- The Rome Labs Case: Datastream Cowboy and Kuji Mix It Up with the U.S. Air Force
- HotterthanMojaveinmyheart: The Case of Julio Cesar Ardita
- The Solar Sunrise Case: Mak, Stimpy, and Analyzer Give the DoD a Run for Its Money
- Conclusion
- Richard Power
HotterthanMojaveinmyheart:(2) The Case of Julio Cesar Ardita
On March 29, 1996, the U.S. Justice Department announced it had charged Julio Cesar Ardita (a.k.a. “El Griton”), a 21-year-old Argentine, with breaking into Harvard University’s computer network and using it as a staging platform for many other hacks into sites throughout cyberspace. Like Kuji and the Datastream Cowboy, Ardita targeted sites belonging to NASA, DoD, several American universities, and those in other countries (for example, Korea, Mexico, Taiwan, Chile, and Brazil). Like Kuji and the Datastream Cowboy, Ardita gained unauthorized access to important and sensitive information in his explorations. In Ardita’s case, the research information that was compromised involved satellites, radiation, and energy-related engineering.
Peter Garza of Evidentdata (Ranchero Cucamonga, California) was a special agent for the Naval Criminal Investigative Services. He led the digital manhunt that ended in Buenos Aires.
Garza described Ardita as a dedicated hacker. “Ardita was no ordinary script kiddie,” Garza tells me. “He didn’t run automated hacking scripts downloaded from someone else’s site. He did his hacking the old-fashioned way. He used a terminal emulator program, and he conducted manual hacks. He was prodigious. He had persistence and stamina. Indeed, I discovered records of ten thousand sessions on Ardita’s home computer after it was seized. During the technical interviews we did of Ardita in Argentina (after his arrest), he would describe all-night sessions hacking into systems all over the Internet.
“Early on in the investigation,” Garza adds, “I had guessed this would be a solvable case because of this persistence. I had guessed that because this was such a prolific hacker, he had to use the same file names, techniques, and hiding places just so that he would be able to remember where he left collected userids and passwords behind on the many hacked systems. Also, I hoped the hacker was keeping records to recall the hacked sites. Records that would help further the investigation if we were successful in tracking the hacker down. It was gratifying that I was right on both counts. Records on his seized computer, along with his detailed paper notes, helped us reconstruct much of what he had done.”
Like the investigation that led to the identification and arrest of the Rome Labs hackers, the pursuit that led to the identification and arrest of Ardita accelerated the learning curve of those responsible for tracking down cybercriminals and bringing them to justice.
The following account, drawn from my interview with Garza and the court affidavit written by Garza himself in support of the criminal complaint against Ardita, sheds light on the details of the investigations and the groundbreaking work that the case required.
How the Search for “El Griton” Began
Sysadmins at a U.S. Navy research center in San Diego detected that certain system files had been altered. Taking a closer look, they uncovered certain files, including a sniffer he left behind, the file that contained the passwords he was logging, and a couple programs he used to gain root access and cover up his tracks.
This evidence enabled Garza to construct a profile of the hacker.
Coincidentally, and fortuitously, Garza and other naval security experts happened to be at the San Diego facility for a conference on the day that the intrusion was detected. They worked late into the night.
They succeeded in tracking the as-yet-unidentified hacker to a host system administered by the Faculty of Arts and Sciences (FAS) at Harvard University, Cambridge, Massachusetts. The hacker was making unauthorized use of accounts on the FAS host and trying to access other systems connected to Harvard’s network via the Internet.
(As early as July 1995, host computers across the United States as well as in Mexico and the United Kingdom reported both successful and unsuccessful hacking attempts seeming to originate from the FAS Harvard host. But this U.S. Navy investigation that commenced in late August would lead to Ardita’s arrest.)
Although it was impossible at first to determine the hacker’s true identity because he was using the legitimate account holders’ identities as his aliases or covers, investigators could distinguish the hacker from other users of the FAS Harvard host and the Internet through certain distinctive patterns of illicit activity. But to track the hacker all the way back to his point of origination, Garza was going to need a court order for a wiretap.
Figure 6.2 The hacker’s path.
){kind=link}
Source: U.S. Justice Department
“I called the U.S. Attorney’s office in Boston on a Thursday and asked if we could have the court order in place by Monday,” Garza recounts. “They laughed. Six months was considered the ‘speed of light’ for wiretap approval. But we started to put the affidavit together anyway, and got it okayed in only six weeks, which at that time was unheard of.”
Indeed, the work of Garza and the others to obtain a wiretap in the 1995 Ardita case laid a lot of the groundwork that made it possible for investigators in the 1999 “Solar Sunrise” case (which I describe later in this chapter) to obtain wiretap approval in one day.
Ardita’s Biggest Mistake
By the end of September, as Garza explains, the investigators detected a change in the hacker’s behavior. “He had been dialing into the Harvard network via telephone lines. But by September, he had stopped dialing in, yet he was still active on the network. Our investigation revealed that in the beginning, he had been breaking into a PBX of an off-shore company, located in Argentina, and from there dialing into Harvard, and then from Harvard hacking elsewhere around the Internet. The change came when he broke into Telecom Argentina to get free Internet access. He would tel-net from there to Harvard and then from Harvard keep hacking other sites.
“We were able to look at where he was coming from on the Internet,” he explains, “and we saw a cluster of connections from different universities and other organizations in Argentina. We hadn’t tracked it back to his residence yet, but at least we knew he was either coming in through Argentina or he actually was someone living in Argentina.”
Breaking into Telecom Argentina turned out to be Ardita’s biggest mistake.
“We had been trying to get the phone company down there to do a phone trace because we follow the trail to a bunch of dial-ups,” Garza tells me. “But each one we tracked back to Argentina ended up in a modem pool, so we needed somebody down there to trace it the next step back. We couldn’t get them to act fast enough until he broke into the phone system, then they acted because they were afraid of what he could do. So, in just a couple of days, they got a court order and traced the calls back to Ardita’s residence.”
The investigation had begun in August; Ardita was identified as the suspect in December.
On December 28, 1995, acting on information supplied by Telecom Argentina, Argentine law enforcement seized Ardita’s computer files and equipment at his home in Buenos Aires.
No Ordinary Wiretap
“This is a case of cyber-sleuthing, a glimpse of what computer crime fighting will look like in the coming years,” said U.S. Attorney Donald K. Stern in the official U.S. DoJ statement announcing the criminal charges filed against Ardita. “We have made enormous strides in developing the investigative tools to track down individuals who misuse these vital computer networks.”
He was not indulging in hyperbole. The wiretap used in the Ardita was no ordinary wiretap. Intruder Watch was a specialized module of a Network Intrusion Detector, developed at Lawrence Livermore Lab in California. And, as Garza explains, it was the first of its kind.
“There had been four other wiretaps on a computer crime case,” Garza says, “but they weren’t tapping the network, they were tapping a modem line. In that instance, what was captured had to be manually reviewed and filtered, then only what was relevant to the case agents.”
But with a thousand users online simultaneously, Garza insisted, they just couldn’t do it that way. Practicality demanded that they quickly filter what was happening on the network. Legal considerations demanded that they minimize the intrusion on the privacy of authorized users.
Intruder Watch provided the answer to the dilemma. It intercepted only those communications that fit the patterns identified as the hacker’s. “Even when communications contained the identifying patterns of the intruder,” Stern observed, “we limited our initial examination to 80 characters around the tell-tale sign to further protect the privacy of innocent communications.”
Although Ardita’s hack of Telecom Argentina had identified him without evidence supplied through Intruder Watch, the breakthrough wiretap provided plenty of evidence on his activities. For example, as Garza recollects, Ardita got online with some of his hacker buddies on what turned out to be a bulletin board near Carnegie Mellon and gave them the phone number to his bulletin board down in Argentina.
Debriefing “El Griton”
Tracking down Ardita, and putting an end to his hacking adventures, took four months. But, as Garza relates, almost an entire year passed before U.S. investigators could actually interview the now-infamous young man.
“It took us a while to go through the mutual legal assistance treaty process,” Garza explains. “Hacking wasn’t illegal in Argentina. Interruption of telecommunications was, however, illegal under their penal code. So we went with that, and they agreed to hold all of his computers and everything until we got down there. But it took a while to go through our State Department and their equivalent. We finally got down there in October 1996.”
Garza and other U.S. officials conducted six sessions with Ardita going into detail about his activities. These in-depth discussions allowed Garza to size up “El Griton.”
“He claimed, as many hackers do, that he was doing it simply because he could,” Garza tells me. “He said he was inquisitive. He claimed he was researching security. He kept insisting that he was just hacking for the good of mankind. But we walked him through what he had done. He had been phone-phreaking from the PBX of that multinational corporation. He was making calls to his girlfriend. He was making calls into Harvard. To the tune of approximately $15,000.
“We asked him, ‘Isn’t that just plain theft?’ It had shattered his self-image of the ‘White Hat Hacker.’ He broke down in tears. I didn’t get the sense from talking to him that he was very sophisticated people-wise. He wasn’t a genius either, he was just talented and very persistent.”
Of course, there is a lingering question in the minds of some regarding the Ardita case because his father just happened to be a retired Argentine military colonel “assigned” to the Argentine legislature. Could “El Griton” have been the pawn of some larger online intelligence-gathering operation? No such evidence has been produced. But it’s one of those “coincidences” that just kind of gnaws at you.
In December 1997 (yes, another year later), the Ardita case was finally brought to conclusion. Because hacking wasn’t a crime in Argentina, it wasn’t covered under the existing extradition treaty with Argentina. But Ardita agreed to waive extradition. His father, after all, was in the Argentine military, and the case was probably something of an embarrassment.
He voluntarily traveled to the United States and pleaded guilty. The agreement worked out between the U.S. Attorney’s office in Boston and Mario Crespo, Ardita’s lawyer, recommended that Ardita receive a three-year probation and a fine of $5,000.
Considering the resources that went into the case, Garza acknowledges, “Ardita got off with pretty light sentence. There was criticism. But the U.S. prosecutors felt that in this case, since they could not extradite him, the stalemate would have just dragged on.”