The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders and Deceivers

Authors: Kevin D. Mitnick, William L. Simon

And that was the case here, providing what Adrian referred to as "the coup de grace." Some Times systems administrator had placed a utility in one of the directories that allows doing what's called a free-form SQL query. SQL, the Structured Query Language, is the standard language for querying most databases. In this case, a pop-up dialog box appeared that allowed Adrian to enter SQL commands with no authentication, meaning that he was able to search virtually any of the databases on the system and extract or change information at will.

He recognized that the device where the mail servers lived was running on Lotus Notes. Hackers know that older versions of Notes allow a user to browse all other databases on that system, and this part of the Times network was running an older version. The Lotus Notes database that Adrian had stumbled onto gave him "the biggest thrill, because they included everyone right down to every newsstand owner, the amounts they made, and their socials," slang for social security numbers. "There was also subscriber information, as well as anybody who'd ever written to complain about service or make inquiries."

Chapter 5 The Robin Hood Hacker

Asked what operating system the Times was running, Adrian answered that he doesn't know. "I don't analyze a network that way," he explained.

It's not about the technology, it's about the people and how they configure networks. Most people are very predictable. I often find that people build networks the same way, over and over again. Many eCommerce sites make this mistake. They assume people will make entries in the proper order. No one assumes the user will go out of order.

Because of this predictability, a knowledgeable attacker could place an order at an online Web site, go through the purchase process to the point where his or her data has been verified, then back up and change the billing information. The attacker gets the merchandise; somebody else gets the credit card charge. (Though Adrian explained the procedure in detail, he specifically asked us not to give a full enough description that would allow others to do this.)
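A defender's illustration of the step-order weakness described above, added here and not taken from the book: a checkout that only remembers that "something" was once verified, beside one that binds the verification to a digest of the exact billing data it verified, so a revisited step cannot reuse an earlier approval. The card numbers and the approval rule are constructed stand-ins for a payment processor.

```python
import hashlib
import json

# Constructed stand-in for a payment processor: it approves exactly one test card.
APPROVED_CARDS = {"4111-0000-0000-0001"}

def authorize(billing: dict) -> bool:
    return billing.get("card") in APPROVED_CARDS

def fingerprint(billing: dict) -> str:
    # Digest of canonical JSON, so key order cannot change the result.
    return hashlib.sha256(json.dumps(billing, sort_keys=True).encode()).hexdigest()

class NaiveCheckout:
    """Remembers only that *some* billing data was once verified (the flaw)."""
    def __init__(self) -> None:
        self.billing: dict = {}
        self.verified = False

    def set_billing(self, billing: dict) -> None:
        self.billing = dict(billing)   # the verified flag survives this edit

    def verify(self) -> bool:
        self.verified = authorize(self.billing)
        return self.verified

    def place_order(self) -> bool:
        return self.verified           # trusts a flag, not the current data

class BoundCheckout(NaiveCheckout):
    """Ties verification to a digest of the exact data that was verified."""
    def verify(self) -> bool:
        ok = authorize(self.billing)
        self.verified_digest = fingerprint(self.billing) if ok else None
        return ok

    def place_order(self) -> bool:
        # Final step re-derives the digest; any edit after verification fails it.
        return getattr(self, "verified_digest", None) == fingerprint(self.billing)

def run(cls, revisit_billing: bool) -> bool:
    """Walk the steps in order; optionally go back and change billing afterwards."""
    co = cls()
    co.set_billing({"name": "Alice", "card": "4111-0000-0000-0001"})
    if not co.verify():
        return False
    if revisit_billing:                # the out-of-order step
        co.set_billing({"name": "Bob", "card": "0000-0000-0000-0000"})
    return co.place_order()
```

The same principle applies to any multi-step flow: the final step must re-validate against what the server currently holds, never against a flag set by an earlier step.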

His point was that systems administrators routinely fail to think with the mind of an attacker, making an attacker's job far easier than it need be. And that's what explains his success with his next step in penetrating the Times' computer network. The internal search engine should not have been able to index the entire site, but it did. He found a program that brought up a SQL form that allowed him control over the databases, including typing in queries for extracting information. He then needed to find out the names of the databases on that system, looking for ones that sounded interesting. In this way he found a database of very great interest: It contained a table of the entire username and password list for what appeared to be every employee of the New York Times.

Most of the passwords, it turned out, were simply the last four digits of the person's social security number. And the company did not bother using different passwords for access to areas containing especially sensitive information -- the same employee password worked everywhere on the system. And for all he knows, Adrian said, the passwords at the Times are no more secure today than they were at the time of his attack.

From there, I was able to log back into the Intranet and gain access to additional information. I was able to get to the news desk and log in as the news manager, using his password.

He found a database listing every person being held by the United States on terrorism charges, including people whose names had not been made public. Continuing to explore, he located a database of everyone who'd ever written an op-ed piece for the Times. This totaled thousands of contributors and disclosed addresses, phone numbers, and social security numbers. He did a search for "Kennedy" and found several pages of information. The database listed contact information on celebrities and public figures ranging from Harvard professors to Robert Redford and Rush Limbaugh.

Adrian added his own name and cell phone number (based in a northern California area code, the number is "505-HACK"). Obviously counting on the paper never figuring out that the listing had been planted there and apparently hoping that some reporter or op-ed page editor might be taken in, he listed his fields of expertise as "computer hacking/security and communications intelligence."

Okay, inappropriate, perhaps inexcusable. Yet even so, to me the action was not just harmless but funny. I still chuckle at the idea of Adrian getting a phone call: "Hello, Mr. Lamo? This is so-and-so from the New York Times." And then he's quoted in a piece, or maybe even asked to write 600 words on the state of computer security or some such topic that runs the next day on the op-ed page of the country's most influential paper.

There's more to the saga of Adrian and the New York Times; the rest of it isn't funny. It wasn't necessary, it wasn't characteristic of Adrian, and it led him into serious trouble. After tampering with the op-ed page database listings, he discovered that he had access to the Times' subscription to LexisNexis, an online service that charges users for access to legal and news information.

He allegedly set up five separate accounts and conducted a very large number of searches -- over 3,000, according to the government.

After three months of browsing through LexisNexis with the New York Times totally unaware that its accounts had been hijacked, Adrian finally reverted to the Robin Hood behavior that had characterized his previous attacks on other companies. He got in touch with a well-known Internet journalist (like me a former hacker) and explained the vulnerability he had exploited that gave him access to the New York Times computer system -- but only after extracting an agreement that the reporter would not publish any information about the break-in until he had first advised the Times and waited until they had fixed the problem.

The reporter told me that when he contacted the Times, the conversation didn't go quite the way either he or Adrian had expected. The Times, he said, wasn't interested in what he had to tell them, didn't want any of the information he offered, had no interest in speaking directly to Adrian to find out the details, and would take care of it on its own. The Times person didn't even want to know what the method of access had been, finally agreeing to write down the details only after the reporter insisted.

The newspaper verified the vulnerability and within 48 hours had the gap sewn up, Adrian says. But Times' executives were not exactly appreciative of having the security problem called to their attention. The earlier Hacking for Girlies attack had received a lot of press, and their embarrassment was no doubt made all the worse because the people responsible were never caught. (And don't think that I had any connection with the attack; at the time, I was in detention awaiting trial.) It's a safe guess that their IT people had been put under a lot of pressure to make sure they would never again be the victim of a hacker break-in. So Adrian's exploration around their computer network may have wounded some egos and damaged some reputations, which would explain the newspaper's uncompromising attitude when it learned he had been taking advantage of their unintended generosity for months.

Maybe the Times would have been willing to show appreciation for being allowed time to plug the gaping hole in its computer system before the story of its wide-open network appeared in print. Maybe it was only when they discovered the LexisNexis usage that they decided to get hard-nosed. Whatever the reason, the Times authorities took the step that none of Adrian's previous victims had ever taken: They called the FBI.

Several months later, Adrian heard the FBI was looking for him and disappeared. The Feds started visiting family, friends, and associates -- tightening the screws and trying to find out whether he had let any of his journalist contacts know where he was hanging out. The ill-conceived plan resulted in attempts to subpoena notes from several reporters Adrian had shared information with. "The game," one journalist wrote, "had suddenly turned serious."

Adrian gave himself up after only five days. For the surrender, he chose one of his favorite places to explore from: a Starbucks.

When the dust had settled, a press release put out by the office of the United States Attorney for the Southern District of New York stated that the "charges incurred" by Adrian's New York Times hack "was [sic] approximately $300,000." His freeloading, according to the government, amounted to 18 percent of all LexisNexis searches performed from New York Times accounts during his romp on their site.[2]

The government had apparently based this calculation on what the charge would be for you or me -- or anyone else who is not a LexisNexis subscriber -- to do individual, pay-as-you-go searches, a fee that is scaled up to as much as $12 for a single query. Even calculated that highly unreasonable way, Adrian would have had to do something like 270 searches every day for three months to reach a total figure that high. And since large organizations like the Times pay a monthly fee for unlimited LexisNexis access, it's likely they never paid a penny additional for Adrian's searches.

According to Adrian, the New York Times episode was an exception in his hacking career. He says he had received thanks from both Excite@Home and MCI WorldCom (which was all the more grateful after they confirmed that he could indeed have had hundreds of employee direct-deposit transfers paid to some account under his control). Adrian sounds not bitter but merely matter-of-fact when he says that "The New York Times was the only one that wanted to see me prosecuted."

To make matters worse for him, the government had apparently somehow induced several of Adrian's earlier victims to file statements of damages suffered -- even including some companies that had thanked him for the information he provided. But maybe that's not surprising: A request for cooperation from the FBI or a federal prosecutor is not something most companies would choose to ignore, even if they had thought differently about the matter up to that time.

The Unique Nature of Adrian's Skills

Highly untypical of a hacker, Adrian is not fluent in any programming language. His success instead relies on analyzing how people think, how they set up systems, the processes that are used by system and network administrators to do network architecture. Though he describes himself as having poor short-term memory, he discovers vulnerabilities by probing a company's Web applications to find access to its network, then trolling the network, patiently building up a mental diagram of how the pieces relate until he manages to "materialize" in some corner of the network that the company thought was hidden in the dark recesses of inaccessibility and therefore safe from attack.

His own description crosses the border into the unexpected:

I believe there are commonalities to any complex system, be it a computer or the universe. We ourselves encompass these commonalities as individual facets of the system. If you can get a subconscious sense of those patterns, sometimes they work in your favor, bring you to strange places.

[Hacking] has always been for me less about technology and more about religion.

Adrian knows that if he deliberately sets out to compromise a specific characteristic of a system, the effort will most likely fail. By allowing himself to wander, guided mainly by intuition, he ends up where he wants to be.

Adrian doesn't believe his approach is particularly unique, but he acknowledges never having met any other hacker who was successful in this way.

One of the reasons none of these companies, spending thousands and thousands of dollars on detection, has ever detected me is that I don't do what a normal intruder does. When I spot a network system open to compromise, I view it the way it's supposed to be done. I think, "Okay, employees access customer information. If I were an employee, what would I ask [the system] to do?" It's hard [for the system] to distinguish legitimate from illegitimate activity because you're going through the same interface an employee would. It's essentially the same traffic.

Once Adrian has the network's layout in his head, "it's less about looking at numbers on a screen and more a sense of actually being in there, spotting patterns. It's a way of seeing, a view on reality. I can't define it, but I see it in my head. I notice what lives where, how it interrelates and connects. And many times this leads me to what some people consider amazing."

During an interview with NBC Nightly News at a Kinko's in Washington, DC, the crew jokingly challenged Adrian to try breaking into NBC's system. He says that with cameras rolling, he had confidential data on the screen in under five minutes.[3]

Adrian tries to approach a system both as an employee and an outsider would. He believes the dichotomy tells his intuition where to go next. He'll even role-play, pretending to himself that he's an employee out to complete a specific assignment, thinking and moving forward in the appropriate way. It works so well for him that people long ago stopped dismissing his uncanny success as chance fumblings in the dark.

Easy Information

One night at the same Starbucks where I had once had coffee with him, Adrian got an earful. He was sitting there with a cup of coffee when a car pulled up and five men piled out. They sat down at a nearby table, and he listened to their conversation; it quickly became apparent that they were law enforcement, and he was pretty sure they were FBI.

They talked shop for about an hour, entirely oblivious to the fact that I'm sitting there not touching my coffee. They're talking shop talk -- who was liked, who was disliked.

They made agent jokes about how you could tell the power of an agency by the size of the badge it issued. FBI agents wear very
