Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker (43 page)

Read Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker Online

Authors: Kevin Mitnick,Steve Wozniak,William L. Simon

Tags: #BIO015000

BOOK: Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker
5.46Mb size Format: txt, pdf, ePub

Then I went up on Netcom and transferred the source code to one of the servers at USC that I was using as a storage locker.

This hack was a big deal, but for me, it had been too easy. Where was the satisfaction?

So next I set myself an even bigger challenge: to break into NEC’s network and download the source code for all the NEC cell phones used in the United States. And while I was at it, I might as well get set up for England and Australia too, in case one day I decided to try living in either of those countries, right?

Matt Ranney, at NEC in Dallas, was willing to create a dial-in account for me, based on my story that I was visiting temporarily from the NEC facility in San Jose, California, and needed local connectivity—though first I had to convince his boss as well. Once I was logged in, it was easy to get root using one of the exploits I had found in my earlier hack into Sun. Adding a backdoor to the log-in program, I gave myself a secret password—“.hackman.”—that allowed me to log in to anyone’s account, including root. With another tool from my hacker’s bag of tricks, I “tweaked the checksum,” so the backdoored version of log-in would be less likely to be detected.

Back in those days, a system administrator would do a checksum on a system program, such as “log-in,” to see if it had been modified. After I compiled a new version of log-in, I modified the checksum back to its original value, so that even though the program had been backdoored, any check would come back as clean.

The Unix “finger” command gave me the names of users who were
currently logged in to mrdbolt. One was Jeff Lankford; the listing gave his office phone number and showed that he had been typing on his keyboard until just two minutes earlier.

I called Jeff, posing as “Rob in the IT Department,” and asked, “Is Bill Puknat in?” giving the name of another engineer in the Mobile Radio Division. No, Bill wasn’t in.

“Oh, damn. He called us with a trouble ticket, saying he couldn’t create files that began with a period. Have you had any problem like that?”

No.

“Do you have a .rhosts file?”

“What’s that?”

Ahhh: music to my ears. It was like a carnival worker’s slipping a chalk mark onto the back of someone’s jacket to let other carneys know the guy was a patsy, or a “mark” (the origin of that meaning of the word).

“Well, okay,” I said. “Do you have a few moments to run a test with me so I can close this trouble ticket?”

“Sure.”

I told him to type:

 

echo “+ +” >~ .rhosts

 

Yes, a variation of the .rhosts hack. I provided him with a reasonable-sounding explanation for each step, very nonchalantly, so he thought he understood what was happening.

Next I asked him to type “ls- al” to get a directory listing of his files.

As his directory listing was being displayed on his workstation, I typed

 

rlogin lankforj@mrdbolt

 

which logged me into his account, “lankforj,” on the mrdbolt server.

And I was into his account without needing his password.

I asked Jeff if he saw the .rhosts file that we had just created, and he confirmed that he did. “Great,” I said. “Now I can close the trouble ticket. Thanks for taking the time to test it.”

And then I had him delete the file to make it appear that everything was back to its original state.

I was so excited. As soon as we hung up, I quickly obtained root access and set up the log-in backdoor on the mrdbolt server. I started typing at hyperspeed, so charged I couldn’t slow my fingers down.

My guess had been correct: mrdbolt was the mother lode, the link used to share development work among the Mobile Radio Division, NEC USA, and NEC Japan. I found several versions of source code for several different NEC handhelds. But the source code I really wanted, for the NEC P7, wasn’t online. Damn! All that effort, and I wasn’t hitting pay dirt.

Since I was already into the internal network, maybe I could get the code from NEC Japan. Over the next several weeks, I would be able without much difficulty to get access to all the servers used by the Mobile Radio Division in Yokohama.

I continued my search for the cell phone source code but found that there was a massive excess of information: the company was developing phones for a number of different markets, including the United Kingdom, other European countries, and Australia. Enough, already; it was time for an easier approach.

I checked the mrdbolt server to see who was logged in. Jeff Lankford appeared to be a workaholic: well after the end of the normal working day, he was still online.

For what I had in mind, I needed privacy. Darren and Liz had already left for the day; Ginger had the swing shift, so she was still around, but her office was on the opposite side of the computer room. I partly closed the door to the space I shared with my coworkers, leaving it just far enough ajar that I could see if anyone approached.

What I was about to do was gutsy. I was no Rich Little when it came to doing accents, but I was going to try to pass myself off as Takada-san, from NEC Japan’s Mobile Radio Division.

I called Lankford at his desk. When he picked up the phone, I launched into my act:

“Misterrrrr, ahhh, Lahngfor, I Takada-san… from Japan.” He knew the name and asked how he could help.

“Misterrrrr Lahng… for—we no find, ahhhh, vers’n three ohh five
for hotdog uhh project”—using the codename I’d picked up for the NEC P7 source code. “Can you, ahhh, put on mrdbolt?”

He assured me that he had Version 3.05 on floppy and could upload it.

“Ahhh, thank… ahhh, thank you, Mr. Jeff…. I check mrdbolt soon. Bye.”

Just as I was ringing off in my apparently not-too-pathetic accent, the door swung all the way open, and Ginger was standing there.

“Eric… what are you
doing?
” she asked.

Bad timing.

“Oh, just playing a joke on a buddy of mine,” I told her.

She gave me a weird look, then turned and walked away.

Whoa! Close call!

I logged into mrdbolt and waited for Jeff to finish uploading the code, which I then immediately transferred to a system at USC for safekeeping.

During this period, I was constantly searching through all the administrator emails at NEC for certain keywords, including
FBI, trace, hacker, gregg
(the name I was using),
trap
, and
security
.

One day I came across a message that rocked me on my heels:

 

FBI called because source code showed up at a site that they monitor in LA. May 10th the files were FTP’ed from netcom7 to site in LA. 5 files, containing about 1 total meg of stuff. 1210-29.lzh p74428.lzh v3625dr.lzh v3625uss.lzh v4428us.scr. Kathleen called Bill Puknat.

 

Puknat—whose name I had dropped in my first phone conversation with Jeff Lankford—was the lead software engineer for the Mobile Radio Division in the States. “Kathleen” must be Kathleen Carson, from the FBI in Los Angeles. And “a site that they monitor in LA” had to mean the Feds were watching the systems where I was storing the NEC files: USC. They had been watching most or all of my transfers to USC.

Shit!

I needed to find out how I was being watched, and how long it had been going on.

Examining the systems I had been using at USC, I found that a monitoring program had been installed to spy on my activities, and I was even able to identify the USC system administrator who had set it up, a guy named Asbed Bedrossian. Reasoning that one good spy deserved another, I located the host where he and other USC system administrators received their email—
sol.usc.edu
—got root access, and searched Asbed’s mail, in particular for the term
FBI
. I came upon this:

 

Heads up! We have a security incident. We have two accounts that are being monitored by the FBI and by sysadmin ASBED. The accounts have been compromised. If you receive a call from ASBED, please co-operate with capture and copy files, etc. Thanks.

 

It was bad enough that these guys had found one account I was using; now I knew they had found the second one as well. I was worried but at the same time pissed that I hadn’t caught on to the monitoring sooner.

I figured Asbed must have noticed that a huge amount of file space was being used that couldn’t be accounted for. When he took a peek, he would have realized immediately that some hacker was storing purloined software on the system. Since I had used several USC systems to store source code during my DEC hack in 1988, I assumed I was at the top of the suspect list.

I learned later that the Feds had started looking through the files and calling companies to alert them that proprietary source code had been lifted from their systems and was now residing on a server at USC.

Jonathan Littman wrote in his book
The Fugitive Game
about a meeting that took place in early 1994, convened, he says, by prosecutor David Schindler and held at the FBI’s Los Angeles office. Attending were “embarrassed and alarmed” representatives from the major cell phone manufacturers I had hacked into. Not a single person wanted it known that their company had been the victim of a hack—not even in this roomful of other victims. Littman says Schindler told him, “I had to dole out aliases. This guy was from company A, this guy was from company B. They wouldn’t do it any other way.”

“Everyone suspected Mitnick,” Littman wrote, adding that Schindler wondered aloud, “What’s the purpose of gathering all this code? Is somebody sponsoring him? Is he selling it? From a threat assessment, what can he do with it?”

Apparently it never occurred to any of them that I might be doing it just for the challenge. Schindler and the others were stuck in what you might call “Ivan Boesky thinking”: for them, hacking made no sense if there wasn’t money being made from it.

THIRTY
Blindsided
 

Ouop lqeg gs zkds ulv V deds zq lus DS urqstsn’t wwiaps?

 

B
y the late spring of 1994, I was still using my Eric Weiss identity and still working at the law firm in Denver. It wasn’t unusual for me to spend my entire lunch hour on my cell phone. This was long before the landscape became littered with people enjoying the freedom of gabbing wirelessly: these were the days when airtime still cost a dollar per minute. Looking back, I’m sure it must have seemed extremely suspicious that I spent so much time on the cell phone, especially since I was making only $28,000 a year.

One day all of us from the IT Department had a luncheon with Elaine and her boss, Howard Jenkins. During our idle chitchat, Jenkins said to me, “Eric, you went to college in Washington. How far were you from Seattle?”

I thought I had done enough background research to cover myself, having memorized the names of professors who were teaching at Ellensburg during the appropriate years to match my résumé and so forth. But I couldn’t even come close to answering this question. I faked a coughing fit, waved an apology, and, coughing all the way, hurried to the men’s room.

From a stall, I called Central Washington University on my cell phone and told the lady in the registrar’s office that I was thinking of applying but wondered how long a drive it was from Seattle. “Two hours or so,” she said, “if it’s not rush hour.”

I hustled back to the lunch meeting, apologizing for running out,
saying some food had gone down the wrong pipe. When Howard looked at me, I said, “I’m sorry, what did you ask me before?”

He repeated his earlier question.

“Ah, about two hours without a lot of traffic,” I answered. I smiled and asked if he had ever been to Seattle. For the rest of the lunch meeting, no other pointed questions were directed toward me.

Other than my concerns about my cover, the job had been going relatively smoothly for more than a year. And then I got blindsided. While looking for some paperwork on Elaine’s desk one evening, I ran across an open folder containing the layout for a Help Wanted ad for an IT professional. The description of duties was a perfect match for Darren’s job. Or mine.

That was a real wakeup call. Elaine had never mentioned that the firm was looking to add another person, which could mean only one thing: she and her bosses were getting ready to fire one of us. But which of us was headed for the guillotine?

I immediately started digging for the answer. The more I uncovered, the more complex the backstabbing became. I already knew that Elaine had a huge issue with Darren, having to do with his being overheard consulting with an outside client on company time. And then I discovered another smoking gun in a Ginger-to-Elaine email that read in part, “Eric is here all the time, working intently on something but I don’t know what.”

I needed more info. After business hours, I went down to the HR manager’s office on the 41st floor. I had scoped it out days earlier. The janitors were in the habit of starting their rounds by opening up all the doors: perfect. I waltzed in, hoping I could still count on my lock-picking skills.

Other books

The Incredible Banker by Subramanian, Ravi
Calm, Cool, and Adjusted by Kristin Billerbeck
Cat Under Fire by Shirley Rousseau Murphy
Chronicles of Eden - Act V by Alexander Gordon
The Escapement by K. J. Parker
The Classical World by Robin Lane Fox