dancing in their heads. Ideally, access to and from the Internet is a freely swinging two-way door. Practically speaking, however, security measures are necessary to insure that those who use the Internet have legitimate business to conduct on any of the millions of computers with which they may try to interact. The tightest security comes from erecting so-called software fire walls; but the more secure the wall, the less free the flow of information.

The balance that Mr. Shimomura chose to strike at his beach house proved too lax. "I thought I was reasonably secure," he said, "but I wanted to be able to use my computer without hiding behind a fire wall."

A Japanese citizen who has lived most of his life in the United States, and who once studied with the Nobel Prize-winning physicist Richard Feynman at the California Institute of Technology, Mr. Shimomura is not the stereotypical computer nerd. He was not home on Christmas Day because he was on his way to the Sierra Nevada, where he spends most of the winter as a self-described ski bum and a volunteer for the cross-country ski patrol near Lake Tahoe.

All the more reason he derides the geeks who had nothing better to do on Christmas than sit at a computer and pry into his electronic life.

"Gentlemen are not supposed to read each other's mail," he said.

The Christmas attack exploited a flaw in the Internet's design by fooling a target computer into believing that a message was coming from a trusted source. By masquerading as a familiar computer, an attacker can gain access to protected computer resources and seize control of an otherwise well-defended system.

In this case, intruders gained electronic entry into a small Internet computer in the San Francisco Bay area and used it as a staging area to look for weaknesses in the computers in Mr. Shimomura's home and the San Diego Supercomputer Center. Once this scouting mission was completed, the intruders used a computer they had remotely commandeered at Loyola University of Chicago to start a full-scale attack on Mr. Shimomura's machines.

Though the vandals were deft enough to gain control of Mr. Shimomura's computers, they made a clumsy error. One of his machines routinely mailed a copy of several record-keeping files to a safe computer elsewhere on the network -- a fact that the intruders did not notice. That led to an automatic warning to the San Diego Supercomputer Center employees that an attack was under way. This allowed the center's staff to throw the burglars off the system within a day; it also later allowed Mr. Shimomura to reconstruct the attack.

So far, the only known defense against this form of break-in involves making sophisticated hardware or software modifications to computer sites connected to the Internet.

But Mr. Shimomura is now at work on a software filter that he hopes will make it easier to ward off such attacks. When it is finished, it could make it virtually impossible for an outsider to masquerade as a trusted computer to gain entry to his system or any other computer armed with the software.

"It keeps detailed records of attempted attacks and immediately sets off an alarm," Mr. Shimomura said.

The ankle-biters, he warned, will test it at their peril.