THIRTY-TWO
Sleepless in Seattle
Caem alw Ymek Xptq’d tnwlchvw xz lrv lkkzxv?
If the Feds had a problem with my hacking, would they also have a
problem if I was hacking another hacker?
A guy named Mark Lottor, who was under indictment and awaiting trial
as one of Kevin Poulsen’s coconspirators, had a company called Network
Wizards, marketing what he called a “Cellular Telephone Experimenter’s
Kit.” It had been designed for enabling hackers, phone phreaks, and
fraudsters to control the OKI 900 and OKI 1150 cell phones from their
personal computers. Some people were convinced that Lottor had the
source code for the OKI 900; others thought he might have reverse-
engineered the firmware to develop his kit. I wanted to get a copy of
whatever he had—source code or reverse-engineering details.
Through my research, I found the name of Mark’s girlfriend: Lile Elam.
And whadda ya know? She worked at Sun! Perfect, couldn’t be better. I still
had access to Sun’s internal network through some of the systems I had
hacked into in Canada, and by that route it didn’t take me long to hack into
Lile’s workstation at Sun. Setting up a “sniffer”—a program that would
capture all her network traffic—I waited patiently for her to connect to
either Mark’s system or her own home system. Finally I hit pay dirt:
PATH: Sun.COM(2600) => art.net(telnet)
STAT: Thu Oct 6 12:08:45, 120 pkts, 89 bytes [IDLE TIMEOUT]
DATA:
lile
m00n$@earth
The last two lines are her log-in name, followed by her password,
allowing me to log in to her account on her server at home and, using an
unpatched local exploit, gain root privileges.
I set up another sniffer on her home system, “art.net,” and after a few
more days, she logged in to Mark’s system, giving me her log-in and
password for getting into his server. I waited until the very early hours of
the morning, logged in, and got root by exploiting the same security flaw I
had used to get into her workstation.
I immediately searched Mark’s file system for “*oki*” (an asterisk is a
wild card that in this case means “look for any filenames that have the
character string ‘oki’ in them”). An examination of the files turned up by
this search revealed that Mark didn’t have the source code for the OKI 900
but was indeed reverse-engineering it—and that he was getting help from
another hacker.
And who was helping Lottor with this project? Surprise: of all people, it
was Tsutomu Shimomura, that computer security expert with a big
reputation and a bigger ego, who worked at the San Diego Supercomputer
Center. Odd: at the time, Lottor was under Federal indictment in the Kevin
Poulsen case, and yet here he was, getting help from a computer security
expert who did contract work for the government. What was that about?
I had encountered Shimomura once before, something he never found
out. The previous year, in September 1993, after getting into Sun’s network,
I had discovered that he had been finding and reporting security bugs he
uncovered in SunOS, one of Sun’s flagship operating systems. I wanted the
information, so I targeted his server. By hacking into a host called “euler” at
the University of California, San Diego (UCSD), I was able to get root and
install a network sniffer.
The stars must have been lined up in my favor. Within several hours, I
intercepted a user, “david,” logging into “ariel,” one of Shimomura’s
servers. By capturing david’s password using my network wiretap, I
accessed Shimomura’s system and was into it for several days before I was
noticed and booted off. Shimomura eventually realized that david had been
hacked, and tried tracking me but hit a dead end. In hindsight, he was
probably monitoring his own network traffic and saw what was going on.
Before getting booted, I was able to grab a lot of files. Most of the
interesting stuff had eluded me, but I knew I would return at some point.
Now my interest in doing that had been stirred up, thanks to Lottor.
As I was probing Lottor’s system, I discovered a file that listed the
instructions for changing an ESN from the keypad of an OKI phone.
to set the esn, enter debug mode.
the command is #49 NN SSSSSSSS
NN is 01 or 02
SSSSSSSS is new ESN# in hex
set security code to 000000 for easier access!
It appeared that Lottor and Shimomura had reverse-engineered and built
a special version of the firmware that allowed the phone user to easily
change the ESN from the keypad. There could be only one purpose for
doing this: to clone to another cell phone number. I had to smile and shake
my head. Here was an even bigger puzzle: Why would the federally
indicted hacker and the security expert want to clone cell phones? It was
something I never did figure out.
In any case, I had come up empty-handed on my real objective: finding
source code from the manufacturer, OKI. In looking through Lottor’s files, I
discovered that Shimomura had written an 8051 “disassembler” program
that Lottor was using for reverse-engineering the firmware. I also read
numerous emails between Lottor and Shimomura discussing their OKI
reverse-engineering project. In one interesting email, Lottor sent
Shimomura a console application named “modesn.exe.”
OKI ESN Modifier. Copyright (C) 1994 Network Wizards.
The name said it all: the program was designed to modify the ESN on
the OKI cell phone. Very interesting. Again, I could think of only one
potential purpose: fraud.
I archived and compressed all the files related to cell phones, including
his email communications with Shimomura. But the process took too long.
During the file transfer, my connection was suddenly dropped. Lottor must
have come home and noticed that something was going on. Apparently he
had pulled the network cable, stopping the transfer. Damn! And then he
took his machine off the Internet.
His server was back online the next day, after he had changed all the
server passwords. Undiscouraged, I looked for another way in and found he
was supporting some servers at “pagesat.com,” a high-speed news service.
It took less than a day to get root and install a sniffer.
I kept watching the sniffer. Within hours, Mark logged in to pagesat, and
from there connected to his own server and logged in. My sniffer grabbed
his log-in credentials.
I was stoked. Waiting anxiously until 6:00 a.m., when I figured he was
likely to be fast asleep, I connected to his server and got in once again.
Incredible: the file I had attempted to transfer the day before was