|
TWENTY-NINE
Departure
126 147 172 163 040 166 172 162 040 154 170 040 157 172 162
162 166
156 161 143 040 145 156 161 040 163 147 144 040 115 156 165 144
153 153
040 163 144 161 154 150 155 172 153 040 162 144 161 165 144 161
040
150 155 040 122 172 155 040 111 156 162 144 077
T
he law firm threw its annual Christmas bash in mid-December. I went
only because I didn’t want people to wonder why I wasn’t there. I nibbled
at the lavish food but steered clear of the flowing liquor, afraid it might
loosen my tongue. I wasn’t really a drinker anyway; zeros and ones were
my brand of booze.
Any good snoop watches his back, doing countersurveillance to be sure his
opponents aren’t catching on to his efforts. The entire time I had been using
Colorado Supernet—for eight months, ever since my arrival in Denver—I
had been electronically looking over the system administrators’ shoulders to
make sure they hadn’t caught on to the way I was using their servers as a
massive free storage locker, as well as a launchpad into other systems. That
involved observing them at work; sometimes I’d simply log on to the
terminal server they used and monitor their online sessions over the span of
a couple of hours or so. And I was also checking that they weren’t watching
any of the other accounts I was using.
One night, I decided to target the lead admin’s personal workstation to
see if any of my activity had been noticed. I searched his email for
keywords that would indicate if he was aware of any ongoing security
issues.
I stumbled across a message that got my attention. The admin was
sending someone log-in records about my Novell break-in. A few weeks
earlier, I had been using an account named “rod” to stash the NetWare
source code on a server at Colorado Supernet. Apparently it hadn’t gone
unnoticed.
the login records for “rod” during the times that the folks at
Novell reported break-ins, and connections FROM Novell during
that time. Note that a couple of these do originate via Colorado
Springs dial-up (719 575-0200).
I started frantically going through the admin’s emails.
And there it was, double-masked: an email from the admin using an
account from his personal domain—“
xor.com
”—rather than his Colorado
Supernet account. It had been sent to someone whose email address was not
at a government domain but who was nonetheless being sent logs of my
activity, which included logging in to Colorado Supernet from Novell’s
network and transferring files back and forth.
I called the FBI office in Denver, gave the name the email had been
addressed to, and was told there was no FBI agent by that name in the
Denver office. I might want to try the Colorado Springs office, the operator
suggested. So I called there and learned that, yes, dammit, the guy was
indeed an FBI agent.
Oh,
shiiiiit
.
I’d better cover my ass. And quickly. But how?
Well, I have to admit that the plan I came up with may not actually have
been all that low-key or cover-your-ass, though I knew I had to be very,
very careful.
I sent a bogus log file from the administrator’s account to the FBI agent,
telling him “we” had more logs detailing the hacker’s activities. I hoped he
would investigate and end up chasing a red herring as I continued working
on my hacking projects.
We call this tactic “disinformation.”
But knowing that the FBI was on the hunt for the Novell hacker wasn’t
enough to make me shut down my efforts.
Since Art Nevarez had become suspicious, I assumed that the Novell
Security team would be forming a posse, trying to figure out what had
happened and how much source code had been exposed. Shifting my target,
I now focused on the Novell offices in San Jose, looking for the dial-up
numbers in California. Social-engineering calls led me to a guy named
Shawn Nunley.
“Hi, Shawn, this is Gabe Nault in Engineering in Sandy. I’m heading
over to San Jose tomorrow and need a local dial-up number to access the
network,” I said.
After some back and forth, Shawn asked, “Okay, what’s your
username?”
“ ‘g–n–a–u–l–t,’ ” I said, spelling it out slowly.
Shawn gave me the dial-up number to the 3Com terminal server, 800-
37-TCP-IP. “Gabe,” he said, “do me a favor. Call my voicemail number at
my office and leave me a message with the password you want.” He gave
me the number, and I left the message as he’d instructed: “Hi, Shawn, this is
Gabe Nault. Please set my password to ‘snowbird.’ Thanks again,” I said.
There was no way I was going to call the toll-free 800-number Shawn had
given me: when you call a toll-free number, the number you’re calling from
is automatically captured. Instead, the next afternoon I called Pacific Bell
and social-engineered the POTS number associated with the number Shawn
had given me; it was 408 955-9515. I dialed in to the 3Com terminal server
and tried to log in to the “gnault” account. It worked. Perfect.
I started using the 3Com terminal server as my access point into the
network. When I remembered that Novell had acquired Unix Systems
Laboratories from AT&T, I went after the source code for UnixWare, which
I years earlier found on servers in New Jersey. Earlier I had compromised
AT&T to get access to the SCCS (Switching Control Center System) source
code and briefly got into AT&T’s Unix Development Group in Cherry Hill,
New Jersey. Now I felt like it was déjà vu because the hostnames of the
development systems were still the
same
. I archived and compressed the
latest source code and moved it to a system in Provo, Utah, then over the
weekend transferred the huge archive to my electronic storage locker at
Colorado Supernet. I couldn’t believe how much disk space I was using,
and often needed to search for additional dormant accounts to hide all my
stuff.
On one occasion, I had a strange feeling after I dialed in to the 3Com
terminal server, as if someone were standing behind me and watching
everything I typed. Some sixth sense, some instinct, told me the Novell
system administrators were looking over my shoulder.
I typed:
Hey, I know you are watching me, but you’ll never catch me!
(I talked with Novell’s Shawn Nunley a while back. He told me they
actually
Do'stlaringiz bilan baham: |
