EIGHTEEN
Traffic Analysis
Khkp wg wve kyfcqmm yb hvh TBS oeidr trwh Yhb
MmCiwus wko ogvwgxar hr?
Have you ever walked down a dark street or through a shopping center
parking lot late at night when nobody else is around and had the feeling
somebody was following you or watching you?
I bet it sent chills up your spine.
That was how I felt about the mystery of the Wernle and Martinez
names. Real people, or aliases of Eric Heinz’s?
I knew I had to give up the search and not chance getting caught hacking
again… but maybe I could get just one more piece of the puzzle before I
did. The Martinez phone bill had shown me the numbers of the people he
was calling. Maybe I could get some clues by finding out who was calling
him.
I needed to do what I call a “traffic analysis.” The process begins with
looking at the call detail records (CDRs) of one person whose phone
number you’ve identified and pulling information from those records.
Whom does he call frequently? Who calls him? Does he sometimes make
or receive a series of calls in close succession to or from certain people?
Are there some people he mostly calls in the morning? In the evening? Are
calls to certain phone numbers especially long? Especially short? And so
on.
And then you do the same analysis of the people this person calls most
often.
Next you ask, whom do those people call?
You’re beginning to get the picture: this effort was humongous, a
process that was going to take up much of my spare time, hours a day. But I
needed to know. There was no way around it: this effort was essential,
regardless of the risk.
I felt my future depended on it.
I already had the last three months of Martinez’s cell phone records. For
openers, I’d have to hack into PacTel Cellular and find out where all their
real-time call detail records were located within the network, so I could
search for any PacTel customer who had been calling Eric’s pager,
voicemail, and home phone.
Wait, even better: if I was going to hack into PacTel anyway, I could
also get the customer service records for every phone number Martinez
called within their network, and I’d be able to discover who owned the
phone being called.
I didn’t know much about the company’s naming conventions for
internal systems, so I started with a call to the public customer service
phone number used by people who wanted to sign up for a calling plan.
Claiming to be from PacTel’s internal help desk, I asked, “Are you using
CBIS?” (the abbreviation used in some telcos for “Customer Billing
Information System”).
“No,” the customer service lady said. “I’m using CMB.”
“Oh, okay, thanks anyway.” I hung up, now possessing a key piece of
information that would gain me credibility. I then called the internal
Telecommunications Department, gave the name I had obtained of a
manager in Accounting, and said we had a contractor coming to work on-
site who would need a number assigned to him so he could receive
voicemail. The lady I was talking to set up a voicemail account. I dialed it
and set “3825” as a password. Then I left an outgoing voicemail message:
“This is Ralph Miller. I’m away from my desk, please leave a message.”
My next call was to the IT Department to find out who managed CMB;
it was a guy named Dave Fletchall. When I reached him, his first question
was, “What’s your callback?” I gave him the internal extension number for
my just-activated voicemail.
When I tried the “I’ll be off-site and need remote access” approach, he
said, “I can give you the dial-in, but for security reasons, we’re not allowed
to give passwords over the telephone. Where’s your desk?”
I said, “I’m going to be out of the office today. Can you just seal it in an
envelope and leave it with Mimi?”—dropping the name of a secretary in the
same department, which I had uncovered as part of my information
reconnaissance.
He didn’t see any problem with that.
“Can you do me a favor?” I said. “I’m on my way into a meeting, would
you call my phone and leave the dial-up number?”
He didn’t see a problem with that, either.
Later that afternoon I called Mimi, said I was stuck in Dallas, and asked
her to open the envelope Dave Fletchall had left and read the information to
me, which she did. I told her to toss the note in the trash since I no longer
needed it.
My endorphins were running and my fingers were flying. This was exciting
stuff.
But it was always in the back of my mind that the people I was social-
engineering might catch on partway through and feed me bogus
information, hoping to catch me.
This time, no worries. As usual, it worked.
Oh, well—not entirely. I got to the CMB system, which handily turned
out to be a VAX running my favorite operating system, VMS. But I wasn’t
really a PacTel Cellular employee, so I didn’t have a legitimate account on
the machine.
In a call to the Accounting Department, I posed as an IT staffer and
asked to speak to someone who was currently logged in to CMB.
Melanie came on the line. I told her I worked with Dave Fletchall in IT
and said we were troubleshooting a problem with CMB—did she have a
few minutes to work with me?
Sure.
I asked her, “Have you changed your password lately? Because we’ve
just done an upgrade to the software for changing passwords, and we want
to make sure it’s working.”
No, she hadn’t changed her password lately.
“Melanie, what’s your email address?” At PacTel Cellular, an
employee’s email address was also his or her username, and I was going to
need her username to log in to the system.
I asked her to close all her open applications, log out of the system, and
then log back in, so I could determine whether she could access the
operating system command line interface. Once I confirmed she could, I
asked her, “Please type ‘set password.’ ”
She would then be looking at a prompt reading “Old password.”
“Type your old password, but don’t tell me what it is,” and I gave her a
gentle lecture about never telling anyone her password.
At that point she would be looking at the “New password” prompt.
By now I was dialed in and standing by.
“Now enter ‘pactel1234,’ and when you get the next prompt, enter that
password again. And hit Enter.”
The instant I heard her finish typing, I logged in with her username and
the “pactel1234” password.
Now for multitasking in split-brain mode. I was feverishly typing away,
entering a fifteen-line program that would exploit an unpatched VMS
vulnerability, then compile and run it, setting myself up with a new account,
and providing the account with full system privileges.
Meanwhile, through all of this, I was simultaneously feeding
instructions to Melanie. “Now please log off your account…. Now log in
again with the new password…. You got in okay? Great. Now open all the
applications you were using before and check to make sure they’re working
the way they should…. They are? Fine.” And I walked her through the “set
password” process again, once more cautioning her not to tell me or anyone
else the new password she was setting up.
I had now gained full access to PacTel’s VMS cluster, which meant I
could access customer account information, billing records, electronic serial
numbers, and much more. This was a major coup. I told her how much I
appreciated her help.
It wasn’t as if I was home free now. I spent the next couple of days finding
out where the CDRs were stored and maneuvering for access to the
customer service applications, so I’d be able to probe at leisure to find the
name, the address, and all sorts of other information on every phone
account.
The CDRs were on a huge disk, storing near real-time data on every call
to and from customers in the LA market for the previous thirty days or so—
a bunch of very large files. I could search right on the system, though every
search took me something like ten to fifteen minutes.
Since I already had Eric’s pager number, that was my entry point. Had
anyone on PacTel called Eric’s pager, 213 701-6852? Of the half dozen or
so calls I found, two jumped out at me. Here are the listings, exactly as they
appeared on the PacTel records:
2135077782 0 920305 0028 15 2137016852 LOS ANGELE CA
2135006418 0 920304 1953 19 2137016852 LOS ANGELE CA
The “213” numbers at the beginning of each line are the calling
numbers. The number groups starting with “92” indicate the year, date, and
time—so the first call was made on March 5, 1992, at twenty-eight minutes
past midnight.
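The search procedure the chapter lays out earlier (whom a number calls most and who calls it, series of calls in close succession, morning versus evening contacts, unusually long or short calls, then the same analysis for the people that number calls most often) run over records in the layout quoted above, as an added Python example; this is not code from the book, from PacTel, or from the CMB system. It assumes the field order of the two quoted lines (calling number, a one-digit flag, YYMMDD, HHMM, a numeric field, called number, city, state); the page does not explain the flag or the numeric field, so the numeric field is treated here as a call duration in unspecified units. The sample records are constructed, with fictitious 555 numbers, and the five-minute "burst" window is an assumed threshold.

```python
"""Traffic analysis over call detail records (CDRs) in the quoted layout.

Added example, not code from the book or from PacTel. Field layout follows
the two lines quoted in the chapter; the flag and the numeric field after
the time are unexplained there, so the numeric field is ASSUMED to be a
duration (units unknown). All sample numbers below are constructed.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample records (fictitious 555 numbers), same layout as the page.
SAMPLE_CDRS = """\
2135550100 0 920304 0815 45 2135550200 LOS ANGELE CA
2135550100 0 920304 0817 12 2135550300 LOS ANGELE CA
2135550100 0 920304 0819 30 2135550300 LOS ANGELE CA
2135550200 0 920304 1230 600 2135550100 LOS ANGELE CA
2135550100 0 920304 2105 20 2135550200 LOS ANGELE CA
2135550300 0 920304 2110 15 2135550100 LOS ANGELE CA
2135550100 0 920305 0028 15 2135550400 LOS ANGELE CA
2135550200 0 920305 0930 90 2135550500 LOS ANGELE CA
2135550200 0 920305 1830 25 2135550500 LOS ANGELE CA
2135550300 0 920305 1900 10 2135550500 LOS ANGELE CA
"""


@dataclass(frozen=True)
class Cdr:
    caller: str
    callee: str
    when: datetime
    dur: int      # assumed duration field; units not given on the page
    place: str


def parse_cdr(line):
    """Split one record: caller, flag, YYMMDD, HHMM, numeric field, callee, place."""
    parts = line.split()
    caller, _flag, ymd, hm, dur, callee = parts[:6]
    when = datetime.strptime(ymd + hm, "%y%m%d%H%M")   # "920305" "0028" -> 1992-03-05 00:28
    return Cdr(caller, callee, when, int(dur), " ".join(parts[6:]))


def load_cdrs(text):
    return [parse_cdr(line) for line in text.splitlines() if line.strip()]


def time_bucket(hour):
    if 5 <= hour < 12:
        return "morning"
    if 12 <= hour < 18:
        return "afternoon"
    if 18 <= hour < 23:
        return "evening"
    return "night"


def profile(cdrs, number, burst_window=timedelta(minutes=5)):
    """Answer the chapter's questions for one subscriber number."""
    calls = sorted((c for c in cdrs if number in (c.caller, c.callee)), key=lambda c: c.when)
    out = [c for c in calls if c.caller == number]
    inc = [c for c in calls if c.callee == number]
    callees = Counter(c.callee for c in out)          # whom does he call, how often
    callers = Counter(c.caller for c in inc)          # who calls him
    tod = defaultdict(Counter)                        # counterparty -> time-of-day histogram
    by_other = defaultdict(list)                      # counterparty -> call times, in order
    for c in calls:
        other = c.callee if c.caller == number else c.caller
        tod[other][time_bucket(c.when.hour)] += 1
        by_other[other].append(c.when)
    # A burst is a run of calls with the same counterparty, each within
    # burst_window of the previous one (assumed threshold).
    bursts = []
    for other, times in by_other.items():
        run = 1
        for prev, cur in zip(times, times[1:]):
            if cur - prev <= burst_window:
                run += 1
            else:
                if run >= 2:
                    bursts.append((other, run))
                run = 1
        if run >= 2:
            bursts.append((other, run))
    by_dur = sorted(calls, key=lambda c: c.dur)
    return {
        "callees": callees,
        "callers": callers,
        "tod": dict(tod),
        "bursts": bursts,
        "longest": by_dur[-1] if by_dur else None,
        "shortest": by_dur[0] if by_dur else None,
    }


def expand(cdrs, seed, top=2, depth=2):
    """Hop outward: the seed, the `top` numbers it calls most, then theirs.
    Returns {number: hop distance from seed}."""
    hops, frontier = {}, [seed]
    for level in range(depth + 1):
        nxt = []
        for n in frontier:
            if n in hops:
                continue
            hops[n] = level
            nxt.extend(k for k, _ in profile(cdrs, n)["callees"].most_common(top))
        frontier = nxt
    return hops


if __name__ == "__main__":
    data = load_cdrs(SAMPLE_CDRS)
    p = profile(data, "2135550100")
    print("calls most:", p["callees"].most_common(3))
    print("called by:", p["callers"])
    print("bursts:", p["bursts"])
    print("hops from seed:", expand(data, "2135550100"))
```

The second-hop expansion is the costly part the chapter warns about: each `profile` call rescans the whole record set, which is exactly why the searches over the real thirty-day files took the author ten to fifteen minutes apiece. On a real CDR set you would index by caller and callee once rather than rescanning per number.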
The first calling number was one I recognized: it was the phone number
on Eric’s rental application, which I already knew was listed in the name of
one Mike Martinez. Once again, this was a huge red flag. I had thought
“Martinez” was just a phony name for Eric, or “Eric” was a phony name for
Martinez, but now that didn’t make sense, because Martinez wouldn’t be
calling his own pager number.
So whom else had Martinez called, and who had called him?
I ran a search on PacTel’s CDRs to find out. It wasn’t any revelation that
he was calling the FBI, since I had stumbled on that information after I got
his phone number from Eric’s rental application. Quite a few of his calls
were to and from other cell phones provisioned by PacTel; on my notepad, I
jotted down the numbers. Then I started examining the phone records for
each of those accounts.
All of the numbers on my list belonged to people who were in frequent
contact with one another, as well as with the FBI’s Los Angeles office and
other law enforcement agencies.
Oh, shit. I knew too many of these phone numbers. The office number
and cell phone of Pacific Bell Security’s Terry Atchley. A manager of
Pacific Bell Security based in Northern California, John Venn. Also Eric’s
pager, voicemail, and home phone numbers. And the numbers of various
FBI agents (their direct phone numbers all began with the same area code,
exchange, and first extension digit: 310 996-3XXX). This last group made
it pretty certain that Martinez was an agent himself, and helped me put
together a list of the other agents probably on the same team.
The other call to Eric’s pager that jumped out at me had come from 213
500-6418. My search of that phone number proved to be a goldmine. There
were quite a few short calls in the evenings to a single, internal FBI phone
number. Likely explanation? The guy was checking his voicemail.
I dialed the number.
“This is Ken McGuire, please leave a message.”