Agencies Probe for Pentagon Computer Intruder as Trail Grows Cold

Times Staff Writers

Two federal agencies have begun an investigation to trace the intruder who broke into one of the Pentagon’s nationwide computer networks earlier this week, but analysts said that time is short and the electronic trail the unknown hacker left through multiple computers may be evaporating.

Defense Department officials said the FBI and the National Security Agency are cooperating in a joint effort to trace the intruder, who exploited a programming flaw late Sunday night and early Monday morning to penetrate computers connected to the unclassified Milnet system, which links hundreds of defense contractors and government research centers.

Connections Restored

The intrusion led the Pentagon’s Defense Communications Agency on Monday to sever Milnet’s connections with other computer networks as a protective measure. Susan Hansen, a Pentagon spokeswoman, said these connections, known as “mail bridges,” were restored Friday.

Coming less than a month after a young Cornell graduate student, Robert T. Morris, allegedly launched a rogue “virus” program that jammed an estimated 6,000 computers on a second Pentagon communications system, ARPAnet, this week’s attack has focused fresh attention on the broad problem of computer security and the vulnerabilities of two electronic networks that thousands of civilian and defense researchers use to exchange information and ideas.

Intrusion Referred to FBI

Pentagon officials said Monday’s intrusion into the Milnet system was referred automatically to the FBI, which is responsible for enforcing the Computer Fraud and Abuse Act of 1986. Although the National Security Agency, as an intelligence-gathering organization, has no law enforcement authority, it is responsible for protecting government communications and computers.

Analysts familiar with the latest episode said that the intruder appeared to have leap-frogged electronically through computers at one or more universities in the United States, then through a Canadian university before attacking a computer at the Mitre Corp., a major defense contractor in Bedford, Mass., and a member of the Milnet system.

Depending on the intruder’s sophistication, these analysts said, it may be possible to trace the origin of the attack by tracking back through sign-on information that is automatically recorded by computers at each step of the way. Many computer managers routinely destroy such data, however, after a week or less because it is usually of little interest and takes up valuable memory space.

“I would guess that lots of systems don’t keep it any longer than seven days, and some only 24 hours,” said Peter Yee, a researcher at UC Berkeley’s Experimental Computer Facility who has helped the Pentagon assess both computer attacks.

“It’s probably too late to trace him,” said Bill Ince, the manager of a computer center at the University of Waterloo in Ontario, Canada, which the intruder used as a last stepping stone to the Mitre Corp. “If you want to catch someone, you don’t cut off his access. You wait for him to do it again,” Ince said.
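As an added illustration that is not part of the article, the hop-by-hop trace through sign-on records that the analysts describe, run over constructed records with hypothetical host names and retention periods; it shows how the trail goes cold once one site on the path has purged its logs.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M"

# Constructed sign-on records for a chain of stepping-stone hosts (hypothetical
# names, not the hosts in the article). Each entry: (login time, source host).
LOGS = {
    "mitre.example":    [("1988-11-14 00:55", "waterloo.example")],
    "waterloo.example": [("1988-11-03 02:10", "uk1.example"),
                         ("1988-11-14 00:40", "usuniv.example")],
    "usuniv.example":   [("1988-11-14 00:30", "origin.example")],
}
# Days each site keeps sign-on records before purging them (constructed; the
# article quotes 24 hours to seven days as typical).
RETENTION_DAYS = {"mitre.example": 7, "waterloo.example": 30, "usuniv.example": 1}


def trace_back(victim, incident_time, now, logs=LOGS, retention=RETENTION_DAYS):
    """Walk upstream from the victim one hop at a time. At each host, take the
    latest login recorded before the time of interest and move to the host it
    came from. Returns (chain, reason): the reconstructed hops as
    (host, came_from, login_time) and why the walk stopped."""
    chain = []
    host, t = victim, datetime.strptime(incident_time, FMT)
    now = datetime.strptime(now, FMT)
    while True:
        if host not in logs:
            return chain, f"no sign-on records available for {host}"
        # A record older than the site's retention window no longer exists.
        if now - t > timedelta(days=retention.get(host, 0)):
            return chain, f"records on {host} already purged (retention {retention[host]}d)"
        candidates = [(datetime.strptime(ts, FMT), src) for ts, src in logs[host]]
        earlier = [c for c in candidates if c[0] <= t]
        if not earlier:
            return chain, f"no login on {host} precedes {t:%Y-%m-%d %H:%M}"
        login_t, src = max(earlier)
        chain.append((host, src, login_t.strftime(FMT)))
        host, t = src, login_t


if __name__ == "__main__":
    # Investigation started four days after the Monday intrusion.
    hops, why = trace_back("mitre.example", "1988-11-14 01:00", "1988-11-18 12:00")
    for h in hops:
        print(f"{h[0]} <- {h[1]} at {h[2]}")
    print("trail stops:", why)
```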

Analysts said the intruder exploited a recently discovered software flaw in the file-transfer facility of the Berkeley Unix operating system, which users of Milnet and ARPAnet rely on to transfer data files and software from one computer to another. The Cornell virus that jammed ARPAnet computers on Nov. 2 and 3 took advantage of different weaknesses in Berkeley Unix, these analysts said, and those have since been fixed.

Berkeley’s Peter Yee said that the flaw was an oversight in the original programming that enabled a user, with the right commands, to use the software’s file-transfer function to disable a computer’s security system and take command of its internal operations.

It is possible, Yee and others said, that a remedy the Berkeley researchers sent out at the end of October to users of Milnet and ARPAnet contained clues to the weakness it was meant to fix, enabling the intruder to deduce and exploit the file transfer flaw before the remedy could be widely installed.

Like automobile makers who send out recall notices, Berkeley has no way to ensure that customers will take them seriously, Yee said.

“Some managers don’t understand what to do,” he noted, adding that spelling out the consequences of failing to make the fix would only encourage sophisticated hackers to exploit a weakness.

Ince, at the University of Waterloo, said that this particular fix was not hard to interpret. “If you’re at all clever and you see the fix, you realize how to use it.”

As soon as Mitre notified the university on Monday that the Canadian computer had been used as an attack route, Ince sent Mitre a copy of November’s sign-on records for use in an investigation. These records, he said, showed an unusual pattern of calls from multiple computers in the United States and two in Great Britain, which in themselves may only have been way stations en route to Mitre.

The calls, he said, began on Nov. 3, only three days after Berkeley had sent out its prescription for repairing the file transfer flaw.
