Thought this might be of interest. I'm a little concerned that Tsutomu didn't have his firewall set up correctly...

> How a computer sleuth traced a digital trail
> ------------------------------------------------------------------------
>
> (c) Copyright the News & Observer Publishing Co.
>
> New York Times
>
> RALEIGH, N.C. (8.59 p.m.) -- It takes a computer hacker to catch one.
>
> And if, as federal authorities contend, 31-year-old computer outlaw
> Kevin D. Mitnick is the person behind a recent spree of break-ins to
> dozens of corporate, university and personal computers on the global
> Internet, his biggest mistake was raising the interest and ire of
> Tsutomu Shimomura.
>
> Shimomura, who is 30, is a computational physicist with a reputation
> as a brilliant cyber-sleuth in the tightly knit community of
> programmers and engineers who defend the country's computer networks.
>
> And it was Shimomura who raised the alarm in the Internet world after
> someone used sophisticated hacking techniques on Christmas Day to
> remotely break into the computers he keeps in his beach cottage near
> San Diego and steal thousands of his data files.
>
> Almost from the moment Shimomura discovered the intrusion, he made it
> his business to use his own considerable hacking skills to aid the
> FBI's inquiry into the crime spree.
>
> He set up stealth monitoring posts, and each night over the last few
> weeks, Shimomura used software of his own devising to track the
> intruder, who was prowling around the Internet. The activity usually
> began around mid-afternoon, Eastern time, broke off in the early
> evening, then resumed shortly after midnight and continued through
> dawn.
>
> Shimomura's monitoring efforts enabled investigators to watch as the
> intruder commandeered telephone company switching centers, stole
> computer files from Motorola, Apple Computer and other companies, and
> copied 20,000 credit-card account numbers from a commercial computer
> network used by some of the computer world's wealthiest and
> technically savviest people.
>
> And it was Shimomura who concluded last Saturday that the intruder was
> probably Mitnick, whose whereabouts had been unknown since November
> 1992, and that he was operating from a cellular telephone network in
> Raleigh, N.C.
>
> Sunday morning, Shimomura took a flight from San Jose to
> Raleigh-Durham International Airport. By 3 a.m. Monday, he had helped
> local telephone company technicians and federal investigators use
> cellular-frequency scanners to pinpoint Mitnick's location: a 12-unit
> apartment building in the northwest Raleigh suburb of Duraleigh Hills.
>
> Over the next 48 hours, as the FBI sent in a surveillance team from
> Quantico, Va., obtained warrants and prepared for an arrest, cellular
> telephone technicians from Sprint Corp. monitored the electronic
> activities of the man they believed to be Mitnick.
>
> The story of the investigation, particularly Shimomura's role, is a
> tale of digital detective work in the ethereal world known as
> cyberspace.
>
> A COMPUTER SLEUTH BECOMES A VICTIM
>
> On Christmas Day, Tsutomu Shimomura was in San Francisco, preparing to
> make the four-hour drive to the Sierra Nevadas, where he spends most
> of each winter as a volunteer on the cross-country ski patrol near
> Lake Tahoe.
>
> But the next day, before he could leave for the mountains, he received
> an alarming telephone call from his colleagues at the San Diego
> Supercomputer Center, the federally funded research center that
> employs him. Someone had broken into his home computer, which was
> connected to the center's computer network.
>
> Shimomura returned to his beach cottage near San Diego, in Solana
> Beach, Calif., where he found that hundreds of software programs and
> files had been taken electronically from his powerful work station.
> This was no random ransacking: the information would be useful to
> anyone interested in breaching the security of computer networks or
> cellular phone systems.
>
> Taunting messages for Shimomura were also left in a computer-altered
> voice on the Supercomputer Center's voice-mail system.
>
> Almost immediately, Shimomura made two decisions. He was going to
> track down the intruders. And Lake Tahoe would have to wait awhile
> this year.
>
> The Christmas attack exploited a flaw in the Internet's design by
> fooling a target computer into believing that a message was coming
> from a trusted source.
>
> By masquerading as a familiar computer, an attacker can gain access to
> protected computer resources and seize control of an otherwise
> well-defended system. In this case, the attack had been started from a
> commandeered computer at Loyola University of Chicago.
>
> Though the vandal was deft enough to gain control of Shimomura's
> computers, he, she or they had made a clumsy error. One of Shimomura's
> machines routinely mailed a copy of several record-keeping files to a
> safe computer elsewhere on the network -- a fact that the intruder did
> not notice.
>
> That led to an automatic warning to employees of the San Diego
> Supercomputer Center that an attack was under way. This allowed the
> center's staff to throw the burglar off the system, and it later
> allowed Shimomura to reconstruct the attack.
>
> In computer-security circles, Shimomura is a respected voice. Over the
> years, software security tools that he has designed have made him a
> valuable consultant not only to corporations, but also to the FBI, the
> Air Force and the National Security Agency.
>
> WATCHING AN ATTACK FROM A BACK ROOM
>
> The first significant break in the case came on Jan. 28, after Bruce
> Koball, a computer programmer in Berkeley, Calif., read a newspaper
> account detailing the attack on Shimomura's computer.
>
> The day before, Koball had received a puzzling message from the
> managers of a commercial on-line service called the Well, in
> Sausalito. Koball is an organizer for a public-policy group called
> Computers, Freedom and Privacy, and the Well officials told him that
> the group's directory of network files was taking up millions of bytes
> of storage space, far more than the group was authorized to use.
>
> That struck him as odd, because the group had made only minimal use of
> the Well. But as he checked the group's directory on the Well, he
> quickly realized that someone had broken in and filled it with
> Shimomura's stolen files.
>
> Well officials eventually called in Shimomura, who recruited a
> colleague from the Supercomputer Center, Andrew Gross, and an
> independent computer consultant, Julia Menapace.
>
> Hidden in a back room at the Well's headquarters in an office building
> near the Sausalito waterfront, the three experts set up a temporary
> headquarters, attaching three laptop computers to the Well's internal
> computer network.
>
> Once Shimomura had established his monitoring system, the team had an
> immediate advantage: it could watch the intruder unnoticed.
>
> Though the identity of the attacker or attackers was unknown, within
> days a profile emerged that seemed increasingly to fit a well-known
> computer outlaw: Kevin D. Mitnick, who had been convicted in 1989 of
> stealing software from Digital Equipment Corp.
>
> Among the programs found at the Well and at stashes elsewhere on the
> Internet was the software that controls the operations of cellular
> telephones made by Motorola, NEC, Nokia, Novatel, Oki, Qualcomm and
> other manufacturers. That would be consistent with the kind of
> information of interest to Mitnick, who had first made his reputation
> by hacking into telephone networks.
>
> And the burglar operated with Mitnick's trademark derring-do. One
> night, as the investigators watched electronically, the intruder broke
> into the computer designed to protect Motorola Corp.'s internal
> network from outside attack.
>
> But one brazen act helped investigators. Shimomura's team, aided by
> Mark Seiden, an expert in computer fire walls, discovered that someone
> had obtained a copy of the credit-card numbers for 20,000 members of
> Netcom Communications Inc., a service based in San Jose that provides
> Internet access.
>
> To get a closer look, the team moved its operation last Thursday to
> Netcom's network operation center in San Jose.
>
> Netcom's center proved to be a much better vantage point for watching
> the intruder. To let its customers connect their computer modems to
> its network with only a local telephone call, Netcom provides dozens
> of computer dial-in lines in cities across the country.
>
> Hacking into the long-distance network, the intruder was connecting a
> computer to various dial-in sites to elude detection. Still, every
> time the intruder would connect to the Netcom system, Shimomura was
> able to capture the computer keystrokes.
>
> Late last week, FBI surveillance agents in Los Angeles were almost
> certain that the intruder was operating somewhere in Colorado. Yet
> calls were also coming into the system from Minneapolis and Raleigh.
>
> The big break came late last Saturday night in San Jose, as Shimomura
> and Gross, red-eyed from a 36-hour monitoring session, were eating
> pizza. Subpoenas issued by Kent Walker, the U.S. assistant attorney
> general in San Francisco, had begun to yield results from telephone
> company calling records.
>
> And now came data from Walker showing that telephone calls had been
> placed to Netcom's dial-in phone bank in Raleigh through a cellular
> telephone modem.
>
> The calls were moving through a local switching office operated by GTE
> Corp. But GTE's records showed that the calls had looped through a
> nearby cellular phone switch operated by Sprint.
>
> Because of someone's clever manipulation of the network software, the
> GTE switch thought that the call had come from the Sprint switch, and
> the Sprint switch thought that the call had come from GTE. Neither
> company had a record identifying the cellular phone.
>
> When Shimomura called the number in Raleigh, he could hear it looping
> around endlessly with a "clunk, clunk" sound. He called a Sprint
> technician in Raleigh and spent five hours comparing Sprint's calling
> records with the Netcom log-ins. It was nearly dawn in San Jose when
> they determined that the cellular phone calls were being placed from
> near the Raleigh-Durham International Airport.
>
> By 1 a.m. Monday, Shimomura was riding around Raleigh with a second
> Sprint technician, who drove his own car so as not to attract
> attention. From the passenger seat, Shimomura held a
> cellular-frequency direction-finding antenna and watched a
> signal-strength meter display its readings on a laptop computer
> screen. Within 30 minutes the two had narrowed the site to the Players
> Court apartment complex in Duraleigh Hills, three miles from the
> airport.
>
> At that point, it was time for law-enforcement officials to take over.
> At 10 p.m. Monday, an FBI surveillance team arrived from Quantico, Va.
>
> In order to obtain a search warrant it was necessary to determine a
> precise apartment address. And although Shimomura had found the
> apartment complex, pinning down the apartment was difficult because
> the cellular signals were creating a radio echo from an adjacent
> building. The FBI team set off with its own gear, driven by the Sprint
> technician, who this time was using his family van.
>
> On Tuesday evening, the agents had an address -- Apartment 202 -- and
> at 8:30 p.m. a federal judge in Raleigh issued the warrant from his
> home. At 2 a.m. Wednesday, while a cold rain fell in Raleigh, FBI
> agents knocked on the door of Apartment 202.
>
> It took Mitnick more than five minutes to open it. When he did, he
> said he was on the phone with his lawyer. But when an agent took the
> receiver, the line went dead.