Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker (50 page)
Read Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker Online
Authors: Kevin Mitnick,Steve Wozniak,William L. Simon
Tags: #BIO015000
It’s remarkable how the subconscious mind can swing into action and devise a plan in an instant. I opened my mouth, and what came out was, “Hey, I know you. Where do you shop for groceries?”
“Smith’s, on Maryland Parkway,” he answered as he struggled to remember where he recognized me from.
“Yeah, right,” I said. “That’s where I’ve seen you. I shop there all the time.”
“Oh, I thought I’d seen you before,” he said, sounding satisfied.
Now I had to change my story because I had used “London” the last time as well. Instead, I told him I had been serving in the Peace Corps in Uganda and hadn’t been behind the wheel of a car in five years.
Worked like a charm. He was pleased with how quickly I recovered my driving ability.
I passed the test without a hitch and walked away with my Michael Stanfill driver’s license.
An End and a Beginning
Hacking the Samurai
Ozg ojglw lzw hshwj gf AH Khggxafy lzsl BKR skcwv ew stgml?
W
ith my new identity credentials in order, it was time to get clear of Las Vegas before my luck ran out. The 1994 Christmas/New Year’s holiday time was just ahead, and I couldn’t resist the idea of a return visit to Denver, a city I had grown so fond of. Packing up, I took along an old ski jacket of mine, thinking I might be able to get in a little more time on the slopes over the holidays.
But once I arrived in Denver and settled into an attractive, medium-priced hotel, two people I had never met—that arrogant Japanese-American security expert whose server I had hacked into a year earlier, the other an extraordinarily skilled computer hacker in Israel—would become actors in a drama that would change the entire rest of my life.
I had come across an Israeli who went by his initials, “JSZ”; we met over Internet Relay Chat, an online service for finding and chatting with strangers who shared similar interests. In our case, the interest was hacking.
Eventually he told me that he had hacked most if not all of the major software manufacturers that developed operating systems—Sun, Silicon Graphics, IBM, SCO, and so on. He had copied source code from their internal development systems and planted backdoors to get back in anytime he wanted. That was quite a feat—very impressive.
We started sharing our hacking conquests with each other and information on new exploits, backdooring systems, cell phone cloning, acquiring source code, and compromising the systems of vulnerability researchers.
During one call he asked if I had read “the Morris paper on IP spoofing,” which revealed a major vulnerability in the core protocol of the Internet.
Robert T. Morris, a computer prodigy, had found a clever security flaw that could be exploited using a technique called “IP spoofing” to bypass authentication that relied on the remote user’s IP address. Ten years after Morris published his paper, a group of hackers, including JSZ in Israel, had created a tool for it. Since it was only theoretical up to that time, nobody had thought to protect against it.
For the technically minded, the IP spoofing attack in this case relied on an older technology known as the R-services, which required configuring each computer system so that it would accept trusted connections, meaning that a user could log in to an account—depending on the configuration—without needing to provide the password. This made it possible for a system admin to configure a server to trust other computers for the purpose of authentication. One example is where a system admin manages multiple machines, so when he or she is logged in as root, no password would be required to log in to other systems that trust the server.
In the IP spoofing attack, the attacker’s first step is to look for other systems that are likely to be trusted by the root account on the target server, meaning a user logged in to root on a trusted system can log in to the root account on the target server without supplying a password.
It wasn’t too difficult in this case. By using the “finger” command, the attacker was able to identify that our victim was connected to the target system from another computer located in the same local area network. It was very likely that these two systems trusted each other for root access. The next step was to establish a connection to the target system by forging the trusted computer’s IP address.
This is where it got a bit tricky. When two systems are establishing an initial connection over TCP, a series of packets are sent back and forth to create a “session” between them. This is called a “three-way handshake.” During the handshake, the target system
transmits a packet back to the machine trying to establish the connection. Because the targeted server believes it’s responding to the
real
system’s request to establish a connection, the handshake process fails because the attacker’s system never receives the packet to complete the three-way handshake.Enter the TCP sequence number: the protocol uses sequence numbers to acknowledge the receipt of data. If the attacker could predict the sequence number of the packet being sent from the target system to the
real
server during the initial handshake, he could complete the process by sending an acknowledgment packet (with the correct sequence number), and establish a connection appearing to be from the trusted machine.This effectively established a session by guessing the TCP sequence number. Because the targeted system was fooled into thinking it had established a connection with a trusted machine, it allowed the attacker to exploit the trust relationship, and bypass the usual password requirement—allowing full access to the machine. At this point, the attacker could write over the current .rhosts file on the target machine, allowing anyone access to the root account without a password.
In summary, the attack relied on the attacker being able to predict the TCP sequence number of the packet sent by the target computer at the time of the initial contact. If an attacker could successfully predict the TCP sequence number that the target would use during the handshaking process, the attacker could impersonate a trusted computer and bypass any security mechanisms that rely on the user’s IP address.
I told JSZ I had read the article. “But it’s theoretical. Hasn’t been done yet.”
“Well, my friend, methinks it has. We’ve already developed the tool, and it works—amazingly well!” he said, referring to a piece of software that he and some associates spread throughout Europe had been working on.
“No way! You’re kidding me!”
“I’m not.”
I asked him if I could have a copy.
“Maybe later,” he said. “But I’ll run it for you anytime you want. Just give me a target.”
I shared with JSZ the details of my hack into Mark Lottor’s server and his interesting connection with Tsutomu Shimomura, using his nickname. I explained how I’d hacked into UCSD and sniffed the network until someone named “ariel” connected to Shimomura’s server, after which I was finally able to get in. “Shimmy somehow realized that one of the people who had access to his computer had been hacked, and he booted me off after several days,” I said.
I had seen some of the security bugs Shimmy had reported to Sun and DEC and been impressed with his bug-finding skills. In time I would learn that he had shoulder-length straight black hair, a preference for showing up at work wearing sandals and “raggedy-ass jeans,” and a passion for cross-country skiing. He sounded every bit like the kind of Californian conjured by the term “dude”—as in, “Hey, dude, howz it hangin’?”
I told JSZ that Shimmy might have the OKI source code or the details of his and Lottor’s reverse engineering efforts, not to mention any new security bugs he might have discovered.
On Christmas Day 1994, walking out of a movie at the Tivoli Center in downtown Denver, I powered up my cloned cell phone and called JSZ to jokingly wish him a Jewish Merry Christmas.
“Glad you called,” he said. In a cool, collected voice, he told me, “I have a Christmas present for you. My friend, I got into ariel tonight.” And he gave me the port number where he’d set up the backdoor. “Once you connect, there is no prompt. You just type ‘.shimmy.’ and you get a root shell.”
“No fucking way!”
To me it was a great Christmas present. I had been wanting to get back into Shimmy’s computer to find out more about what he and Mark Lottor were up to with the OKI cell phone project, and I wanted to know if either of them had access to the source code. Either way I was going to grab whatever information I could find on his server related to the OKI 900 and 1150 cell phones.
It was known in the hacker community that Shimmy had a very arrogant demeanor—he thought he was smarter than everyone else around him. We decided to bring his ego down a few notches toward reality—just because we could.
The drive back to the hotel in my rental car felt like just about the longest twenty minutes of my life. But I didn’t dare drive faster than the flow of traffic. If I got pulled over and the cop came up with something suspicious about my driver’s license, it might be a hell of a lot longer than twenty minutes before I could get online again. Patience, patience.
As soon as I walked into my hotel room, I powered up my laptop and dialed up to Colorado Supernet, masking the call as usual by using my cell phone cloned to some random Denverite.
I fired up a network talk program that would make a direct connection to JSZ’s computer in Israel so we could communicate in one window as we hacked Shimmy in another. I connected to Shimmy’s computer using the backdoor that JSZ had set up. Bingo!—I was in with root privileges.
Incredible! What a high! That must be what a kid feels on reaching the top level of a video game that he’s struggled with for months. Or like reaching the summit of Mount Everest. Thrilled, I congratulated JSZ on a job well done.
For openers, JSZ and I probed Shimmy’s system looking for the most valuable information—anything to do with security bugs, his email, and any files that had “oki” in their name. He had tons of files. As I was archiving and compressing everything that matched my criteria, JSZ was also probing around for anything that would be useful. Both of us were very concerned that Shimmy might decide to log in to check his email for Christmas greetings and find out he was being hacked. We wanted to get his stuff before he figured it out. I was worried he might pull the network connection, just as Lottor had done several months earlier.
We were working fast to get the information off Shimmy’s machine. My endorphins were on major overload.
After searching, archiving, and compressing, I needed a place to store the code for safekeeping. No problem: I already had root access to every server at the Whole Earth ’Lectronic Link, commonly known as “the Well.” Started by Stewart Brand and a partner, the Well had as its users a who’s who of the Internet, but the celebrity status of the site didn’t matter to me at all. My only concern was whether there was enough disk space and whether I could hide the files well enough that the system admins wouldn’t notice them. In fact, I had been spending lots of time on the site. A few days after John Markoff’s front-page
New York Times
story appeared, I discovered he had an account on the Well. An easy target: I had been reading his emails ever since, searching for anything related to me.
After I finished moving the targeted stuff, we decided to just grab
everything
in Shimmy’s home directory. JSZ archived and compressed his entire home directory into a single file that amounted to more than 140 megabytes.
We held our breath until the file was successfully transferred, then gave each other electronic high-fives over chat.
JSZ moved a copy of the file to a system in Europe in case some Well system admin happened to find the huge file and delete it. I also copied the file to a couple of other locations.
JSZ kept telling me that finding the simple backdoor he had set up for my access would be easy for Shimmy. I agreed: it was too easy to find. I suggested that we consider placing a more sophisticated backdoor in the operating system itself, where it would be much harder to detect.
“He’ll find it,” JSZ countered.
“Yeah, we could always get back in later the same way,” I said.
I logged off the system, and JSZ cleaned up, removing the simple backdoor and deleting all logs of our activity.
It was a very exciting moment. We had gotten into the security expert’s server—in my case, for the
second
time in little over a year. JSZ and I decided we would each examine Shimmy’s files independently and then report back to the other on what we found.
But no matter how careful we were to erase our tracks, I figured it was almost certain that Shimmy would stumble onto some telltale sign we had overlooked.
Sifting through Shimmy’s old emails, I came across messages back and forth between him and my nemesis,
New York Times
technology scribe John Markoff. The two of them had been exchanging emails going back to early 1991 about me—trading bits of information on what I was up to, as in an exchange in early ’92 that showed Shimmy had gone to the trouble of researching online for my ham radio license, call sign N6NHG. He also emailed Markoff asking whether the FCC had a rule against issuing ham radio licenses to a person convicted of a felony.
