As of [illegible], all material included in this file conforms with DA policies currently [illegible]. THIS MUST REMAIN TOP DOCUMENT.
IACSF Form 23, 1 Oct 90 (Replaces IA HC Form 2214, 1 Sep 78, which will be used until exhausted)

DEPARTMENT OF THE ARMY
MILITARY INTELLIGENCE BATTALION (COUNTERINTELLIGENCE) (TECHNICAL)
FORT GEORGE G. MEADE, MARYLAND 20755

REPLY TO ATTENTION OF: IAGPA-A-OP (381-45c)
6 May 1993

MEMORANDUM FOR Record

SUBJECT: Missing Original Signature Investigative Memorandum For Record (IMFR)

1. Original signature IMFRs numbered 1, 13, 11, 18, 19, 2[illegible], 22, 23 and 25 are missing from the Report of Investigation for ACCO CCN [b2] due to inadvertent destruction.

2. The POC for this memorandum is SA [b6], DSN [b6].

[b6]
GS-13, DAC
Chief, SCO CONUS

DEPARTMENT OF THE ARMY
MILITARY INTELLIGENCE BATTALION (COUNTERINTELLIGENCE) (TECHNICAL)
FORT GEORGE G. MEADE, MARYLAND 20755

REPLY TO ATTENTION OF: IAGPA-A-OP (381-45c)
6 May 1993

REPORT OF INVESTIGATION

1. ADMINISTRATIVE DATA:

TITLE: Redstone Arsenal, AL; SAEDA; AUTO; 13 July 1990
ACCO CCN: [b2]
INVESTIGATING UNIT: 902d MI Group
DATE INITIATED: 20 July 1990
CONTROL OFFICE: SCO CONUS
DATE CLOSED: [illegible] June 1993
REASON FOR INVESTIGATION: To determine if a Foreign Intelligence Service was involved in an attempted penetration of a Department of Army computer system.
CASE STATUS: Terminated

2. (U) SYNOPSIS:

INFORMATION CONTAINED IN THIS REPORT WAS OBTAINED FROM ANOTHER FEDERAL AGENCY WHO RESERVES THE RIGHT TO RESTRICT ITS RELEASE AND WILL NOT BE RELEASED OUTSIDE OF ARMY INTELLIGENCE CHANNELS WITHOUT THEIR APPROVAL.

[Referred]

CLASSIFIED BY: Appendix E, INSCOM GUIDE 90-01
DECLASSIFY ON: OADR

(U) [Referred]

c. (U) On 21 and 23 August 1990, [b6], ADP Security Specialist, Headquarters, Army Material Command, Rock Island, IL, provided information that examination of the Rock Island computer system revealed no compromise of the system. However, it was discovered that computer files from the Picatinny Arsenal, Dover, NJ, were accessed and transferred to the University of Chicago computer system. (3-4)

d. (U) On 21 August 1990, [b6], Automated Data Processing Systems Security Officer, U.S. Military Academy, NY, provided information that an analysis of the logon files from 25 June to 13 July 1990 indicated no apparent penetration of the computer system or transfer of files from the system to the computer at the University of Chicago. However, the audit trail only listed unsuccessful logons and did not keep a record of successful logons and work processed on the system. (5; Exhibit III)

e. (U) On 23 August 1990, [b6], MICOM, Redstone Arsenal, provided a copy of the Cracker Program, a computer program used to break encrypted passwords, used to penetrate the MICOM computer system. He also revealed that he could not determine the specific systems penetrated at Redstone Arsenal. (6; Exhibit IV)

[Referred]

(U) [Referred]

(U) On 17 August and 5 September 1990, [b6], Assistant Security Manager and Automated Data Processing [illegible] Security Officer, Letterkenny Army Depot, Chambersburg, PA, provided the following information: On 19 June 1990, she was informed of the penetration of the computer system at Letterkenny Army Depot. The system was accessed by an unauthorized user through the computer system at the University of Chicago. Of the seven systems accessed, one contained sensitive information on supply transactions and transportation of ammunition and weapons from depot to depot. Her analysis of the system records did not prove or refute the penetration and loss of data. [b6] is involved in the PATRIOT missile project and processes data on the shipment of the missiles. (8, 11)

(U) On 7 September 1990, neither [b6], [b6], nor [b6], Picatinny Arsenal, Dover, NJ, provided any relevant information concerning the unauthorized accessing and transfer of data from the system at Picatinny Arsenal. (9-12)

(C) On 8 November 1990, analysis of the computer tape from the University of Chicago revealed the presence of a classified message dated March 1990, marked confidential and concerned with the results of a Patriot missile counterlaunch experiment. The analysis also revealed that SUSPECT(s) transferred files from accessed computers to the University of Chicago and created a repository file on the University's computer system. These files contained PATRIOT weapons system data, information on key personnel, and project status, costs and vulnerabilities. (13; Exhibits VI-XC)

[Referred]

k. (U) On 26 November 1990, [b6], MICOM, Redstone Arsenal, AL, alleged that it was determined that the penetration of MICOM's computer system and subsequent loss of data did not involve any classified information. He provided two messages sent to Headquarters, U.S. Army INSCOM. One of the messages provided a cursory analysis of the University of Chicago computer tape, which revealed a listing of computer gateways (main entry points from a network to a computer system), computer network and system computer addresses, password files from MICOM, Rock Island Arsenal and Letterkenny Army Depot, data files from the US Army Military Academy, and the MICOM PATRIOT Project Office. (15; Exhibits XC[illegible]-XC[illegible])

l. (U) On 27 November 1990, [b6], Chief, Program Evaluation Branch, Patriot Project Office, Space Defense Command, Huntsville, AL, revealed the document "Results of Patriot Counterlaunch Experiment" was two years old and determined to be unclassified but sensitive. The document was processed on a system accredited for unclassified only. (16)

m. (U) On 27 November 1990, further analysis of the University of Chicago computer tape found no additional classified information. (17)

[b1] [Referred]

[b2] [Referred]

(U) [b6], Computer Systems Analyst, and [b6], Computer System Analyst, Letterkenny Army Depot, Chambersburg, PA, reported on 16 August 1991 an unauthorized user (SUSPECT) attempted to access the A2 computer system at Letterkenny Army Depot. SUSPECT attempted to log on to the system by using a User ID and password that was compromised a year ago. They were notified by [b6], Systems Administrator, Columbia University, New York, NY, that on 16 August 1991, a computer file identified as belonging to Letterkenny Army Depot was discovered on the Columbia University computer system. (20; Exhibits XCVI-XCVII)

q. (U) A determination was made that the data discovered in ACCO CCN [b2] and ACCO CCN [b2] was part of the data transferred by SUSPECT in this investigation. SUSPECT indicated in a computer talk session that HE used multiple storage sites when HE transferred data. Based on this information, the above mentioned investigations were terminated and transferred to this investigation, ACCO CCN [b2]. (21)

r. (U) On 23 August 1991, [b6], Computer Security Manager, US Army Information Command, Redstone Arsenal, AL, opined that the Test Measurement and Diagnostic Equipment (TMDE) Support Group computer files discovered on the Columbia University computer system were penetrated and transferred during the same time frame as the data found on the University of Chicago computer system, July 1990. The password file used by SUSPECT to access the TMDE files was created prior to July 1990, and the passwords were changed during a shut down of Redstone's computer system in July 1990. (22)

s. (U) On 28 August 1991, [b6], Security Specialist, MICOM, Redstone Arsenal, AL, revealed the computer files discovered on the Columbia University computer system were from the TMDE computers at Redstone. The data is unclassified and nonsensitive. [b6] determined that the password file discovered at Columbia University contained user IDs of personnel who had departed Redstone prior to 1 November 1990. It was determined that there was no recent penetration of the TMDE system and the penetration probably occurred in July 1990. (23)

t. (U) On 18 September 1991, [b6], Letterkenny Army Depot, revealed that the computer file discovered on the Columbia University system was a decrypted version of an encrypted login password file from the A2 computer system at Letterkenny Army Depot and was probably electronically removed as early as August 1990. [b6] opined that SUSPECT could have accessed the file and system at Letterkenny from anywhere and only the results of the decryption of the file were found at Columbia University. (24; Exhibit XCV[illegible])

u. (U) On 21 October 1991, [b6], Systems Programmer, Columbia University, New York, NY, provided information concerning the unauthorized accessing and use of computers by SUSPECT and the subsequent discovery of computer files belonging to the U.S. Army. [b6] was initially made aware of the incident by [b6], Director of Molecular Modeling Facility, Columbia University. It was determined the files placed in the university's computer system had been there for over one year. SUSPECT exploited a security hole in the system and gained root privileges (the ability to control the computer with access to all files), created a file storage area on the system, and installed a Cracker program (a computer program that can decrypt encrypted passwords and user IDs). SUSPECT normally came into the system via a telenet connection from a computer located at Delf University, Netherlands. The files belonging to the U.S. Army were from Letterkenny Army Depot, PA; Redstone Arsenal, AL; and SIMA, Army Material Command Systems, St. Louis, MO. (25; Exhibits [illegible])

v. (U) On 21 October 1991, [b6], Director of Molecular Modeling Facility for Molecular Biology, Columbia University, New York, NY, revealed his computer system was penetrated approximately one year ago. At that time, he installed an audit trail and the unauthorized penetrations stopped. On 13 August 1991, he noticed the unauthorized user was back and his audit trail program was tampered with. The SUSPECT was active from 13 through 15 August 1991. [b6] confirmed [b6]'s description of the penetration. (26)

w. (U) On 18 November 1991, [b6], Systems Programmer, Columbia University, revealed the communications pathway for the penetration of Columbia University's computers was traced through a computer system in Finland and originated from a computer at Delf University, Netherlands. [b6], Finnish citizen, computer system administrator, Finland, traced the connection from his computer system in Finland to the system at Delf University. (27)

(U) On 17 December 1991, [b6] and [b6], computer security experts, CIAC, U.S. Army Ballistic Research Laboratory, Aberdeen Proving Ground, MD, provided an analysis of the data found on the University of Chicago system. They discovered a subdirectory that was encrypted, and the key to the encryption appears to be the Unit Identification Code (UIC) for MICOM HQ. Also, they discovered that on 12 May, SUSPECT attempted to create an account named "orgb"; "rgb" is one of the hacker aliases used by the SUSPECT [b6]. (28; Exhibit C[illegible])

x. (U) [b6]

3. (U) Case Terminated: Investigation revealed that U.S. Army computer systems were penetrated and computer files were transferred to computer systems at the University of Chicago and Columbia University, to include one document marked confidential. The origin of the penetrations is from the Netherlands. Foreign Intelligence Service activity or collusion was neither proved nor refuted.

4. (U) ROI prepared by Special Agent [b6], CI (T), 902d MI Group, Fort Meade, MD [illegible].

Encl: 28 IMFRS, 102 Exhibits

[b6]
GS-13, DAC
Chief, SCO CONUS

DEPARTMENT OF THE ARMY
MILITARY INTELLIGENCE BATTALION (COUNTERINTELLIGENCE) (TECHNICAL)
FORT GEORGE G. MEADE, MARYLAND 20755-5951

REPLY TO ATTENTION OF: IAGPA-A-OP
6 May 1993

MEMORANDUM FOR RECORD

SUBJECT: Unlisted Attachment to Report of Investigation [b2]

1. The following item is appended to the Report of Investigation as unlisted attachment: The Department of Justice Letter.

2. The POC for this action is [b6], DSN [b6], com [b6].

Encl

[b6]
GS-13, DAC
Chief, SCO CONUS

DEPARTMENT OF THE ARMY
UNITED STATES ARMY INTELLIGENCE AND SECURITY COMMAND
FORT BELVOIR, VIRGINIA 22060-5370

REPLY TO ATTENTION OF: IAOPS-CI-01 (381-45c)
3 [illegible] 1992

MEMORANDUM FOR COMMANDER, 902D MILITARY INTELLIGENCE GROUP, FORT GEORGE G. MEADE, MD 20755-5910

SUBJECT: Dutch Hacker Related Cases

1. The enclosed Department of Justice letter is forwarded for your action. DOJ is requesting that the 902d keep their investigative files open on any Netherland related incidents until further notice. HQ INSCOM should be kept informed of the status of these investigations.

2. HQ INSCOM POC is Ms. [b6], AV [b6].

Encl

Freedom of Information Act/Privacy Act
Deleted Page(s) Information Sheet

Indicated below are one or more statements which provide a brief rationale for the deletion of this page.

[ ] Information has been withheld in its entirety in accordance with the following exemption(s): It is not reasonable to segregate meaningful portions of the record for release.
[ ] Information pertains solely to another individual with no reference to you and/or the subject of your request.
[X] Information originated with another government agency. It has been referred to them for review and direct response to you.
[ ] Information originated with one or more government agencies. We are coordinating to determine the releasability of the information under their purview. Upon completion of our coordination, we will advise you of their decision.

DELETED PAGE(S). NO DUPLICATION FEE FOR THIS PAGE.
Page(s) [illegible]
IAGPA-CSF Form 6-R, 1 Sep 93

[illegible]
Y r t-Sr r URTTYt 9u n r t i' CH P 1'T aa p- -R-0 o '' _10 TO uA C Ot orf' l r 'AMI-ctc- r o SU JF T Q OSTO E - - c ILJI a ' d r R Ill MPof' iYSTE S 1 1 CfM Lo 'L bA - Y 1 ''1 0 4 U 1 lol Tu 1 JUL f h lh 1-Cf tC r lo 1 - '' o o pf J tqo s ' n cT C Ofo DUTErt P r ry SIJTT TS ' fl l 1 II I G iil- o ITO 4 J 8 C F OPt io 1 PI fH UI 40' 1 IS K vr ltl fnRJPY-AT pj Vl l l 'l pp Ct 'CEF h IHJ 1 f 0 C f T VI r JT' l l C HI F p q I A r F F o J C 1 u Jil I o 0 1 C Ao lj E S sc YoLo CIVILT IIU Ci llC oI b6 b6 3 A 1 rh PHF l tiG t E noh up E- sp J-i -jilfll ''DF R' TI H l o r ru l J T p t CI IJ OTHt s t c ll Io o i -1 1 ' o 1 tt l fTY ' ' 12Slt IJ$ E l 0 c' P 'P p t 'I T rR- j oo StGTlO ft cn VISIO o tH 'Y f IS- Ilf L'- e - A V' f' t F l'li F'I' L l1 J 1'o' 11' 1 t ' t'- ' o o '- o - o o' ' ' 0f ' H uo r rC o o o j 1 o o o 1 I o4 - - 'o o' o 3 L ' THE II RIIY ro TrtE t l UP JT' $ft U1 'fTY ANIJ COI'i INO CIHCO U i U DI-if IIIE NU t R o Referred o OF l SIG t o b6 CO J tH 'Hl IT LI lGU' r DT Tf'llh T urunN 3tllt r TCI 'f 0 Nl t 21 1 - 7 1 o IW nLVf I $ 11 1 i tdfOMIIT C o o o o l q nsro lJ o o e 1 J o 1Rli'-O ll ltL 90 MM 9t - c IJ v -r1'1_T 3 tlJ S A- u- s MMM ft o o 0 o o e ' 1 t 14 I o o - I' 4 1 o 1 fr-c r _ ' oo 4315h PA6 02 b2 u - sw c r 'H1 St1JI 1A I ''0 t J CHO i l Hl- J t '-'TlTY 6fL1116 rLt A iGBP0 rL ru r oo 17 d J 1_ lQo b6 VHn oo crE u PfP'H 5F IT4TIVES Of THo 0SHP t MI fod At H E'H TC'I i f OI Ii Tli PEI JETR Tlftl r ' 1 COIIIP IHP v rC ' - U N IN f' l lt l r Q 1 13 JUI_v l lqo b6 IJAS nur T y M JO ll lOENTirlf C 0'1 q JUL't l q - - i CAGO THE ' f F l wHo lEII VE tN I lH Bt l ' 'Gfi'Hi P' T 1 n nEFE SE rOMMUN CATIONS oGfNCV T1-4Jq CCI tPUER FOLOSRo T P fO -E O 1 lKO htt- C 1W' 'U1 1- JI P Hnor 'S'f H ' P'-0Jf CT FF fCGBPo lllii S LOCt TEUR 0 6'L ''uHi13 'TO Tl1i li IJ R5ITY OF nmm i 'Y P 'H S 1R AT THi IJ IVERSITY fJLfS o ' Ju 1Q1n PDTOP To GOI R o FOlb' P loJA S NOT JM HI -i Fll' S 1 25 JU dE 1 - tQO '1Ul ps 'Ill JULY JC 090 liPI'li'J til oTUFN F O M Lf lVGBP THE 
OLOtR iou FOliNO THE f WA b6 b6 fAtiT VOl l OLE 11 oJq o Is TtTLEO b6 A lfF E M rh 4 0 CD Tol En rw o rn TRIP Ar lll tr tJT PJ q E srrr r J r P J r vGBP THf f Fn TlON -M I P' Ct'HoPLJ'lf ' l' r J l i JUI v 1' '10o 'h f l o u- 4 Lf INFTJ TH n J l $ o 1 Cl s S Tf'Ir JI r tHCIIGI' H5 fHf' P TPI H P -ICi nF-nc SYST HIJ PORTSo tETING OTESo s ONUUH E s r ME OJ IC THE UNlViRSITY Of l HJn v li Otl HOUI S tl i O H 'ATiON TORt O SY5T' II' l UT TN Ll 'H fl TO THE 1$ ' 6 o o o o o o o o o o o o o o o o o Regraded UNCLASSIFIED on 12JAN2011 o o o i ' ' 11 lit IO-Bi1 J by USAINSCOM FOI P A ---- Auth para 4-102 DOD 5200-lR -- -- - - - __ RI0 1HY 15 o c c - - __ _ _ -'t - 'S5SS' _ c s Ot' r o ssc ss ss 5SSSSSS 00 ' 0 sssss ss ' -SSSSSS on oo 00 ' 0 sc c ssssss s ss CT ''lYUW Y 'OHT 7 Y 'NSH 7 l op e 18Hf Ol JUL KXX XXX 00000000 oo CHfCKERooooooo FFFfFFFF GGGGG66 MMM MMM FF GG MMMM FFFFf 66 MM MM MM MM FFFFFF 66 SGGG M MM ff 66 6G6 MM M MM F 66GG666G SSO Jll fllflEIII'G r Regraded UNCLASSIFIED on o 12 JAN 2011 'Ho 0 1l- -I'IPIDA III-CIC-C t' ni T ' - M MM 2576 2011645-'-- SH--YE ICHQV Fo ssn OHONf llfoGP -rs- sltbyUSAINSCOMFOIIPA TO S 0 EAnr llt AI PA OPoI 11 Auth nar 8 4-102 DOD 5200 1 PAGE 01 OUTrR 000000 s ssssssss - 201 l ll PT U31' 7 ssssc ss I tI 1 - 1 o o ppTn t o 0 - - o l ' ' o c bkf - 1 f VI 51 J -s- t- ---flrl 1 L QQOQ Ht TTN' 04 oF 02 lJNITEf'l ST4TfS IIQ Y lNFO ' T C'I YSTtl'IIS COIIIIfiiANO-MICOMlii4 AlSC-MICO IIl ' MPUS ARf A WIDo EA tTWORI T f UG _ Ti-i USE OF IIOOE il' c THE JS lSr -oICI'I AR Il IWIOE A Nc TWORV 11 lto S OST OF THF MICO l q JGBP'Ct Of tC S' Ooi' AM EI ECUTIVE OfFICt St iUOGET OFFICESt FINANCE At J l l CI JNrlNS r FICE t ICO II SEr URITY A D CLE RANCE FILf St AS WELL AS OTHER RrA SUPPnPT AGE CIES THE NETWORK ALSO ACCfSSES lHGBP OEFf t OATo NflW RK COO THE USAISC-MICOM C MPUS REA WIDE RGBPA 'J fWO C J0 -5 -'f 'l Tn JqSEOUt T EC 'NTACTE'fo FOlOEP THE ONTaiJ C AS HIF'l t1El0P IGTN6 UNIV 5ITY b6 o ou ECIAL ACCESS INFOR ATTON TE VIE GF T E SOUCEt HE WAS 
r'f THE Ct ' T wH ' l 'F JI EO Hl WI nuT FURTHE'q T l lTIAL t- '1 0 ' '1 #u WERE FOIJI '0 UF CHIC O UJ Oll t Q l P XI ATELY tl I'IPlJT Qo FGA ITl SYSTl 'l OF t F' 'ID1'111AJ f'lt ' 'iC 'o' EN F'HI ll T 44T t 'lllrAT S '-8 PASSWORI' ON THf USAl C-114JCf'M CA ''PPS AREt llollDE ARE A Nt Twn K Wf Pf OHPPnMISEO LL JNFn oATIO ij LO Hl b TO lCO l T 15 U D IN lHE UNIVERSITY OF tHIC r O CO P JT ' ' rsnos Wlll tH ETU 'JEoi T ' MICOf' FOR PRINTUII AND AIV l'l't IS t Y tq COl' AOP i-ECUPITY oe QSOIIINEL Tttl'i A ALYSlS JlLL OETE otNf Tt-IE flelr'1 l OF THt PENETRATl 'N os WELL A i H ANY INFOP II ll llt Cn s CI A SSl lEI'l Tlir Ot JGH C MOTLHlON c UJ AClJONS le l f '-1 oo Ill o C'if 'hTJC oliAGP o TO fHGBP IJSAl C-oHCOM caMPUS AREA IWIIJE o T IC' IC 41 n- TAH EO 014 THE OURt r V IU I'IIAY 1 E FORW-ROEO IINOE'ID SEP4r 'AE C 'IVtR lF ECESSAI' Y 6 lllf -GBP NI't ll A HI 'RE IWtn SECURTTY qo f U oOP Ul Pl tTDIITIO q J NET40R WILL CLrSt THl US ISC-MICOM CA PUS F A ONTH tN 1ROE TO REEST RLlSH 00 THE NfTW0 K R Co- J Tl CUl 'C I'l l MC Nl SFCU ITY f IO SP CYaLI TS Hi ' T1 A'I IAl Y l5 OF OETER INE lHE lNFOR ATJON iiY MICO I ANY o o o o n o o o o o o 'o j'li o o o 1 o o o lF THEPf Referred r --- - - -- ---f r t Rl OR TTY - 16 -- 'j o o o o ' oo I' p o - Ill T t ArH I' - l'llt LLY OYPt t h F $11 I f 1-H' i'oOLTIIIG rf HN'-'C'l tr rr T 1 Ml l ol ftHi JS SUr JfCT Tfl PU N CRIPTlO MilO f'I' Jnr r o oc otti r _ - l t S1'1 1 lF''I''I - o TA Ho UL 1 E lNOEPtl 1'' -NTLY IEf'' Flf l fF' F t -'-T O 1-Itt r F H ' - Hl' 1EFt F r oc t ' ' --- n r o - - O 'H At J I b6 h - I b6 '7o o I b6 I I r LaSSTFTfij 't 'i7f -r y I ltlTlPlr r b6 -'IIPr - 'S Exhibit j Electronic Message Subject tration of f UCOM Microcomputer U CI ' lFY I 'IN lov O L' o o I e oo o o o o Pene- o o o on o o o o ' 1 i o o UIClASSlRED 17 o o o o o o o o J o r oo o o o' 'o o o o o o o o ' o o o I o o o o - - o CON TIAL EXHIBIT COVER SHEET SUBJECT U - REDSTONE ARSENAL AL SAEDA AUTO 13 July 1990 DACCO CCN U SCO CONUS CCN w PREPARING 
UNrT U REPORT DATED U DESCRIPTlON fu b2 Reds torte '11 Det 902d l' U Group 18 JUly 1990 Co tfidential Electronic lessage From CommaTtdet' MICOI 1 Dat d 171620Z JUL 90 CO SubJ Penetration of NlCOM f iuicomputex- EXHIBrr_ ___ r C8NFIOENTIAL GltOUP fOIIM J ll NOV H 19 -- CUNftOENTIAt o LN 077 cl v '' '' ZCZ OFDS997PGBPAq61 00 I 'CTCZYUW RUCOSRA 611 19B8i 36 - CCCC- R JDI-IAf 'lf 193 L - Zi Y CCCCC zKZtt PP OHI DE f-' 17 6EOZ t L S' - ' f -1 FM C R HICOM REOSTON RSENAL AMSMI-SI 1 '10 RUDHAA CDR INSCOM FT' ELVOIR UA AOPS-C -T0 1 INFO RUKLDAR COR AM ALEX VA MCMI-CS '' o r RllKGNBfVCI tj USAISS FT EoC LVO R ' VA IAS11l-SPS I RUEAOWD HGDA ASH DC DAMI-CIC- G SOIS-AOS 1 RUCDGDA CDR ICOM RE GTONE ARSENAL AL AMSMI-Sl RUCOGDA PEO AIR DEFENSE REDSTONE ARSENAL AL $FAE-AD 3 AE-AD-PAI 1n Referred oo oo 0 0 o o 0 ooo oooo o o o oo '1 o I F I I t l't i f1 l CONFtOE 1l L o JOINT MESSAGEFORM OfGI- IUA fiM ya N T 2otomoz 1 AUG 1 o pl D4 C ll PaiCIOIIIICC I - I I IIOfO CIC -s-sn- PP 1 PP 232l OOZ IIIIUAOI MAIIO OIIG I SIIOUC JOONt SAIC RO 902 MIGP rT SHERIDAN IL IIAGPA C-SH FROM CDR902DMIGP fT GEORGE G MEADE MD IAGPA-OP-1 TO INfO CDR MID 902D MIGP FT SAM HOUSTON TX IAGPA C-SA CDR MIBN Cl 902D MIGP PSr SfRAN CA IAGPA-C-OP 1 ZEN CDR MIBN Cil Sl 902D MIGP FT GEORGE G MEADE MD IAGPA-8-0P ZEN CDR DSD MIGP rT GEORGE G MEADE nD 902D IA'GPA-8-J S ZEN CDR MlBN Cil Tl 902D MIGP rT GEORGE G MEADE MD ' IAGPA-A-OP 1 ZENIDIR DACCO fT GEORGE G MEADE MD DAMI-CIC-CCO CDRINSCOM fT BELVOIR VA AOPS-Cl-01 IAOPS-CI-TO -f-- --IH-1SUBJECT INVESTIGATIVE MEMORANDUM fOR RECORD L u ll TITLE REDSTONE ARSENAL AL SAEDA AUTO 13 JUL 0 b 5 3 2 U DATE 3 - U CCNI 1 0 U or REPORT I sco ocl o - IJ AUGUST ' 0 b2 Regraded UNCLASSlFIED on 12 JAN2011 by USAINSCOM FOIIP A Auth para 4-102 DOD 5200-lB DIIITR ' ooooooo -- Ol b6 1 b - H AV 459-2275 l ' ' ' ancolllo a vcroou Cl ASSifiEl SAIC DGBPflASSIFY ' o --- u _ - ____ -- IC b6 o OD 1 P 'n lJl 2- tfERJ BY ONI INS COM PAM 3 0-b OADR IAGPA-C- IH F - F a _' 1 acuoon CI Ait s-f' t t ' 
Regraded UNCLASSIFIED on 12 JAN 2011 by USAINSCOM FOI/PA, Auth para 4-102, DOD 5200-1R

JOINT MESSAGEFORM

(U) INVESTIGATIVE RESULTS:

INFORMATION CONTAINED IN THIS REPORT WAS OBTAINED FROM ANOTHER FEDERAL AGENCY WHO RESERVES THE RIGHT TO RESTRICT ITS RELEASE AND WILL NOT BE RELEASED OUTSIDE OF ARMY INTELLIGENCE CHANNELS WITHOUT THEIR APPROVAL.

(U) ON [illegible] AUGUST 1990, SPECIAL AGENT [Referred], CHICAGO FIELD OFFICE (CFO), [Referred], CHICAGO, IL, MET WITH MEMBERS OF THE CHICAGO RESIDENT OFFICE (CRO), 902D MILITARY INTELLIGENCE (MI) GROUP, FORT SHERIDAN, IL, AND PROVIDED THE FOLLOWING INFORMATION:

A. (U) ON [illegible] JULY 1990, [b6], DEPARTMENT OF ASTRONOMY AND ASTROPHYSICS (A&A), UNIVERSITY OF CHICAGO (U OF C), CHICAGO, IL, DISCOVERED COMPUTER FILES ON THE U OF C'S COMPUTER SYSTEM BELONGING TO COLONEL [b6], REDSTONE ARSENAL, HUNTSVILLE, AL. THESE FILES WERE PLACED ON [b6] FILES WHILE [b6] WAS ON A TWO WEEK VACATION. [b6] VACATION WAS POSTED ON THE BULLETIN BOARD AND ANYONE COULD HAVE OBTAINED THIS COMPUTER INFORMATION ONCE THEY HAD SIGNED ON TO THE SYSTEM.

(U) [b6] FOUND APPROXIMATELY TEN MILLION BYTES OF ADDITIONAL INFORMATION IN HIS COMPUTER FILES WHICH HE DID NOT PLACE THERE. REALIZING THIS INFORMATION WAS NATIONAL DEFENSE INFORMATION, [b6] [illegible]ED THE INFORMATION TO THE COMPUTER EMERGENCY RESPONSE TEAM (CERT), CARNEGIE-MELLON, PITTSBURGH, PA, AND THEN ERASED THE INFORMATION FROM HIS FILES AS PER STANDARD OPERATING PROCEDURE.

THE U OF C TRACED AN ILLEGAL ACCESS ATTEMPT THROUGH A REQUESTED TELEPHONE TRACE BACK TO GTE TELENET, 303 WACKER DRIVE, CHICAGO, IL. [b6] ADVISED THAT GTE TELENET IS A HUB AND IT WILL BE VIRTUALLY IMPOSSIBLE TO TRACE THE CALL BACK ANY FURTHER.

U OF C'S ON-CAMPUS COMPUTER SYSTEM IS CONNECTED TO A REGIONAL SYSTEM WHICH IS CONNECTED TO THE NATIONAL SCIENCE FOUNDATION (NSF) SYSTEM. THROUGH THE NSF, A CRACKER (NEW TERM FOR HACKER) WOULD HAVE ACCESS TO OTHER SYSTEMS THROUGHOUT THE U.S. AND OVERSEAS. ADDITIONALLY, IF AN UNAUTHORIZED USER ENTERED THE U OF C COMPUTER THROUGH A TELEPHONE NETWORK, IT IS VERY DIFFICULT TO TRACE OR TRACK THE USER. THIS APPEARS TO BE THE CASE IN THIS INCIDENT IN THAT THE ENTRY WAS THROUGH GTE TELENET.

IT IS BELIEVED THIS CRACKER MAY BE ON A LEARNING CURVE, MEANING ONE COULD SEE THE PROGRESS AND LEVEL OF COMPETENCE THAT WAS GAINED THE LONGER THE CRACKER WAS ON THE SYSTEM. DUE TO THE GRAMMAR AND PUNCTUATION USED, IT IS BELIEVED THE CRACKER MAY BE EUROPEAN [illegible] WORK ALONE. THE CRACKER SIGNED ON AT ABOUT 0300 TO 0[illegible]00 HOURS AND REMAINED ON FOR TWELVE TO SIXTEEN HOURS EACH DAY, WITH AN OCCASIONAL BREAK BETWEEN [illegible] AND 1000 HOURS. THIS PATTERN LASTED FOR ABOUT TWO WEEKS (DATES NOT PROVIDED), WITH ONLY ONE DAY OFF.

ON [illegible] JULY 1990, [b6] NOTICED [illegible] OF A CRACKER ON THE U OF C COMPUTER SYSTEM WHEN HE THOUGHT A FRIEND (NOT FURTHER IDENTIFIED) WAS ON THE SYSTEM [illegible] HAD RETURNED FROM HIS TRIP. [b6] ASKED [b6] [illegible]. THE CRACKER RESPONDED BY ASKING ABOUT GAINING ACCESS TO ANOTHER COMPUTER SYSTEM. THE CRACKER THEN IDENTIFIED HIMSELF AS A HACKER AND SIGNED OFF.

[Referred]

DECLASS: OADR

U.S. ARMY INTELLIGENCE
EXHIBIT COVER SHEET

SUBJECT: (U) [illegible] ARSENAL, AL; SAEDA; AUTO; [illegible] July 90
DACCO CCN: [b2]
PREPARING UNIT: (U) Chicago Resident Office, 902d Military Intelligence Group
REPORT DATED: (U) 1[illegible] August 1990
DESCRIPTION: (U) Sanitized [illegible]

Freedom of Information Act/Privacy Act
Deleted Page(s) Information Sheet

Indicated below are one or more statements which provide a brief rationale for the deletion of this page.

[ ] Information has been withheld in its entirety in accordance with the following exemption(s): It is not reasonable to segregate meaningful portions of the record for release.
[ ] Information pertains solely to another individual with no reference to you and/or the subject of your request.
[X] Information originated with another government agency. It has been referred to them for review and direct response to you.
[ ] Information originated with one or more government agencies. We are coordinating to determine the releasability of the information under their purview. Upon completion of our coordination, we will advise you of their decision.

DELETED PAGE(S). NO DUPLICATION FEE FOR THIS PAGE.
Page(s) [illegible]
IAGPA-CSF Form 6-R, 1 Sep 93

JOINT MESSAGEFORM

DTG: 212100Z AUG 90
PRECEDENCE: PP PP

FROM: SAIC RO 902D MIGP FT SHERIDAN IL, IAGPA-C-SH
TO: CDR 902D MIGP FT GEORGE G MEADE MD, IAGPA-OP-I
INFO:
CDR MID 902D MIGP FT SAM HOUSTON TX, IAGPA-C-SA
CDR MIBN (CI) (CE) 902D MIGP PSF SFRAN CA, IAGPA-C-OP
ZEN CDR MIBN (CI) (S) 902D MIGP FT GEORGE G MEADE MD, IAGPA-B-OP
CDR MID 902D MI GP FT MEADE MD, IAGPA-C-FM
ZEN CDR DSD 902D MIGP FT GEORGE G MEADE MD, IAGPA-B-DS
ZEN CDR MIBN (CI) (T) 902D MIGP FT GEORGE G MEADE MD, IAGPA-A-OP
ZEN DIR DACCO FT GEORGE G MEADE MD, DAMI-CIC-CCO
CDRINSCOM FT BELVOIR VA, IAOPS-CI-01, IAOPS-CI-TO

SUBJECT: INVESTIGATIVE MEMORANDUM FOR RECORD (U)

1. (U) TITLE: REDSTONE ARSENAL, AL; SAEDA; AUTO; 13 JUL 90

2. (U) DATE OF REPORT: 21 AUGUST 1990

3. (U) CCN: SCO [b2]

CLASSIFIED BY: INSCOM PAM [illegible]
DECLASSIFY ON: OADR

4. (U) INVESTIGATIVE RESULTS:

A. (U) ON 21 AUGUST 1990, [b6], ADP SECURITY SPECIALIST, INSTALLATION SECURITY OFFICE, HEADQUARTERS, AMCCOM, ROCK ISLAND ARSENAL, ROCK ISLAND, ILLINOIS, WAS TELEPHONICALLY CONTACTED BY THE CHICAGO RESIDENT OFFICE (CRO), 902D MILITARY INTELLIGENCE GROUP, FT SHERIDAN, IL, AND PROVIDED THE FOLLOWING INFORMATION:

B. (U) AFTER LEARNING OF THE FILES BEING DISCOVERED ON THE UNIVERSITY OF CHICAGO'S COMPUTER SYSTEM, [b6], CHIEF OF SECURITY AND INTELLIGENCE, HQ AMCCOM, ROCK ISLAND ARSENAL, CHECKED ALL THE COMPUTER LOGS FOR THE MONTH OF JULY 1990. AFTER CAREFUL EXAMINATION BY [b6] AND THE INFORMATION SYSTEMS COMMAND, IT WAS DETERMINED THAT NONE OF THE FILES AT ROCK ISLAND ARSENAL HAD BEEN COMPROMISED. IT WAS LEARNED, HOWEVER, FILES FROM ONE OF THE SUBORDINATE UNITS AT DOVER, OFFICE SYMBOL AMSMC-MGM, WERE STOLEN. HEADQUARTERS AMCCOM IS THE HEADQUARTERS FOR [illegible] MAY INDICATE WHY IT WAS [illegible] ARSENAL [b6] BELIEVE [illegible] UNIT AT DOVER WHICH THE FILES CAME FROM. ROCK ISLAND DID NOT HAVE ANY INFORMATION ON THE TYPE OF INFORMATION WHICH WAS STOLEN FROM DOVER.

[b6] EXPLAINED THERE IS A PASSWORD PROTECTION SYSTEM IN PLACE AT ROCK ISLAND ARSENAL. THIS SYSTEM LIMITS THE AMOUNT OF LOG-ONS ALLOWED, MAKES USE OF A SIX CHARACTER PASSWORD AND HAS NEUTRALIZED ANY BACKDOORS WHICH MAY HAVE BEEN IN PLACE.

5. (U) REPORT SUBMITTED BY S/A [b6], CRO, 902D MI GROUP, AV [b6].

DECLASS: OADR

JOINT MESSAGEFORM

DTG: 231500Z AUG 90
PRECEDENCE: PP PP

FROM: SAIC RO 902D MIGP FT SHERIDAN IL, IAGPA-C-SH
TO: CDR 902D MIGP FT GEORGE G MEADE MD, IAGPA-OP-1
INFO:
CDR MID 902D MIGP FT SAM HOUSTON TX, IAGPA-C-SA
CDR MIBN (CI) 902D MIGP PSF SFRAN CA, IAGPA-C-OP
ZEN CDR MIBN (CI) (S) 902D MIGP FT GEORGE G MEADE MD, IAGPA-B-OP
CDR MID 902D MI GP FT MEADE MD, IAGPA-C-FM
ZEN CDR DSD 902D MIGP FT GEORGE G MEADE MD, IAGPA-B-DS
ZEN CDR MIBN (CI) (T) 902D MIGP FT GEORGE G MEADE MD, IAGPA-A-OP
ZEN DIR DACCO FT GEORGE G MEADE MD, DAMI-CIC-CCO
CDRINSCOM FT BELVOIR VA, IAOPS-CI-01, IAOPS-CI-TO

SUBJECT: INVESTIGATIVE MEMORANDUM FOR RECORD (U) (IMFR)

A. IAGPA-C-SH, DTG 212100Z AUG 90, SAB.

1. (U) TITLE: REDSTONE ARSENAL, AL; SAEDA; AUTO; 13 JUL 90

2. (U) DATE OF REPORT: 23 AUGUST 1990

3. (U) CCN: SCO [b2]

CLASSIFIED BY: INSCOM PAM [illegible]
DECLASSIFY ON: OADR

4. (U) INVESTIGATIVE RESULTS:

A. (U) ON 23 AUGUST 1990, [b6], ADP SECURITY SPECIALIST, INSTALLATION SECURITY OFFICE, HEADQUARTERS, AMCCOM, ROCK ISLAND ARSENAL, ROCK ISLAND, ILLINOIS, WAS TELEPHONICALLY CONTACTED BY THE CHICAGO RESIDENT OFFICE (CRO), 902D MILITARY INTELLIGENCE GROUP, FT SHERIDAN, IL, AND PROVIDED THE FOLLOWING INFORMATION:

B. (U) AFTER LEARNING OF THE FILES BEING DISCOVERED ON THE UNIVERSITY OF CHICAGO'S COMPUTER SYSTEM, A CHECK OF ALL COMPUTER LOGS AT ROCK ISLAND ARSENAL, ROCK ISLAND, ILLINOIS, SHOWED THAT FILES FROM ONE OF THEIR SUBORDINATE UNITS, PICATINNY ARSENAL, DOVER, NEW JERSEY, OFFICE SYMBOL AMSMC-MGM, HAD BEEN STOLEN. THE POINT OF CONTACT AT PICATINNY ARSENAL IS [b6].

5. (U) REPORT SUBMITTED BY S/A [b6], CRO, 902D MI GROUP, AV [b6].

DECLASS: OADR

JOINT MESSAGEFORM

DTG: 221500Z AUG 90
PRECEDENCE: PP PP

FROM: SAIC NYRO 902D MI GP FT HAMILTON NY, IAGPA-C-NY
TO: CDR 902D MI GP FT MEADE MD, IAGPA-OP-I
INFO:
CDR FMOMID 902D MI GP FT MONMOUTH NJ, IAGPA-C-MO
CDR MI BN (CI) (CE) PSF SFRAN CA, IAGPA-C-OP
DIR DACCO FT MEADE MD, DAMI-CIC-CCO
CDR INSCOM FT BELVOIR VA, IAOPS-CI-OI
CDR INSCOM FT BELVOIR VA, IAOPS-CI-TO
ADP DET FT MEADE MD, IAGPA-A-DP

NO NIGHT ACTION REQUIRED - DELIVER DURING FIRST DUTY HOURS

SUBJECT: INVESTIGATIVE MEMORANDUM FOR RECORD (U)

A. (U) CONF MSG, CDR, 902D MI GP, IAGPA-OP-I, 082022Z AUG 90, SUB: REDSTONE ARSENAL, AL; SAEDA; AUTO; 13 JUL 90.

1. (U) TITLE: REDSTONE ARSENAL, AL; SAEDA; AUTO; 13 JUL 90

2. (U) DATE OF REPORT: 21 AUG 90

3. (U) CASE CONTROL NUMBER: 902D CCN [b2]

4. (U) INVESTIGATIVE RESULTS:

SOURCE HAD NO OBJECTION TO HER IDENTITY BEING RELEASED IN CONJUNCTION WITH THIS INVESTIGATION.

A. (C) ON 21 AUG 90, THE REPORTING AGENT MET WITH [b6], AUTOMATED DATA PROCESSING SYSTEM SECURITY OFFICER (ADPSSO), DIRECTORATE OF INFORMATION MANAGEMENT (DOIM), UNITED STATES MILITARY ACADEMY (USMA), HIGHLAND FALLS, NY. [b6] PROVIDED THE FOLLOWING DOCUMENTS AND INFORMATION CONCERNING THE PENETRATION OF USMA'S STAFF COMPUTER SYSTEM (SCS) BETWEEN 25 JUN 90 AND 13 JUL 90, AS WELL AS THE FOLLOWING SUGGESTIONS ON DEVELOPING AN AUDIT TRAIL:

(U) [b6] PROVIDED A COPY OF THE LOGON FILES FOR THIS TIME PERIOD.

C. (U) BASED ON SOURCE'S ANALYSIS OF THE APPROXIMATELY 500 LOGON ATTEMPTS LISTED IN THE ABOVE FILES BETWEEN 22 JUN 90 AND 21 JUL 90, PENETRATION OF USMA'S SCS WAS NOT APPARENT. THESE LOGON FILES LISTED ONLY UNSUCCESSFUL LOGON ATTEMPTS, AS USMA'S UNISYS 5000/80 COMPUTER (A UNIX-BASED OPERATING SYSTEM) WAS NOT PROGRAMMED TO RETAIN SUCCESSFUL LOGONS. PER USMA DOIM'S PROCEDURES, THE SCS RETAINED ONLY THE PREVIOUS TEN DAYS OF THE SYSTEM FILES NEEDED TO TRACK THE TRANSFER OF FILES FROM THE SCS TO THE UC HOST.

(U) ANALYSIS REVEALED NONE OF THE FOLLOWING PASSWORDS LISTED IN REFERENCE A, PARA 3[illegible]: ANONYMOUS, GUEST, LISTEN, SETUP, FILE TRANSFER PROTOCOL AND ECT. FTP APPEARED FREQUENTLY IN THE LOGON FILES BUT WAS NOT USED AS A PASSWORD. SOURCE EXPLAINED THAT FTP IS A PROCESS THAT FACILITATES FILE TRANSFERS AND IS A STANDARD ENTRY ON MANY LOGON FILES.

E. (U) ANALYSIS REVEALED THE FOLLOWING COMMAND LISTED IN REFERENCE, PARA C: ROOT, BUT NONE OF THE OTHERS LISTED (LIST, COPY AND PASSWD).

F. (U) ANALYSIS REVEALED NO INDICATIONS THAT THE INTRUDER USED A LEGITIMATE ACCOUNT HOLDER'S LOGON IDENTIFICATION OR ATTEMPTED TO BECOME A SUPER USER.

G. (C) ANALYSIS OF ALL DIRECTORIES REVEALED NONE OF THE FOLLOWING SIGNS OF ENTRY LISTED IN REFERENCE A, PARA 3C: ROOT, USR, USR2, MAIL, BIN AND DOT.

H. (U) IN ORDER TO DEVELOP AN AUDIT TRAIL, SOURCE WOULD NEED THE FILE NAMES AND CONTENTS TAKEN FROM THE SCS; ANY KNOWN DEFICIENCIES IN THE UNISYS 5000/80 OPERATING SYSTEM PAST SECURITY; AND THE INTRUDER'S FULL OR PARTIAL USER IDENTIFICATION AND/OR NETWORK ADDRESS IN ORDER TO MONITOR ANY FUTURE SCS PENETRATION ATTEMPTS.

5. (U) AGENT NOTES:

A. (U) REPORTING AGENT WAS ASSISTED BY [b6], DIRECTOR, COMPUTER SYSTEMS DIVISION, DOIM, USMA; [b6], GS12, SECURITY MANAGER, COMPUTER SYSTEMS DIVISION, DOIM, USMA; AND [b6], GS12, COMPUTER SYSTEMS MANAGER, COMPUTER SYSTEMS DIVISION, DOIM, USMA.

B. (U) [b6] APPRECIATED BEING ALERTED TO THIS SCS PENETRATION AND WILL MONITOR THE SCS DAILY FOR THE ABOVE MENTIONED INDICATORS AFTER PROGRAMMING THE UNISYS 5000/80 COMPUTER TO RETAIN SUCCESSFUL LOGON ENTRIES ALONG WITH THE UNSUCCESSFUL ATTEMPTS. [b6] WILL CONTACT NYRO IF HE SUSPECTS OR DETECTS ANY FUTURE PENETRATIONS.

EXHIBITS:

A. (FOUO) LOGON FILES FROM 22 JUN 90 TO 23 JUL 90, LABELED ON THE TOP "ACADEMY MANAGEMENT SYSTEM, COMPUTER OPERATIONS BRANCH", APPROXIMATELY TWO INCHES THICK.

[illegible]

[b6], SA, 902D MI GROUP, AV [b6], IAGPA-C-NY

CLASSIFIED BY: AR 381-12
DECLASSIFY ON: OADR
b6 7 SCL S NE WARNIN' STATE ENT REPORT SUBMITTED BY ' b6 EXEE TED BJPYt b6 b6 b6 SA 902D MI GP DSN AV DE CL OAl R r ' Re graded UNCLASSIFffiD on 12JAN2011 by USiUNSCOM FOL'PA Auth para 4-102 DOD 5200-lR o - 's 2341 430Z AUG i ATE 28 Al l6 'itQ U L-l m f b6 b6 UNClASSIFIED b6 37 US ARMY INTELLIGENC E ANI SE URITY OMMAND EXHIBIT COVER SHEET Regraded UNCLASSIFIED on b fi 2bk FOIIPA Auth para 4-102 DOD 5200-lR SUBJECT FILE NUMBER PREPARING UNIT AGENT REPORT DATED DESCRIPTION - Redstone Arsenal AL SAEDA AUI'O 13 July 1990 b2 New York Resident Office 902d MI GP 21 August 1990 Staff Computer System Logon Files 2 thic t Directorate of Information Management - United States Military Academy J' fu l 9c- 1 3 Tu j 'fO GBP EXHIBIT ir l al el 1 l Ia ' '8 38 Off1CIAL USGBP OMLY fOR OFPICIA I I JSE ONLY ACADEMY MANAGEMENT SYSTEM COMPUTER OPERATIONS BRANCH USERID - b_2_ __J L - 1 ACCOUNT NAME RUNID - UAO RSPOOM b2 FILENAME DATE - AUG 21 1990 TIME - 11 56 17 PRINTER - LXt FORM - F600 ROUTE TO - ROOT FOft Orf'ICIAL USB 39 Ot LY Freedom of Information Act Privacy Act Deleted Page s Information Sheet Indicated below are one or more statements which provide a brief rationale for the deletion of this page nformation has been withheld in its entirety in accordance with the following exemption s It is not reasonable to segregate meaningful portions of the record for release D Information pertains solely to another individual with no reference to you and or the subject of your request D Information originated with another government agency It has been referred to them for review and direct response to you D Information originated with one or more government agencies We are coordinating to determine the releasability of the information under their purview Upon completion of our coordination we will advise you of their decision DELETED PAGE S NO DUPLICATION FEE FOR THIS PAGE Page s IAGPA-CSF Form 6-R 1 Sep 93 12 Freedom of Information Act Privacy Act Deleted Page s Information Sheet Indicated 
below are one or more statements which provide a brief rationale for the deletion of this page ctCformation has been withheld in its entirety in accordance with the following exemption s It is not reasonable to segregate meaningful portions of the record for release D Information pertains solely to another individual with no reference to you and or the subject of your request D Information originated with another government agency It has been referred to them for review and direct response to you D Information originated with one or more government agencies We are coordinating to determine the releasability of the information under their purview Upon completion of our coordination we will advise you of their decision DELETED PAGE S NO DUPLICATION FEE FOR THIS PAGE - Page s IAGPA-CSF Form 6-R l Sep 93 - - '_ 5 FOR OFFICIAL USE ONLY ACADEMY MANAGEMENT SYSTEM COMPUTER OPERATIONS BRANCH USERID ACCOUNT NAME - RUNID - RSPOOL UAO RSPOOH b2 FILENAME- DATE - AUG 21 1990 TIME - 11 56 24 PRINTER - LX1 FORM - F600 ROUTE TO - ROOT FOR OFFICIAL USE ONLY 56 '' Freedom of Information Act Privacy Act Deleted Page s Information Sheet Indicated below are one or more statements which provide a brief rationale for the deletion of this page cz Information has been withheld in its entirety in accordance with the following exemption s It is not reasonable to segregate meaningful portions of the record for release D Information pertains solely to another individual with no reference to you and or the subject of your request D Information originated with another government agency It has been referred to them for review and direct response to you D Information originated with one or more government agencies We are coordinating to determine the releasability of the information under their purview Upon completion of our coordination we will advise you of their decision DELETED PAGE S NO DUPLICATION FEE FOR THIS PAGE IAGPA-CSF Form 6-R 1 Sep 93 0 oo FOR OFFICIAL USE ONLY ACADEMY MANAGEMENT 
SYSTEM COMPUTER OPERATIONS BRANCH USERID- I b2 '--------- J ACCOUNT NAME RUNID - UAD RSPOOM b2 FILENAMEDATE - AUG 21 1990 TIME - 11 56 28 PRINTER - FORM - ROUTE TO - LX1 F600 ROOT FOR OFFICIAL USE ONLY 60 Freedom of Information Act Privacy Act Deleted Page s Information Sheet Indicated below are one or more statements which provide a brief rationale for the deletion of this page rlrnformation has been withheld in its entirety in accordance with the following exemption s It is not reasonable to segregate meaningful portions of the record for release D Information pertains solely to another individual with no reference to you and or the subject of your request D Information originated with another government agency It has been referred to them for review and direct response to you D Information originated with one or more government agencies We are coordinating to determine the releasability of the information under their purview Upon completion of our coordination we will advise you of their decision DELETED PAGE S NO DUPLICATION FEE FOR THIS PAGE Page s p 1- OL IAGPA-CSF Form 6-R l Sep 93 FOR OFFICIAL USE ONLY ACADEMY MANAGEMENT SYSTEM COMPUTER OPERATIONS BRANCH USERID - b2 l ACCOUNT NAME RUNID - FILENAME- UAD b2 b2 DATE- AUG 21 1990 TIME - 11 56 31 PRINTER FORM - J LX1 F600 ROUTE TO - ROOT FOR OFFICIAL USE ONLY 63 l Freedom of Information Act Privacy Act Deleted Page s Information Sheet Indicated below are one or more statements which provide a brief rationale for the deletion of this page formation has been withheld in its entirety in accordance with the following exemption s brtIt is not reasonable to segregate meaningful portions of the record for release D Information pertains solely to another individual with no reference to you and or the subject of your request D Information originated with another government agency It has been referred to them for review and direct response to you D Information originated with one or more government agencies We are 
coordinating to determine the releasability of the information under their purview Upon completion of our coordination we will advise you of their decision DELETED PAGE S NO DUPLICATION FEE FOR THIS PAGE Page s IAGPA-CSF Form 6-R 1 Sep 93 i 1- D FOR OFFICIAL USE ONLY ACADEMY MANAGEMENT SYSTEM COMPUTER OPERATIONS BRANCH USERID - b2 --- ACCOUNT NAME - RUNID - FILENAME - UAO RSPOOM _b_2_ _ _j DATE - AUG 21 1990 TIME - 11 56 37 PRINTER - Lxt FORM - F600 ROUTE TO - ROOT FOR OFFICIAL USE ONLY 81 Freedom of Information Act Privacy Act Deleted Page s Information Sheet Indicated below are one or more statements which provide a brief rationale for the deletion of this page ormation has been withheld in its entirety in accordance with the following exemption s It is not reasonable to segregate meaningful portions of the record for release D Information pertains solely to another individual with no reference to you and or the subject of your request D Information originated with another government agency It has been referred to them for review and direct response to you D Information originated with one or more government agencies We are coordinating to determine the releasability of the information under their purview Upon completion of our coordination we will advise you of their decision DELETED PAGE S NO DUPLICATION FEE FOR THIS PAGE Page s fq IAGPA-CSF Form 6-R 1 Sep 93 0 FOR OFFICIAL USE ONLY ACADEMY MANAGEMENT SYSTEM COMPUTER OPERATIONS BRANCH USERID- ACCOUNT NAME - RUNID - b2 UAO RSPOOM b2 FILENAME DATE - AUG 21 1990 TIME - 11 56 42 PRINTER FORM - LX 1 FOOO ROUTE TO - ROtJr 'FOR OFFICIAL USE ONLY 90 Freedom of Information Act Privacy Act Deleted Page s Information Sheet Indicated below are one or more statements which provide a brief rationale for the deletion of this page nformation has been withheld in its entirety in accordance with the following exemption s It is not reasonable to segregate meaningful portions of the record for release D Information pertains solely 
to another individual with no reference to you and or the subject of your request D Information originated with another government agency It has been referred to them for review and direct response to you D Information originated with one or more government agencies We are coordinating to determine the releasability of the information under their purview Upon completion of our coordination we will advise you of their decision DELETED PAGE S NO DUPLICATION FEE FOR THIS PAGE Page s IAGPA-CSF Form 6-R 1 Sep 93 9 --1 This document is from the holdings of The National Security Archive Suite 701 Gelman Library The George Washington University 2130 H Street NW Washington D C 20037 Phone 202 994-7000 Fax 202 994-7005 nsarchiv@gwu edu