Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker

The 
copyright
notice?
Sure—that gave me the name of the company that had developed the
product. But from there, I hit a snag. The company had gone out of
business.
The LexisNexis database maintains massive online files of old
newspaper and magazine articles, legal records, and corporate material. As
you might guess, the fact that a company has gone out of business doesn’t
mean that LexisNexis has deleted the files about it. I found the names of
some individuals who had worked for the company that had developed
SAS, including one of its officers. The company had been based in
Northern California. I did a telephone directory search in that area and came
up with the officer’s phone number.
He was home when I called. I told him I was with Pacific Bell
Engineering, that we wanted to make some customized improvements to
our “SAS infrastructure,” and that I needed to talk to someone who knew
the technology. He wasn’t the least bit suspicious. He said it would take him
a couple of minutes, then came back on the phone and gave me the name
and phone number of the guy who had been the lead engineer in charge of
the product development team.
One more thing to do before placing the crucial phone call. At that time,
Pacific Bell internal phone numbers began with the prefix 811; anybody
who had done business with the company might know that. I hacked into a
Pacific Bell switch and set up an unused 811 number, then added call
forwarding and forwarded it to the cloned cell phone number I was using
that day.
The name I gave when I called the developer was one I still remember:
Marnix van Ammers, the name of a real Pacific Bell switching engineer. I
gave him the same story about needing to do some integration with our SAS
units. “I’ve got the user’s manual,” I told him, “but it doesn’t help for what
we’re trying to do. We need the actual protocols that are used between the
SAS equipment in our testing centers and the central offices.”
I had dropped the name of an executive at his old company and was
using the name of a real Pacific Bell engineer. And I didn’t sound nervous; I
wasn’t stumbling over my words. Nothing about my call set off alarm bells.
He said, “I might still have the files on my computer. Hang on.”
After a couple of minutes, he came back on the line. “Okay, I found
them. Where do you want me to send them?”

I was too impatient for that. “I’m under the gun here,” I said. “Can you
fax them?” He said there was too much material for him to fax the whole
thing, but he could send a fax with the pages he thought would be most
useful, and then mail or FedEx me a floppy with the complete files. For the
fax, I gave him a phone number I knew by heart. It wasn’t to a fax machine
at Pacific Bell, of course, but it was in the same area code. It was the fax
number for a convenient Kinko’s. This was always a little risky because
many machines, when they’re sending a fax, display the name of the
machine they’re connecting to. I always worried someone would notice the
tag saying “Kinko’s store #267” or whatever: dead giveaway. But as far as I
can recall, no one ever did.
The FedEx was almost as easy. I gave the engineer the address of those
places where you could rent a mailbox and have packages held for you, and
I spelled out the name of the Pacific Bell employee I was claiming to be,
Marnix van Ammers. I thanked him, and we chatted for a bit. Chatting is
the kind of extra little friendly touch that leaves people with a good feeling
and makes after-the-fact suspicions that much less likely.
Even though I had been practicing the art of social engineering for years,
I couldn’t help but be amazed and a little dazzled by how easy this had
been. One of those moments when you feel that runner’s high, or as if you’d
won a jackpot in Vegas—the endorphins are rushing through your body.
That same afternoon, I drove to the mailbox rental store to set up a box
in Van Ammers’s name. They always require ID for this. No problem. I
explained, “I’ve just moved here from Utah, and my wallet was stolen. I
need an address where they can mail me a copy of my birth certificate so I
can get a driver’s license. I’ll show you the ID as soon as I get it.” Yes, they
were violating postal regulations by renting me a box without seeing my ID,
but these places are always eager for new business; they don’t really want
to turn anybody away. A decent explanation is often all it takes.
By that evening, I had the fax in my hands—the basic information that I
hoped would allow me to wiretap any Pacific Bell phone in all of Southern
California. But we still had to figure out how to use the SAS protocols.
Lewis and I attacked the puzzle of trying to figure out how SAS worked
from a number of different angles. The system gave a technician the ability
to connect to any phone line, so he could run tests to find out why a

customer was hearing noise on his line or whatever the problem was. The
tech would instruct SAS to dial in to the particular CO that handled the
telephone line to be tested. It would initiate a call to a part of the SAS
infrastructure at the CO known as a “remote access test point,” or RATP.
That was the first step. In order to hear audio on the line—voices, noise,
static, or whatever—the tech would then have to establish an audio
connection to the SAS unit in the CO. These units were designed with a
clever security provision: they had a list of phone numbers preprogrammed
into their memories. The technician would have to send a command to the
SAS unit to dial back to one of the preprogrammed numbers—the phone
number at the location where he was working.
How could we possibly bypass such a clever, apparently infallible
security measure?
Well, it turned out not to be all that hard. You’d have to be a phone
company technician or a phone phreaker to understand why this worked,
but here’s what I did. I dialed from my telephone into the phone line I knew
SAS would use to make its outgoing call, then immediately triggered SAS
to call back an authorized number programmed into its memory.
When SAS picked up the line to make an outgoing call, it actually
answered the incoming call from my phone. But it was waiting for a dial
tone and couldn’t get one because I had the line tied up.
I went 

Download 2,97 Mb.

Do'stlaringiz bilan baham: