Whenever someone asks me which cybersecurity book I’d recommend reading, my answer is instantly “The Cuckoo’s Egg”. This book can be enjoyed by both technical and non-technical people, not only within the cyber sphere but also in unrelated fields, thanks to its simple explanations and captivating flow of events. It tells the story of an astronomer who is tasked with finding a small error in the lab’s accounting records; little does he know that the issue runs deeper than a mathematical error. I highly recommend reading the book yourself, so if you wish to do so, please stop here. Should you have no time to read it, I have you covered with a short summary below.
Book Summary. Spoiler Alert!
Cliff, an astronomer, gets transferred to the Lawrence Berkeley Laboratory computer center, where Dave and Wayne have worked for years. He is tasked by Dave with figuring out why the accounting books show a 75 cent difference. After hours of research, he comes across the name Hunter, a user without a billing address who had used up 75 cents and not paid. He goes on to delete the user. The next day, a computer named Dockmaster sends them an electronic message claiming that someone from the lab had tried to break into that computer over the weekend. He establishes that the only user logged into the system at the time was Sventek, the account of a former employee who is currently based in the UK. He also finds the first mistake in the accounting system: a five-minute skew caused by various computers’ clocks drifting over the months.
He comes to the realization that he might have a super-user hacker in the network. This is a possibility because they had an unguarded guest account with the password “guest”. It is therefore possible for a user to elevate privileges and become a super user.
Without further information, they presented their suspicion to their boss, Roy, who dismissed them, demanding evidence. Cliff then started monitoring logins and noted that the user Sventek used the tty23 terminal port, which he pinned down to a 1200-baud modem connection. To get real evidence, he placed a printer between the 50 modem lines and the computer connections to print out every keystroke. On one of the modems, he noted that someone had sneaked in.
The printouts showed that the hacker had been active for 3 hours and had super-user privileges. The hacker (the cuckoo’s bird) had taken advantage of a vulnerability in the GNU Emacs program on Unix to gain elevated privileges from the guest account. He had written a program (the cuckoo’s egg) that requested privileges and swapped it in for the actual Unix atrun file. The swap was possible because the vulnerability in GNU Emacs let anyone move files into protected system space. Since the Unix system runs the atrun program automatically every 5 minutes, the user was able to become super user. As a superuser, the attacker was able to easily navigate the computers, masquerade as any user, read files and copy the password file.
After consulting with the lab director, Cliff’s manager, Roy, informs him that he has the full backing of management to investigate this electronic terrorism and catch the bastard.
They set up a hardened unix-8 system to watch over the other systems. During one of the intrusions, they noted that the attacker ran the ps -eafg command, which Dave found rather odd. They were able to trace the telecoms number used to dial in as coming from around Oakland. Dave ascertains that the attacker was an AT&T Unix user and not a Berkeley Unix user because of the -f flag, which gives a full process listing on AT&T Unix and is unnecessary for someone used to Berkeley Unix. That ruled out an insider or someone from the campus population. We also get to know that the password file was encrypted with DES, and the only way to get the passwords was to break the DES encryption.
The attacker is able to use the unix-4 computer to hop onto the Milnet network, which belonged to the Department of Defense. We get to know that the DoD had been keeping track of Hunter and that Hunter changed his password to Hedges, which gives a starting clue.
Cliff and Dave notice that the attacker planted a Trojan horse to try and collect user passwords, but the program does not work because it uses AT&T Unix syntax, whereas the Berkeley environment ran Berkeley Unix. The attacker eventually deletes the program as no passwords were harvested.
A warrant is acquired, but the attempt to trace the attacker’s call fails. We get to know that the attacker had taken over several dead accounts of physicists who had long since left and changed their passwords for his own use.
Despite being turned down by the FBI several times, Cliff and the team manage to get the Air Force involved in the hunt after the attacker tries to brute force his way into White Sands Missile Range. In another attempt, the trace was finally successful but showed that the call came from Virginia, which was beyond the jurisdiction of the current search warrant. During this particular trace, the attacker tried reaching the CIA network but got telephone numbers instead. Cliff called one of the numbers to warn them of what was happening.
The CIA does show up at the lab for a discussion regarding the events; however, despite their interest, they state that this is FBI territory and there is not much they can do at the moment. Cliff is, however, indirectly encouraged to keep at it.
For fear of files being deleted, the Anniston Army Depot decides to lock the attacker out by changing user passwords, but forgets to change the system passwords. The attacker is able to log in and sees the warning message left by the administrator.
The Department of Energy, which is responsible for LBL, is finally informed and advises Cliff to reach out to the National Computer Security Center (NCSC), a part of the NSA.
After consulting with his peers during lunch, Cliff is given the idea of calling the numbers he had logged during the phone trace, as the telephone company is unwilling to provide the results of the trace. He instead opts to social engineer this by calling the phone company and pretending he had forgotten whom he had dialed. This leads him to Mitre, which had a branch in Virginia, the same place as the CIA’s headquarters.
After contacting Mitre, the CIA and the Defense Communications Agency, Cliff is contacted by someone from the Air Force who promises to try to contact the FBI to get things rolling.
Cliff decides to try to hack into Mitre via Tymnet to prove his hypothesis. He is able to gain access without much trouble. He finds that someone had planted a Trojan horse to collect user passwords six months earlier and that one can freely dial out of Mitre. He then calls Bill from Mitre to discuss this indirectly and gets a list of all the phone calls made from Mitre over the past 6 months, which he analyses statistically.
Mitre shuts down the attacker’s route, cutting him off from Cliff’s network. Cliff sends his notes to the CIA.
The hacker disappears for almost a month, then finally shows up again. Cliff has a new hypothesis to test – the attacker might be coming from abroad.
When the hacker eventually shows up, Cliff and Ron are able to trace him to Germany. A further trace by Steve and the international team confirms Germany as the origin of the attacker. They are able to narrow it down to Bremen.
The FBI, CIA and NSA are now rather interested in the case. Roy wants Cliff to shut the attacker out, but the FBI talks him into letting this go on for a few more weeks. Another trace shows the attacker coming from Hannover. A German warrant is required to proceed any further. Cliff asks the FBI for help.
The FBI informs Cliff that he should shut down the operation. Luckily, the CIA is able to intervene and get Mike back on the case at the FBI. The issue now is that the attacker is showing up for only short periods, not long enough to trace the calls.
As the attacker had been connecting for only a very short time, Cliff and his partner Martha come up with a plan to lure him: fake secret military documents hosted on his network. The attacker would gain access to them and probably spend 2 hours reading them – enough to complete an end-to-end phone trace.
Martha (Cliff’s partner) suggested luring the attacker with fake documents that appeared to be military plans, in a bid to keep him connected for at least a few hours so that a trace could be conducted. We see them devising a plan on how to do that.
Their plan worked. They were able to keep the hacker online long enough to have the call traced. We see the hacker using the LBL computer to log in to an account all the way in Japan.
The call is finally traced. We see the attacker logging in to American military bases in Germany. The Germans plan on making the arrest on the weekend. A warrant is yet to be received from the FBI. Cliff calls the agencies. We learn that the scope of the case is being extended by the Germans and that they consider the situation serious.
The agencies finally gather in one place and Cliff explains the situation. In the end, it’s clear that the FBI and the Department of Justice want the operation shut down, while the DoE and the military want it to go on until a conviction is made. Cliff is invited to speak at the NCSC, where he meets Bob Harris, the chief scientist at the NCSC, who then takes him to the NSA to speak with Harry Daniels, a top shot there. Cliff explains the situation to both of them, with Harry showing much interest as he had been trying to bring this to the attention of various entities. Cliff is invited to speak at the upcoming National Telecommunications Security Committee meeting.
Cliff returns home. LBL sends out a notice that Cliff is giving a talk on how they caught the Germans; Cliff is able to quickly get that notice withdrawn. The attacker has been away for a while now, but Cliff notices that this is because he has been using a different path into the Milnet. Steve White comes into town and meets Cliff and Martha for dinner.
The hacker finally shows up again using the username of one of the LBL researchers. It turns out that the hacker used a dictionary attack to gain access to Merv’s account, which had the password “Messiah”. On calling Bob from the NSA, Cliff finds out that they had already known about this weakness for 5 to 10 years but had not said anything.
Cliff visits the NSA and gives his talk. He then heads over to the CIA, who surprise him with a certificate award.
A letter arrives for Barbara Sherwin, the fictional character that Cliff, Claudia and Martha had come up with to create bait for the attacker. The sender was requesting the files for SDINET. Cliff informs the agencies. The FBI tells him to ensure a proper chain of custody for the letter. From the spelling mistakes in the letter, the sender seemed to be from Eastern Europe, perhaps Hungary. The only issue is that the letter was sent from Pittsburgh. In the logs, Cliff confirmed that the bait file was opened just once and read only by the attacker.
After 10 months or so, the warrants are ready. An arrest is made, but Cliff is not given the details.
Finally, more than 1.5 years after the attacker was first noticed and several months after his arrest, someone in Germany wrote an article about the hack before Cliff could publish his own. A decision was therefore made to hold a press conference immediately, where Cliff and his boss answered questions from news agencies regarding the hack.
In the long run, Cliff got to piece together the information about the hacker – Markus Hess. Hess stole secrets and sold them through Hagbard to the Russians. This went via Pengo, one of the German members of the Chaos Computer Club who hacked machines.
Technical errors exploited within the book:
Below are the lessons learned from the book.
- Unsynced clocks – a five-minute skew from various computers’ clocks drifting over the months.
- They hadn’t changed their passwords in months.
- Used a simple dictionary word as the superuser password.
- The guest account used a simple, guessable password – guest.
- Never screwed down the security bolts on the system for fear of losing physicists to competitors.
- An engineer sent his easy password (his wife’s name) via email to Ed.
- The network of computers required only one password to log in to several computers.
- Accounts of physicists who had long since left were not deleted.
- Passwords were saved in files on the computer because the auto-generated passwords were too difficult for people to remember.
- Changed user passwords but forgot to change system passwords, assuming they were known only to the administrator.
- No password protection on some accounts.
- Vendors selling computers with the security features disabled.
- Shared, unaudited outgoing long-distance telephone service.
- Re-enabled a system account with the same password, without investigation.
- The use of dictionary-based passwords, which are easy to brute force.
- Mailing passwords to each other.
- Not monitoring audit trails.
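Three of the lessons above (dormant accounts of departed users, the shared guest account, and unmonitored dial-in logins) are exactly what a review of the login audit trail would have surfaced. The following is an added Python example, not code from the book or from LBL; the audit records, the 90-day dormancy threshold and the set of dial-in ports are constructed assumptions.

```python
from datetime import datetime

# Constructed sample audit trail (not from the book or any real lab system):
# one login record per line, "date time user port".
AUDIT_TRAIL = """\
1986-02-14 01:00 sventek tty11
1986-08-01 09:12 dave tty03
1986-08-02 17:40 wayne tty07
1986-08-29 02:17 sventek tty23
1986-08-29 02:40 guest tty23
1986-08-30 14:00 cliff tty04
"""

DORMANT_DAYS = 90            # assumed policy: a gap this long marks an account as dormant
DIAL_IN_PORTS = {"tty23"}    # assumed: ports wired to the dial-in modem lines
SHARED_ACCOUNTS = {"guest"}  # shared accounts that should never be logged into


def parse_trail(text):
    """Parse the audit trail into (timestamp, user, port) tuples."""
    records = []
    for line in text.splitlines():
        date, time, user, port = line.split()
        records.append((datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M"), user, port))
    return records


def review_logins(records, dormant_days=DORMANT_DAYS):
    """Walk the trail in time order and return (user, time, reason) findings for
    dormant-account logins, shared-account logins and off-hours dial-in logins."""
    last_seen = {}
    findings = []
    for when, user, port in sorted(records):
        stamp = when.strftime("%Y-%m-%d %H:%M")
        if user in last_seen:
            gap = (when - last_seen[user]).days
            if gap > dormant_days:
                findings.append((user, stamp, f"account dormant for {gap} days before this login"))
        if user in SHARED_ACCOUNTS:
            findings.append((user, stamp, "login to shared account"))
        if port in DIAL_IN_PORTS and not 7 <= when.hour < 19:  # working hours 07:00-19:00
            findings.append((user, stamp, f"dial-in on {port} outside working hours"))
        last_seen[user] = when
    return findings


if __name__ == "__main__":
    for user, stamp, reason in review_logins(parse_trail(AUDIT_TRAIL)):
        print(f"{stamp} {user:8} {reason}")
```

Each finding is one line an operator would have to explain; in the book, the dormant Sventek account logging in over a modem port at night is precisely the combination that started the hunt.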