Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker (38 page)

Authors: Kevin Mitnick,Steve Wozniak,William L. Simon


That night, I periodically logged in to see if Joe was online and active. Even if he noticed that there had been an incoming call on his modem, it might not arouse his suspicion (I hoped) because he would remember giving Lewis access. Sometime after midnight, Joe’s computer went quiet; I figured he had nodded off for the night. Using the “Point-to-Point” protocol, I logged into Sun’s “mercury” host posing as Joe’s workstation, named “oilean.” Voilà! My computer was now an official host on Sun’s worldwide network!

Within a couple of minutes, with the help of rdist, I had managed to get root, since Sun, like Joe, had been lax about updating the security patches. I set up a “shell” account and installed a simple backdoor giving me future root access.

From there, I targeted the Engineering Group. This was totally familiar stuff, but at the same time totally exhilarating. I was able to log in to most of the Sun machines in Engineering, thanks to Joe’s efforts in cracking that group’s passwords.

So Joe had, without even knowing it, set me up to grab yet another treasure: the latest and greatest version of the SunOS, a flavor of the Unix operating system developed by Sun Microsystems for its server and workstation systems. It wasn’t hard to find the master machine storing the SunOS source code. Even when compressed, though, this was one humongous package of data—not as massive as DEC’s VMS operating system, but still massive enough to be daunting.

And then I had an idea that might make the transfer easier. Targeting the Sun office in El Segundo, just south of the Los Angeles International Airport, I began by doing queries on several workstations to learn what devices were attached to them. I was looking for a user who had a tape drive connected to his computer. When I found one, I called him on the phone and said I was with the Sun Engineering Group in Mountain View. “I understand you have a tape drive connected to your workstation,” I said. “One of my engineers is at a client site in LA, and I need to transfer some files to him, but they’re pretty large to transfer over a modem. Do you have a blank tape you could stick in your drive, so I could write the data to that instead?”

He left me hanging on the phone while he hunted down a blank tape. After a few minutes, he came back on the line and told me he was shoving it in the drive. I had encrypted the compressed source code into an unintelligible blob of data, just in case he got curious and took a look. I transferred a copy to his workstation, then gave a second command to write it to the tape.

When the transfer to tape was finally complete, I called him back. I asked him if he wanted me to send him a replacement tape, but as I expected, he said it was okay, I didn’t need to do that. I said, “Can you put it in an envelope for me, and mark it with the name ‘Tom Warren’? Are you going to be in the office for the next couple of days?”

He started telling me about when he would and wouldn’t be available. I interrupted him: “Hey, there’s an easier way. Can you just leave it with the receptionist, and I’ll tell Tom to ask her for it?” Sure, he’d be glad to do that.

I called my buddy Alex and asked him if he’d swing by the Sun office and pick up an envelope the receptionist was holding for “Tom Warren.” He was a little reluctant, knowing there was always a risk. But he overcame that a moment later and agreed with what sounded like a smile on his face—I suppose as he remembered the kick he always got from participating in my hacking adventures.

I felt triumphant. But here’s the odd part: when I got the tape, I didn’t even spend much time looking at the code. I had succeeded in my challenge, but the code itself was of less interest to me than the achievement.

I continued acquiring passwords and software treasures from Sun, but constantly having to dial up to the modems in Mountain View was chancy. I wanted another access point into Sun’s network.

Time for a social-engineering attack. Using my cloned cell phone, I programmed in a number with the 408 area code for Mountain View, which I would need if the system administrator in Sun’s Denver sales office wanted to call me back to verify that I was who I claimed to be. Using a tool available to all Sun staffers, I pulled up a list of employees, chose Neil Hansen at random, and wrote down his name, phone number, building number, and employee number. Then I called the main number at Sun’s Denver sales office and asked for the computer support person.

“Hi, this is Neil Hansen with Sun in Mountain View. Who’s this?” I asked.

“Scott Lyons. I’m the support person in the Denver office.”

“Cool. Later today I’m flying to Denver for some meetings. I was wondering if you guys had a local dial-up number so I can access my email without having to make long-distance calls back to Mountain View.”

“Sure, we have a dial-up, but I have to program it to dial you back. The system does that for security reasons,” he told me.

“No problem,” I said. “The Brown Palace Hotel has direct-dial numbers for the guest rooms. When I get into Denver later this evening, I can give you the number.”

“What’s your name again?” he asked, sounding a little suspicious.

“Neil Hansen.”

“What’s your employee number?” he demanded.

“10322.”

He put me on hold for a moment, presumably to check me out. I knew he was using the same tool I’d used to look up Hansen’s information.

“Sorry, Neil, I just had to verify you in the employee database. Give me a call when you get in, and I’ll set that up for you.”

I waited until just before quitting time, called Scott back, and gave him a local 303 (Denver) number that I had cloned to my cell phone. When I started a connection, a callback would come to the cell phone, I’d manually answer it, and then my modem would make a connection. For several days, I used this access point to get into Sun’s internal network.

But then, abruptly, the callbacks stopped working. Damn! What had happened?

I dialed back into Mountain View and accessed the system in Denver. Oh, shit! Scott had fired off an urgent email to Brad Powell with Sun’s Security Department. He had turned on the logging feature on the dial-up I was using and captured all my session traffic. He quickly realized that I was not checking my mail at all but poking around in places I shouldn’t be. I deleted the log files so there wouldn’t be any evidence of my visits and immediately stopped using the cell phone number I had given him.

Did this discourage me from hacking into Sun? Of course not. I just went back to using Sun’s Mountain View dial-up to find more connections into SWAN (Sun’s Wide-Area Network) in case I got locked out of the system. I wanted to establish multiple access points so I’d always have a variety of ways of getting in. I targeted all of Sun’s sales offices in the United States and Canada, each of which had its own local dial-up so its staff could access SWAN without needing to make long-distance calls to the company’s Mountain View headquarters. Compromising these offices was a piece of cake.

While exploring Sun’s network, I stumbled across a server with the hostname “elmer,” which stored the entire database of bugs for all of Sun’s operating systems. Each entry included everything from the initial report or detection of a bug, to the name of the engineer assigned to tackle the issue, to the specific new code implemented to fix the problem.

A typical bug report read:

Synopsis: syslog can be used to overwrite any system file

Keywords: security, password, syslog, overwrite, system

Severity: 1

Priority: 1

Responsible Manager: kwd

Description:

syslog and syslogd feature of LOG_USER can be used to overwrite *any* system file. The obvious security violation is using syslog to overwrite /etc/passwd. This can be done to remote systems if LOGHOST is not set to localhost.

bpowell: breakin code removed for security reason

If you need a copy of the breakin code see Staci Way (contractor) ([email protected]).

Work around: NONE except turning off syslog which is unacceptable

Interest list: brad.powell@corp, dan.farmer@corp, mark.graff@Corp

Comments: this one is pretty serious. It has already been used on sun-barr to break root, and is one of the few security bugs that work for 4.1.X as well as 2.X e.g. ANY Sun released OS.

To use one of my favorite expressions, this again was like finding the Holy Grail. I now had access to every bug discovered internally at Sun as well as every one reported by any other source. It was like putting a quarter into a slot machine and winning the progressive jackpot with the first pull of the handle. The information from this database was going into my bag of tricks. I started thinking of the tune to the old Felix the Cat theme song, “Whenever he gets in a fix, he reaches into his bag of tricks.”

After the Sun system administrator in Denver reported the security incident, the company got wise that it had a gremlin deeply burrowed into its systems. Dan Farmer and Brad Powell, Sun’s top two security people, sent emails around the entire company warning staff to watch out for hacker attacks that also used social engineering. Then they began removing the bug reports from the database in hopes of hiding them from me. But I was still reading their internal emails. Many of the bug reports contained statements like the one in the message above—did you notice it?

If you need a copy of the breakin code see Staci Way (contractor) ([email protected]).

You probably already know what I’d do when I saw a message like this.

Right: I’d email Staci from an internal Sun account and social-engineer her into sending me the bug. It never failed, not once.

Despite my success in hacking into the company, the following year Powell would receive a “merit award” from Sun’s chief information officer “for his role in securing Sun and thwarting the attacks on SWAN by Kevin Mitnick.” Powell was so proud of the award that he listed it on his résumé, which I discovered on the Internet.

After about six months of morning and evening bus commutes, it seemed like a good idea to move nearer to work. The ideal location would be some place I could walk to work from every morning—plus the right place would put me within walking distance of the 16th Street Mall in downtown Denver, my favorite area to hang out on weekends. An old-style apartment building, the Grosvenor Arms, on East 16th Street, had a unit available on the fifth floor that I was excited to find—a very cool place, spacious, with windows all around, and even old-style boxes where the milkman used to leave bottles of milk every morning. This time I would have to undergo a credit check, but no sweat: by hacking into the credit reporting agency TRW, I was able to identify several Eric Weisses with reasonably good credit. I used the Social Security number of one of them on my rental application (different from the one I was using for employment). My paperwork sailed through without a problem.

Only about five blocks from my new apartment, Denver’s tourist district offered tons of terrific bars and restaurants. One in particular was a favorite, a Mexican restaurant at 16th and Larimer Streets that was a hangout for lots of great-looking girls. I was still avoiding serious relationships, but chatting up attractive young ladies at the bar didn’t cross any of my barriers of caution, and it helped me feel human. On occasion a gal would sit down next to me and let me buy her a drink or two… or sometimes even buy them for me. Great for the ego.

Having so many restaurants nearby held particular appeal: I ate out almost every meal, rarely fixing even oatmeal or bacon and eggs for myself.

Settling into the new apartment made me feel even more comfortable about being in Denver, yet I knew I could never let my guard down. With full access into PacTel Cellular, I was still keeping track of the cell phone calls that the FBI agents were making to Justin Petersen, aka Eric Heinz, and also watching to see if they were making any calls to Denver phone numbers. A check of Justin’s landline at the safe house showed that his long-distance service, MCI, was still in the name of Joseph Wernle—which meant it was probably still being paid for by the Bureau. Justin’s snitching hadn’t helped the Feds catch me, but they obviously still had him in harness. I wondered what hackers he was targeting and trying to put into prison now that I was out of his reach.

One day while working in the computer room with Darren and Liz, I noticed that Darren had turned his computer at an angle that would make it difficult for anyone else to see what he was doing, which naturally made me suspicious. I fired up a program called “Watch”; aptly named, it let me watch everything on his screen.

I couldn’t believe my eyes. He was in the law firm’s Human Resources directory and had pulled up the payroll file, displaying the pay and bonuses of all the lawyers, assistants, support staff, receptionists, and IT workers, as well as every other employee of the firm, from the highest-earning partner to the lowest-paid clerk.

He scrolled down to a listing that read:

WEISS, ERIC Comp Oper MIS $28,000.00 04/29/93

The nerve of this guy, looking up my salary! But I could hardly complain: I knew he was spying on me only because I was spying on him!
