2nd Intruder in Pentagon Computers : ‘Hacker’ May Have Altered User Files in Nationwide Link

Times Staff Writers

In the second such incident in a month, an electronic intruder broke into an unclassified Pentagon computer network earlier this week and this time may have damaged computer files of some users, a senior Defense Department official said Thursday.

Dr. Raymond S. Colladay, director of the Pentagon’s Advanced Research Projects Agency, said that there is “some evidence” that a sophisticated intruder “altered or destroyed files” in the computer memory of one or more users of the nationwide Milnet on Monday.

He declined to identify the users whose files may have been damaged or to describe the evidence.

He and other officials, however, said that the apparent tampering with files made this latest incident potentially more serious than the jamming of the Pentagon’s unclassified ARPAnet last month by an exasperating computer virus.

Pentagon Severs Links

As a precautionary measure, Milnet’s operator, the Pentagon’s Defense Communications Agency, severed the system’s links with other nationwide computer networks for 48 hours beginning Monday to protect the hundreds of defense contractors and government research centers that share information by computer through Milnet.

This latest incident also prompted the Defense Department to call on the expertise of a still-unannounced “fast reaction” team of software engineers--the electronic equivalent of a counterterrorist force--that it established last month at Carnegie-Mellon University in Pittsburgh. By Wednesday night, officials said, the team had worked out a remedy for the problem and was in the process of distributing it through the Milnet system Thursday.

New Security Measures

Pentagon officials said that two such troublesome intrusions less than a month apart on two computer networks that are considered vital to the nation’s civilian and defense research communities made it almost inevitable that new security measures would be imposed on users, despite likely inconvenience for thousands of researchers.

In the earlier incident, a young Cornell University graduate student, Robert T. Morris Jr., is under investigation by the FBI and a federal grand jury in Syracuse, N.Y. Beginning on the night of Nov. 2, a rapidly propagating virus--or rogue program--clogged the memories of an estimated 6,000 computers linked to the Pentagon’s ARPAnet. The only damage, however, was in time lost purging computers of the junk software.

Two sources familiar with the Milnet attack this week said that it used an intrusion technique employed by the Cornell virus, details of which have not been published. The latest intruder also exploited one of the software flaws used by the Cornell virus, thus highlighting a failure by some computer managers to take corrective action after last month’s highly publicized incident.

“When we first identified (the virus) a month ago, some installations implemented a defense against it and others did not,” said Colladay. The Pentagon official said that the failure of all users to act on the Pentagon’s prescriptions “is something we’ve got to investigate.”

Although other sources said they saw no signs that a computer virus was involved in the Milnet penetration, Colladay said that this possibility had not been ruled out. “We still don’t know if it was a virus or an individual,” he noted. “It was a very slow-moving thing.”

After initially declining to comment on the reasons for isolating Milnet from other networks, the Defense Communications Agency said in a statement Thursday that it had temporarily severed the connections after an “unidentified hacker penetrated a VAX computer” belonging to a defense contractor last Sunday night or early Monday morning.

The statement did not identify the contractor and made no reference to tampering with files.

The agency said that the intruder “used a weakness in the (firm’s) computer software,” although a remedy for the flaw previously had been prepared and made available through computer networks to users. It added that the firm has now “taken corrective action” to prevent a recurrence.

The Milnet intruder, operating from a computer in a still-unknown location, followed an intricate electronic route into the network, leapfrogging through one or more computers at universities in the United States, through a faculty computer at the University of Waterloo in Ontario, Canada, then into the headquarters of the Mitre Corp., a major defense contractor, in Bedford, Mass. Officials said that other, still-unidentified pathways might also have been used.

Mitre, a nonprofit firm that earns nearly all of its $450 million in annual revenues from engineering and technical services to the Defense Department, has other offices in the Washington suburb of McLean, Va., Houston and Colorado Springs, Colo., the headquarters of the North American Air Defense Command.

Marcia Cohen, a spokeswoman for Mitre, dismissed the intrusion as a “minor incident that was quickly detected and fixed, with no adverse consequences.”

Cohen said that the firm kept classified or sensitive information only on isolated, “stand-alone” computers that could not be reached through outside communications networks. She was unable to say, however, whether the intruder had reached other machines elsewhere after gaining access to the Mitre computer.

Cohen said that when the intrusion was detected about 8 a.m. Monday--several hours after it actually occurred--Mitre immediately notified the Defense Department, then telephoned the University of Waterloo’s Mathematics Faculty Computer Center, which appeared to have been the point of origin.

Only a Way Station

Bill Ince, the acting director of the computer center, said that a quick review of his system’s entry logs revealed that Waterloo was only a way station en route to Mitre. The logs showed an unusual pattern all through November of similar calls to Waterloo emanating from several universities in the United States and unidentified locations in Great Britain.

The mysterious calls began Nov. 3--about 24 hours after the Cornell virus began jamming ARPAnet computers--and continued until early Monday morning, the day Mitre’s computer was breached.

“Usually we don’t look at the logs,” Ince explained. “They’re usually not interesting.”

The intruder appeared to be routing calls through computer switching systems at schools ranging from Stanford University to the Massachusetts Institute of Technology “to hide his tracks,” Ince said in a telephone interview. He described the unknown hacker as surprisingly clumsy.

“It would have been so easy to destroy or edit the log-in records,” he said, “but instead they left stuff behind on our machine, some of it interesting.”

The computer file the intruder used was known as a “guest account,” one containing teaching materials for a calculus course the University of Waterloo is making available by computer to educators. The intruder appears to have known the file’s published “user name,” the first step for signing on to the system, and guessed the unpublished password--“guestaccount.”

The precise method by which the intruder leaped from Waterloo to Mitre remained unclear. “We’re not even a Milnet site,” Ince said.

Between Nov. 3 and Nov. 28, the intruder used 14 computers in the United States and two commercial networks to log into the Canadian machine, Ince said.

On Nov. 18 and again on Nov. 24, brief computer calls to the little-used calculus file came through a third commercial network from unidentified locations in Great Britain, although the intruder may actually have been operating a British computer remotely from the United States.

“It’s hard to understand the motivation,” Ince said. “It might be real spies or disgruntled people or kids out for fun. I’m annoyed that they used our machine for camouflage.”

Staff writer Lori Silver also contributed to this story.
