Hacking History: Clifford Stoll and Operation Showerhead- the first Honey Pot
In 1986, an astronomer named Clifford Stoll had his grant cut and started a new job at the Lawrence Berkeley Laboratory (LBL) as a systems manager. Near the beginning of his new role, his boss asked him to investigate a 75 cent discrepancy in their monthly accounting report. Users were charged $300 per hour for using the lab’s computers, and for the first time ever, the books came up 75 cents short, with no known user to bill for it. This seemingly small discrepancy landed Stoll in a whirlwind of cyber espionage involving the CIA and even the KGB. All this led to the invention of the first honey pot: Operation Showerhead.
The Hunt for Sventek
Clifford Stoll began running test programs and found no errors. Then, when looking through the user accounts, he found a name without an active account: “sventek”. The account belonged to a researcher who hadn’t used the lab’s computers in over a year. Keeping a close eye on traffic, Stoll identified the terminal number, and with it the line sventek was using to enter the lab’s systems.
By printing the traffic coming in from every network cable in the lab, Stoll found that this sventek user had discovered a security loophole and was taking advantage of it. Sventek had created a program which he sent to the system that allowed him to essentially become the systems manager for the entire lab. This gave him access to all files and communications happening in and through the lab’s computers, and let him change or delete any file in the system. Sventek also covered his tracks by reprogramming the accounting systems so they wouldn’t track his usage.
Now Stoll knew that he was dealing with a hacker, and a knowledgeable one. So he monitored sventek’s use, without allowing his own presence to be known, using a logic analyzer that would notify him every time the word “sventek” popped up in the system. Once Stoll could be alerted any time sventek was in the system, he began tracking their actions and noticed they were using the LBL computers to hack into other systems, including military systems.
The Plot Thickens
Clifford Stoll worked with technicians to trace the source to Virginia, but the phone company wouldn’t reveal the hacker’s identity without a warrant. So Stoll looked back through sventek’s activity and found that they had been looking up CIA members, and had found them: not only their names, but also their phone numbers, addresses and other personal information. Stoll contacted the CIA, but since none of the activity was traced out of the country, it was outside their domain. When Stoll contacted the FBI, the accounting error was too small to be taken seriously, so they didn’t investigate further. With an investigative mind himself, Stoll stuck to what he knew best to solve the case: science.
Operation Showerhead- the invention of the Honey Pot
Upon further inspection of the data, Stoll quickly learned that the originator was not in Virginia. On an alert about sventek using LBL’s computers, Stoll called a colleague to help him track the activity and found that the hacker was coming in from abroad. Eventually, by analyzing packet delivery delays and working with phone network technicians, they traced the source to Hanover, Germany. Once they traced the connection to Germany, they found that the phone network there used legacy systems that would require a half-hour to an hour to manually check all ports. The problem was that the hacker only stayed in the LBL system for a few minutes at most, as he essentially used it as a launching pad from which to reach other networks.
Then, while Stoll was in the shower one day, he came up with an idea. The reason the hacker wasn’t staying on their network for very long was that there was nothing interesting for him there. This sventek was obviously interested in government secrets, not scientific research and the like. So Stoll created phony government files written in bureaucratic language about mostly mundane items, but with some juicy, imaginary details to keep the hacker’s interest piqued. When sventek took the bait and stayed connected long enough to read them, the trace could finally be completed.
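The two defensive ideas in this story, an alert whenever a long-dormant account becomes active and a watch on planted decoy documents, as an added Python illustration. This is not Stoll's tooling; the audit lines, the account names other than sventek, and the decoy directory are constructed for the example.

```python
"""Dormant-account and decoy-file alerting over constructed audit records."""
from datetime import datetime, timedelta

# Constructed sample audit lines (not real LBL data): timestamp, action, key=value fields.
AUDIT_LINES = [
    "1986-08-20T02:14:05 login user=sventek tty=tt23 src=dialup",
    "1986-08-20T02:15:11 open  user=sventek path=/home/sventek/notes",
    "1986-08-20T02:16:40 open  user=sventek path=/decoy/budget-memo.txt",
    "1986-08-20T09:01:00 login user=alice tty=tt01 src=console",
]

# Last legitimate login per account (constructed); sventek has been idle for over a year.
LAST_SEEN = {"sventek": datetime(1985, 6, 1), "alice": datetime(1986, 8, 19)}
DECOY_PREFIX = "/decoy/"          # directory holding the planted, fictitious documents
DORMANT_AFTER = timedelta(days=365)  # an account idle this long counts as dormant


def parse(line):
    """Split one audit line into a dict: ts, action, and each key=value field."""
    ts, action, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts), "action": action}
    rec.update(f.split("=", 1) for f in fields)
    return rec


def alerts(lines, last_seen=LAST_SEEN):
    """Return alert strings for dormant-account logins and decoy-file accesses."""
    out = []
    for rec in map(parse, lines):
        user = rec["user"]
        # A login on an account nobody has used in a year is the 'sventek' signal.
        idle = rec["ts"] - last_seen.get(user, rec["ts"])
        if rec["action"] == "login" and idle > DORMANT_AFTER:
            out.append(f"DORMANT_LOGIN {user} tty={rec['tty']} src={rec['src']}")
        # Nobody legitimate reads the decoys, so any open is worth a trace.
        if rec["action"] == "open" and rec["path"].startswith(DECOY_PREFIX):
            out.append(f"DECOY_ACCESS {user} path={rec['path']}")
    return out


if __name__ == "__main__":
    for a in alerts(AUDIT_LINES):
        print(a)
```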
The technicians then handed the call over to the authorities in Germany, who worked with them to track down and imprison the perpetrators. Upon uncovering the hacker’s identity, they found that he had been working with a string of spies who were looking for government secrets to sell to the KGB. Sventek was a Hanover native named Markus Hess, an unassuming 28-year-old programmer.
All those involved with these government hacking sprees were indicted, except for one who mysteriously died shortly before the trial. He had burned to death in a forest. It was reported as a suicide, but his friends suspected it may have been the KGB.
A Cultural Awakening for Computer Security
This incident brought a fresh awareness to the connected world. As computers became more commonly used, organizations started storing increasing amounts of confidential information online. Even the military, on its own private network, was still vulnerable to outsiders coming in to search its systems. Many of the military computers which were hacked still used the default usernames and passwords shipped with the systems. These usernames and passwords were supposed to be changed, but 1 in 20 military systems had not bothered to change them.
This incident opened the world’s eyes to the dangerous possibilities of hackers breaching systems holding sensitive information, even as sensitive as national government agency secrets. The hackers had found army missile launch plans and other war-related strategies. Luckily, nothing too confidential was compromised, but the scare gave everyone connected to telephone networks a greater understanding of the risks involved in getting the world connected.
The KGB, the Computer, and Me- https://www.youtube.com/watch?v=PGv5BqNL164