March 29, 2000

Berkeley Lab Science Beat

Recent news reports in Bay Area newspapers about the arrest of a Berkeley hacker on 15 counts of computer hacking told most of the story -- but not quite all of it.

On March 23 in San Jose, California, Max Ray Butler was charged in federal court with hacking into a number of universities, Department of Defense, and Department of Energy facilities including Brookhaven and Argonne national laboratories. Butler, 27, is a self-described "ethical hacker" also known as Max Vision. According to the San Francisco Chronicle, for two years, he had been a confidential source for an elite FBI Computer Crime Squad.

Butler's attacks also included Lawrence Berkeley National Laboratory (Berkeley Lab) and UC Berkeley. As it turns out, these intrusions helped lead to his undoing.

The attacks occurred in May, 1998. At the time, Vern Paxson of Berkeley Lab's Network Research Group was using network monitoring software he had developed to analyze traffic at the Lab and within part of the UC Berkeley campus. The software -- called BRO which is short for "Big Brother" -- was designed to monitor network traffic and unveil security breaches. Paxson not only was protecting the Lab network but also monitoring campus traffic as part of a research project into measuring large-scale network traffic. He provided campus with his expertise in detecting intruders and gained useful data in return.

BRO turned up evidence that campus routers were being probed in an unusual way and Paxson stepped up tracing of related traffic. Soon after that, there was an attack on 13 UC computers using an attack tool never before seen. In fact, the tool was the first exploitation of a newly found vulnerability in UNIX systems.

"The attacker left some interesting footprints and a lot of pointers to where he was coming from," Paxson recalls. Because of the unusualness of the attack, Paxson reported it to the Computer Emergency Response Team and to the Department of Energy's Computer Incident Advisory Capability.

The next day, someone using a U.S. Air Force computer attacked nine Berkeley Lab machines. Since this was before the current capability to block such intrusions was made a component of BRO, the machines were taken offline and no significant harm was done. But the unusual traffic on the campus system continued and UC machines were used to launch attacks on other sites. Because of BRO, "We had records of these sessions and a list of all the machines he had broken into," Paxson said.

Then, the unusual case took an even weirder turn -- the hacker sent Paxson an anonymous e-mail, which was both boastful and self-justifying. Paxson said he had never gotten a message from a hacker before or since. In the message, the hacker claimed his intent was not to do damage but to demonstrate the vulnerability of the Internet.

The data gathered by BRO were turned over to federal investigators, who told Paxson the information was quite useful in building their case. "BRO enabled a very thorough tracing and produced much more information about the attacks than would have been otherwise available," Paxson said. "Usually these guys are very hard to catch."

Within the world of computer security, BRO has earned a growing reputation. In 1998, the Usenix Security Symposium honored Paxson with its best paper award for his work entitled "BRO: A System for Detecting Network Intruders in Real-Time."

BRO is a layered system that seeks out certain types of network traffic.

The first layer is a general packet filter, which decides which data packets should be examined. The second layer is an "event engine," which takes the first-level packets and pieces them together into "events," such as the beginning or end of a connection; or, for some applications such as FTP (file transfer protocol), high-level events such as identifying user names. Above that is the policy layer, which interprets scripts, written in a specialized language, that define how to respond to different events. Should the policy layer detect information amounting to an attempted security breach, the system notifies computer security people in real time. It also archives summaries of the network traffic into and out of Berkeley Lab in a permanent record.
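The three layers described above can be sketched as a small pipeline. This is an added illustration, not BRO's own code: plain Python functions stand in for BRO's specialized policy language, and the packet records, watched port, and "sensitive user" rule are constructed assumptions, with one packet per FTP command and no stream reassembly.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "ts src dst dport flags payload")

# Constructed sample traffic (documentation address ranges), not a real capture.
PACKETS = [
    Packet(1.0, "198.51.100.7", "192.0.2.10", 21, "S", b""),
    Packet(1.2, "198.51.100.7", "192.0.2.10", 21, "", b"USER root\r\n"),
    Packet(1.3, "198.51.100.9", "192.0.2.10", 80, "S", b""),
    Packet(1.5, "198.51.100.7", "192.0.2.10", 21, "F", b""),
]
WATCHED_PORTS = {21}        # assumption: only FTP control traffic is examined
SENSITIVE_USERS = {"root"}  # assumption: site policy flags these login names

def packet_filter(packets):
    """Layer 1: decide which packets are examined at all."""
    return (p for p in packets if p.dport in WATCHED_PORTS)

def event_engine(packets):
    """Layer 2: piece filtered packets together into events."""
    for p in packets:
        conn = (p.src, p.dst, p.dport)
        if "S" in p.flags:
            yield ("connection_start", p.ts, conn, None)
        if p.payload.upper().startswith(b"USER "):
            user = p.payload[5:].strip().decode("ascii", "replace")
            yield ("ftp_user", p.ts, conn, user)
        if "F" in p.flags:
            yield ("connection_end", p.ts, conn, None)

def policy_layer(events):
    """Layer 3: respond to events; returns (real-time notices, archive)."""
    notices, archive, started = [], [], {}
    for name, ts, conn, detail in events:
        if name == "connection_start":
            started[conn] = ts
        elif name == "ftp_user" and detail in SENSITIVE_USERS:
            notices.append(f"{ts}: FTP login as {detail!r} from {conn[0]}")
        elif name == "connection_end":
            # Archive a per-connection summary: endpoints and duration.
            archive.append((conn, round(ts - started.pop(conn, ts), 3)))
    return notices, archive

def run(packets=PACKETS):
    """Chain the layers: filter -> events -> policy."""
    return policy_layer(event_engine(packet_filter(packets)))
```

The port-80 packet never reaches the event engine, which is the point of the first layer: the upper layers only pay for traffic the filter selects.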

For his part, Butler once billed himself as a computer security expert. In 1997, he started a company that specialized in "penetration testing" and "ethical hacking." Butler reportedly would simulate for clients how a hacker would penetrate their computer systems.

Paxson said Butler's arrest was ironic but not "totally surprising."

Additional information: