every sixty seconds, seemingly making it impossible for an intruder to guess it. Anytime a remote user needs to dial in to Motorola’s campus, he or she has to enter a PIN followed by the passcode displayed on their SecurID device.

I called the Network Operations Center and reached a guy I’ll call Ed Walsh. “Hi,” I said. “This is Earl Roberts, with the Cellular Subscriber Group”—giving the name and group of a real employee.

Ed asked how things were going, and I said, “Well, not so great. I can’t get into the office because of the snowstorm. And the problem is, I need to access my workstation from home, but I left my SecurID in my desk. Can you go grab it for me? Or can somebody? And then read off my code when I need to get in? Because my team has a critical deadline, and I can’t get my work done. And there’s no way I can get to the office, the roads are much too dangerous.”

He said, “I can’t leave the NOC.”

I jumped right in: “Do you have a SecurID for the Operations Group?”

“There’s one here in the NOC,” he said. “We keep one for the operators in case of an emergency.”

“Listen,” I said, “can you do me a big favor? When I need to dial into the network, can you read me the code from your SecurID? Just until it’s safe for me to drive in.”

“Who are you again?” he asked.

“Earl Roberts.”

“Who do you work for?”

“For Pam Dillard.”

“Oh, yeah, I know her.”
When he’s liable to be faced with tough sledding, a good social engineer does more than the usual amount of research. “I’m on the second floor,” I went on. “Next to Steve Littig.”

He knew that name as well. Now I went back to work on him. “It’d be much easier just to go to my desk and grab my SecurID for me.”

Walsh didn’t want to say no to a guy who needed some help, but he didn’t want to say yes, either. So he sidestepped the decision: “I’ll have to ask my boss. Hang on.” He put the phone down, and I could hear him pick up another phone, put in the call, and explain the request. Walsh then did something inexplicable: he told his boss, “I know him. He works for Pam Dillard. Can we let him temporarily use our SecurID? We’d tell him the code over the phone.”

He was actually vouching for me—amazing!

After another couple of moments, Walsh came back on the line and said, “My manager wants to talk to you himself,” and gave me the guy’s name and cell phone number.

I called Ed’s manager and went through the whole story one more time, adding a few details about the project I was working on and emphasizing that my product team had to meet a mission-critical deadline. “It’d be a whole lot easier if someone just went and got my SecurID,” I said. “My desk isn’t locked, and it should be there in my upper left-hand drawer.”

“Well,” said the manager, “just for the weekend, I think we can let you use the one in the NOC. I’ll tell the guys on duty that when you call, it’s okay to read off the passcode,” and he gave me the PIN to use with it.

For the whole weekend, every time I wanted to dial in to Motorola’s internal network, all I had to do was call the Network Operations Center and ask whoever answered to read off the six digits displayed on the SecurID.

But I wasn’t home free yet. When I dialed in to Motorola’s dial-up terminal server, the systems I was trying to reach, in the Cellular Subscriber Group, weren’t available. I’d have to find some other way in.
The next step took chutzpah: I called back Walsh in the Network Operations Center. I complained, “None of our systems are reachable from the dial-up terminal server, so I can’t connect. Could you set me up with an account on one of the computers in the NOC so I can connect to my workstation?”

Ed’s manager had already said it was okay to give me the passcode displayed on the SecurID, so this new request didn’t seem unreasonable. Walsh temporarily changed the password on his own account on one of the NOC’s computers and gave me the information to log in, then said, “Call me when you don’t need it anymore so I can change my password back.”

I tried to connect to any one of the systems in the Cellular Subscriber Group, but I kept being blocked; apparently they were all firewalled. By probing around Motorola’s network, I finally found one system with the “guest” account enabled—meaning that the gates had been left open, and I could log in. (I got a surprise when I identified this system as a NeXT workstation, produced by the short-lived company Steve Jobs founded before he returned to Apple.) I downloaded the password file and cracked the password of somebody who had access to that machine, a guy named Steve Urbanski. It didn’t take my password cracker long: the username he used to access the NeXT computer was “steveu,” and he had chosen “mary” as his password.

I immediately tried to log in to the “lc16” host in the Cellular Subscriber Group from the NeXT workstation, but the password didn’t work. Huge bummer!

Fine. The information about Urbanski’s credentials would come in handy later. What I needed, though, was not his NeXT account but the password for his account on the Cellular Subscriber Group’s servers, which held the source code I wanted.

I tracked down Urbanski’s home phone number and called him. Claiming to be from “the NOC,” I announced, “We’ve suffered a major hard disk failure. Do you have any files you need to recover?”

Duh! He did!

“Well, we can do that on Thursday,” I told him. Thursday meant he would be without his work files for three days. I held the phone away from my ear as I got the expected explosion.

“Yeah, I can understand,” I said sympathetically. “I guess I can make an exception and put you ahead of everybody else if you’ll keep it to yourself. We’re setting up the server on a brand-new machine, and I’ll need to re-create your user account on the new system. Your username is ‘steveu,’ right?”

“Yes,” he said.
“Okay, Steve, choose a new password you’d like.” Then, as if I’d just had a better idea, I went on, “Oh, never mind, just tell me what your current password is, and I’ll set it to that.”

That naturally made him suspicious. “Who are you again?” he wanted to know. “Who did you say you worked for?”

I repeated what I had told him, calmly, taking it as an everyday thing.

I asked if he had a SecurID. Just as I expected, the answer was yes, so I said, “Let me pull your SecurID application.” This was a gamble. I knew he had probably filled out the form ages before and probably wouldn’t remember whether it had asked for a password. And since I already knew that one of the passwords he used was “mary,” I figured that would sound familiar to him, and he might think he had used it on the SecurID form.

I walked away, opened a drawer, shoved it closed again, came back to the phone, and started shuffling papers.

“Okay, here it is… you used the password ‘mary.’ ”

“Yeah, right,” he said, satisfied. After a slight hesitation, he blurted out, “Okay, my password is ‘bebop1.’ ”

Hook, line, and sinker.

I immediately connected to the server that Alisa had told me about, lc16, and logged on with “steveu” and “bebop1.” I was in!

It didn’t take much hunting to find several versions of the MicroTAC Ultra Lite source code; I archived and compressed them with tar and gzip, and transferred them to Colorado Supernet. Then I took the time to delete Alisa’s history file, which showed the trail of what I had asked her to do. Always a good idea to cover up your tracks.

I spent the rest of the weekend poking around. On Monday morning I stopped calling the NOC for the SecurID passcode. It had been a great run, and there was no sense tempting fate.

I think I had a smile on my face the whole time. Once again I couldn’t believe how easy it was, with no roadblocks being thrown up in front of me. I felt a great sense of accomplishment and the kind of satisfaction I had known as a kid in Little League when I hit a home run.

But later that day, I realized, Damn! I had never thought to grab the compiler—the program that translates the source code written by a programmer into “machine-readable” code, the ones and zeros that a computer, or the processor in a cell phone, can understand.

So that became my next challenge. Did Motorola develop their own compiler for the 68HC11 processor used in the MicroTAC, or did they purchase it from another software vendor? And how was I going to get it?
In late October, my regular scanning of Westlaw and LexisNexis yielded an article about Justin Petersen’s most recent adventure. Sometimes the FBI will look the other way when a confidential informant doesn’t live by the book, but there are limits. It turned out that Kevin Poulsen’s associate Ron Austin, who’d been set up by Justin Petersen, was on a personal crusade to get even with the snitch and get his ass thrown back in jail. Austin found out where Justin was living—at the same Laurel Canyon Boulevard address that McGuire’s cell phone records had led me to. Justin was careless: he didn’t shred his notes before throwing them in the trash. Austin went Dumpster-diving at the house and uncovered evidence that Justin was still committing credit card fraud. He informed the FBI of his discovery.

Once he had enough evidence in hand, Assistant U.S. Attorney David Schindler summoned Justin and his lawyer to a meeting at the Federal Courthouse in Los Angeles. When confronted by his FBI handlers and the prosecutor, Justin knew his days were numbered.

At one point during the meeting, Justin said he wanted to have a private conversation with his attorney. The two of them stepped out of the room. A few minutes later, the attorney came back in and sheepishly announced that his client had disappeared. The judge issued a no-bail warrant for Justin’s arrest.

So the snitch who tried to help send me to prison was now in the same boat I was. He was now walking in my shoes. Or rather, running.

I had a big smile on my face. The government’s chief hacking informant had vanished. And even if they found him again, his credibility would be worthless. The government would never be able to use him to testify against me.

Later on I would read of Justin’s attempt to rip off a bank while he was a fugitive. He had hacked into the computers of Heller Financial and obtained the codes necessary to execute a wire transfer from that bank to another bank account. He then telephoned in a bomb threat to Heller Financial. While the building was being evacuated, Petersen executed a $150,000 wire transfer from Heller Financial to Union Bank, routed through Mellon Bank. Fortunately for Heller Financial, the transfer was discovered before Petersen could withdraw the money from Union.

I was amused to hear about his getting caught, and at the same time surprised that he would have tried a wire-transfer scam. It showed that he was a real bad guy, an even bigger crook than I had imagined.