Read Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker Online
Authors: Kevin Mitnick, Steve Wozniak, William L. Simon
As I started to walk to my apartment through a beginning snowfall, I called toll-free directory assistance and asked for Motorola, then called that number and told the friendly receptionist who answered that I was looking for the project manager for the MicroTAC Ultra Lite project.
“Oh, our Cellular Subscriber Group is based in Schaumburg, Illinois. Would you like the number?” she asked. Of course I would.
I called Schaumburg and said, “Hi, this is Rick with Motorola in Arlington Heights. I’m trying to reach the project manager for the MicroTAC Ultra Lite.” After being transferred around to several different people, I ended up speaking with a vice president in Research and Development. I gave him the same line about being from Arlington Heights and needing to reach the MicroTAC project manager.
I was worried that the executive might get suspicious about the traffic noises and occasional horns being blown by drivers eager to get home before the snow started piling up, but no. He just said, “That’s Pam, she works for me,” and gave me her telephone extension. Pam’s voicemail message announced that she was away on a two-week vacation, then advised, “If you need any help whatsoever, please call Alisa,” and gave her extension.
I called the number and said, “Hi, Alisa. It’s Rick with Research and Development in Arlington Heights. When I spoke to Pam last week, she talked about going on vacation. Did she leave yet?”
Of course Alisa answered, “Yes.”
“Well,” I said, “she was supposed to send me the source code for the MicroTAC Ultra Lite. But she said if she didn’t have time before she left, I should call you and you’d help me out.”
Her response was, “What version do you want?”
I smiled.
Great—no challenges about my identity, and she’s willing to help. But of course, I had no idea what the current version was, or even what numbering system was being used. So I just said, flippantly, “How about the latest and greatest?”
“Okay, let me check,” she said.
I trudged along. The snow was beginning to stick and pile up underfoot. I had a ski cap pulled down over one ear and was holding my bulky cell phone to the other, trying unsuccessfully to keep the ear warm by pressing the phone hard against it. As Alisa clacked away on her keyboard, I looked for a building to duck into so the traffic noise wouldn’t set off alarm bells, but there was nowhere to go. Minutes passed.
Finally she said, “I found a script in Pam’s directory that will let me extract any software version for the Ultra Lite. Do you want ‘doc’ or ‘doc2’?”
“ ‘doc2,’ ” I answered, figuring it would be the later version.
“Just a sec. I’m extracting it to a temporary directory,” she said. And then, “Rick, there’s a problem.” Just my luck. “I have lots of files in numerous directories. What do you want me to do?”
It sounded like it was time for some archiving and compression. “Do you know how to use ‘tar’ and ‘gzip’?” No, she didn’t. So I asked, “Would you like to learn?”
She answered that she loved learning new things, so I became her tutor for the moment, walking her step-by-step through the process of archiving and compressing the source code files into a single file.
Cars were sliding around now on the slippery streets, even more horns were honking. I kept thinking, Any minute she’ll notice the horns and start asking questions. But if she heard any of it, she must have thought it was just traffic sounds outside my office window; she didn’t say a word about it. At the end of the lesson, we had a three-megabyte file that contained not only the latest source code but also a copy of the server’s “/etc” directory, which included, among other things, a copy of the password file with every user’s password hash. I asked Alisa if she knew how to use “FTP.”
“File transfer program? Sure,” she answered.
She already understood that FTP would allow her to transfer files among computer systems.
At this point I was kicking myself in the butt for not being better prepared. I had never expected to get this far in such a short time. Now that Alisa had found the latest release of the source code and compressed it into a single file, I needed to walk her through the steps required to send me the file. But I couldn’t give her one of the hostnames I was using, and obviously I didn’t have a hostname that ended in Motorola’s “mot.com.” I thought of a work-around: thanks to my knack for remembering numbers, I knew the IP address of one of Colorado Supernet’s servers, named “teal.” (Each reachable computer and device on a TCP/IP network has its own distinctive address, such as “128.138.213.21.”)
I asked her to type in “FTP,” followed by the IP address. That should have established a connection to Colorado Supernet, but it kept timing out on each attempt.
She said, “I think this is a security issue. Let me check with my security manager about what you’re asking me to do.”
“No, wait, wait, wait,” I said, more than a little desperate. Too late: I was on hold.
After a few minutes, I started feeling pretty nervous. What if they hooked up a tape recorder and began recording me? By the time Alisa came back on the line some minutes later, my arm was getting sore from holding the cell phone.
“Rick, I just spoke to my security manager. The IP address you gave me is outside of Motorola’s campus,” she said.
I didn’t want to say any more than was absolutely necessary, just in case.
“Uh-huh,” I answered.
“Instead my security manager told me I have to use a special proxy server to send you the file, for security reasons.”
I started to feel a great sense of disappointment, thinking, That’s the end of this little hack.
But she was going on: “The good news is, he gave me his username and password for the proxy server so I can send you the file.” Incredible! I couldn’t believe it. I thanked her very much and said I might call back if I needed further help.
By the time I reached my apartment, the complete source code for Motorola’s hottest new product was waiting for me. In the time it had taken me to walk home through the snow, I had talked Alisa into giving me one of her employer’s most closely guarded trade secrets.
I called her back a number of times over the next few days to get different versions of the MicroTAC Ultra Lite source code. It was like the CIA having a mole in the Iranian embassy who didn’t even realize he was passing on information to an enemy of the state.
If getting the source code for one cell phone had been that easy, I started thinking, maybe I could somehow get into Motorola’s development servers so I could copy all the source code I wanted without needing help from Alisa or any other cooperative employee. Alisa had mentioned the hostname of the file server where all the source code was stored: “lc16.”
On a long shot, I checked the current weather in Schaumburg, Illinois, where Motorola’s Cellular Subscriber Group was located. And there it was: “The snowstorm that began yesterday will last through tonight and into tomorrow, winds gusting to thirty miles per hour.”
Perfect.
I got the phone number for their Network Operations Center (NOC). From my research, I knew that Motorola’s security policy for employees dialing in from a remote location required more than just a username and password.
They required two-form-factor authentication—in this case, that included using the SecurID described earlier, a product from a company called Security Dynamics. Every employee who needs to connect remotely is issued a secret PIN and is given a device the size of a credit card to carry with him or her that displays a six-digit passcode in its display window. That code changes every sixty seconds, seemingly making it impossible for an intruder to guess it. Anytime a remote user needs to dial in to Motorola’s campus, he or she has to enter a PIN followed by the passcode displayed on their SecurID device.
I called the Network Operations Center and reached a guy I’ll call Ed Walsh. “Hi,” I said. “This is Earl Roberts, with the Cellular Subscriber Group”—giving the name and group of a real employee.
Ed asked how things were going, and I said, “Well, not so great. I can’t get into the office because of the snowstorm. And the problem is, I need to access my workstation from home, but I left my SecurID in my desk. Can you go grab it for me? Or can somebody? And then read off my code when I need to get in? Because my team has a critical deadline, and I can’t get my work done. And there’s no way I can get to the office, the roads are much too dangerous.”
He said, “I can’t leave the NOC.”
I jumped right in: “Do you have a SecurID for the Operations Group?”
“There’s one here in the NOC,” he said. “We keep one for the operators in case of an emergency.”
“Listen,” I said, “can you do me a big favor? When I need to dial into the network, can you read me the code from your SecurID? Just until it’s safe for me to drive in.”
“Who are you again?” he asked.
“Earl Roberts.”
“Who do you work for?”
“For Pam Dillard.”
“Oh, yeah, I know her.”
When he’s liable to be faced with tough sledding, a good social engineer does more than the usual amount of research. “I’m on the second floor,” I went on. “Next to Steve Littig.”
He knew that name as well. Now I went back to work on him. “It’d be much easier just to go to my desk and grab my SecurID for me.”
Walsh didn’t want to say no to a guy who needed some help, but he didn’t want to say yes, either. So he sidestepped the decision: “I’ll have to ask my boss. Hang on.” He put the phone down, and I could hear him pick up another phone, put in the call, and explain the request. Walsh then did something inexplicable: he told his boss, “I know him. He works for Pam Dillard. Can we let him temporarily use our SecurID? We’d tell him the code over the phone.”
He was actually vouching for me—amazing!
After another couple of moments, Walsh came back on the line and said, “My manager wants to talk to you himself,” and gave me the guy’s name and cell phone number.
I called Ed’s manager and went through the whole story one more time, adding a few details about the project I was working on and emphasizing that my product team had to meet a mission-critical deadline. “It’d be a whole lot easier if someone just went and got my SecurID,” I said. “My desk isn’t locked, and it should be there in my upper left-hand drawer.”
“Well,” said the manager, “just for the weekend, I think we can let you use the one in the NOC. I’ll tell the guys on duty that when you call, it’s okay to read off the pass code,” and he gave me the PIN to use with it.
For the whole weekend, every time I wanted to dial in to Motorola’s internal network, all I had to do was call the Network Operations Center and ask whoever answered to read off the six digits displayed on the SecurID.
But I wasn’t home free yet. When I dialed in to Motorola’s dial-up terminal server, the systems I was trying to reach, in the Cellular Subscriber Group, weren’t available. I’d have to find some other way in.
The next step took chutzpah: I called back Walsh in the Network Operations Center. I complained, “None of our systems are reachable from the dial-up terminal server, so I can’t connect. Could you set me up with an account on one of the computers in the NOC so I can connect to my workstation?”
Ed’s manager had already said it was okay to give me the passcode displayed on the SecurID, so this new request didn’t seem unreasonable. Walsh temporarily changed the password on his own account on one of the NOC’s computers and gave me the information to log in, then said, “Call me when you don’t need it anymore so I can change my password back.”
I tried to connect to any one of the systems in the Cellular Subscriber Group, but I kept being blocked; apparently they were all firewalled. By probing around Motorola’s network, I finally found one system with the “guest” account enabled—meaning that the gates had been left open, and I could log in. (I got a surprise when I identified this system as a NeXT workstation, produced by the short-lived company Steve Jobs founded before he returned to Apple.) I downloaded the password file and cracked the password of somebody who had access to that machine, a guy named Steve Urbanski. It didn’t take my password cracker long: the username he used to access the NeXT computer was “steveu,” and he had chosen “mary” as his password.
I immediately tried to log in to the “lc16” host in the Cellular Subscriber Group from the NeXT workstation, but the password didn’t work. Huge bummer!
Fine. The information about Urbanski’s credentials would come in handy later. What I needed, though, was not his NeXT account but the password for his account on the Cellular Subscriber Group’s servers, which held the source code I wanted.
I tracked down Urbanski’s home phone number and called him. Claiming to be from “the NOC,” I announced, “We’ve suffered a major hard disk failure. Do you have any files you need to recover?”
Duh! He did!
“Well, we can do that on Thursday,” I told him. Thursday meant he would be without his work files for three days. I held the phone away from my ear as I got the expected explosion.
“Yeah, I can understand,” I said sympathetically. “I guess I can make an exception and put you ahead of everybody else if you’ll keep it to yourself. We’re setting up the server on a brand-new machine, and I’ll need to re-create your user account on the new system. Your username is ‘steveu,’ right?”