The Cuckoo’s Egg – Revisited

The other day I picked up a used copy of Cliff Stoll’s book The Cuckoo’s Egg about his search for a hacker, ultimately identified as a German, Markus Hess. Hess was using Stoll’s Lawrence Berkeley Labs computer as a base to infiltrate various government computers to steal (and sell to Russia’s KGB) government documents.

In this age of “Advanced Persistent Threats”, this 1986-8 threat was hardly “advanced”. In fact Hess’ basic break-in approach consisted of trying simple passwords for known system and vendor accounts. Today, this still an effective break-in approach! People are too lazy to create complex, but easy to remember, passwords.

Hess also used known bugs in system programs to escalate his privileges. Today, I get weekly CERT notifications of such bugs. There are hundreds of them announced annually. Nothing new (or advanced) here!

What did impress me about this story was that Hess was amazingly persistent. His efforts spanned many months. He was careful – always checking to see if some system person could be watching, and if so, quickly logging off. When a cracked password was changed for example, Hess quickly moved to another system and kept his attack going. “Persistent” threats aren’t new.

Hess copied password files to his system, presumably for off-line brute force (albeit simple) dictionary attacks to “guess” passwords. Some of these attacks were successful.

Also impressive was that Stoll set up an automated warning system to track Hess’ intrusions. It was not visible by Hess, but it automatically recorded his keystrokes on Stoll’s computer. Its design made it impossible for an intruder to delete or modify its records. It was an early threat detection system that of course was primitive compared to today’s detection systems, but it was instrumental to the discovery of Hess and Hess’ cohorts. Stoll also manually created a log notebook, which I would still recommend in the analysis of any attack. Such a notebook would include all aspects of an investigation, including interactions with network vendors, government agencies, and interested parties. Stoll’s astronomy training included “If you don’t record it, it didn’t happen…” – a good message for today’s network forensic engineers.

Another feature of Stoll’s detection system was the creation of what we today call a “honeypot”. His was rather simple: just some fake, but apparently interesting documents that needed system privileges to read. Stoll left open his computer so that the attacker could be tracked, but some government computers were forced to clamp down immediately. I’ve seen companies today, Google comes to mind, where systems are left vulnerable to track intruders so long as damage can be contained and not affect customers. Leaving a system and a honeypot open for the analysis of a threat is a good technique.

I found it hilarious that in the course of watching Hess attack various government and government contractor systems, Stoll was told by the owners of these systems, “It’s impossible to break into our system; we run a secure site.” I’m reminded of all the retail vendor breaches occurring these days as well as the stuxnet-like attacks.

Finally, Stoll had trouble getting help from the FBI, the CIA, and the NSA. The FBI has certainly beefed up its computer expertise since 1988, but it still will refuse to help anyone to deal with an annoying hacker that does not cause serious financial damage. My recommendation here is to pre-prepare an argument for why a threat can potentially cost your company lots of money. Homeland Security has a bevy of agencies to combat cybercrime; learn about them here.


  1. Stoll published a May 1988 ACM article “Stalking the Wily Hacker” that outlines chasing Hess. His book is better and is also an easy and quick read.
  2. The Cuckoo’s Egg, Doubleday 1989
  3. TaoSecurity’s Richard Bejtlich’s excellent talk on chasing Hess (has good photos).
  4. “The KGB, the Computer, and Me”. Video that tells Stoll’s story.

Tags: , , , , , , ,

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: