Username     Process Name      PID       Terminal
CONBOY       CONBOY            0000C261  NTY3:   (conboy.uk.tele.nokia.fi)
EBSWORTH     EBSWORTH          0000A419  NTY6:   (ebsworth.uk.tele.nokia.fi)
FIELDING     JOHN FIELDING     0000C128  NTY8:   (dylan.uk.tele.nokia.fi)
LOVE         PETER LOVE        0000C7D4  NTY2:   ([131.228.133.203])
OGILVIE      DAVID OGILVIE     0000C232  NVA10:  (PSS.23420300326500)
PELKONEN     HEIKKI PELKONEN   0000C160  NTY1:   (scooby.uk.tele.nokia.fi)
TUXWORTH     TUXWORTH          0000B52E  NTY12:  ([131.228.133.85])
Sarah wasn’t logged in. Great: that meant she wasn’t paying much
attention to what I was doing on the system.
Next I installed my modified Chaos Computer Club patch to the VMS
Loginout program, which allowed me to log in to anyone’s account with a
special password, first checking Sarah’s account to see if she might have
access to the Mobira in Salo. I ran a simple test and realized that I had
access to her account over a networking protocol called DECNET and
didn’t even need her password: Mobira was configured to trust the VMS
system in the UK. I could simply upload a script to run my commands
under Sarah’s account.
I was going to get in! I was ecstatic.
I used a security bug to get full system privileges and then created my
own fully privileged account—all in about five minutes. Within about an
hour, I was able to find a script that allowed me to extract the source code
for any Nokia handset currently under development. I transferred source
code for several different firmware releases for the Nokia 101 and Nokia
121 phones to Colorado Supernet. Afterward, I decided to see how security
aware the administrators were. It turned out they had security auditing
enabled for events such as creating accounts and adding privileges to
existing accounts. It was just another speed bump on my way to getting the
code.
I uploaded a small VAX Macro program that fooled the operating
system and allowed me to disable all the security alarms, without detection,
just long enough to change passwords and add privileges on a few dormant
accounts—probably belonging to terminated employees—in case I needed
to get back in.
Apparently, though, one of the system admins noticed alerts that were
triggered when I initially created an account for myself, before I had
disabled the alarms. So the next time I tried to get into the Camberley VMS
system, I found myself locked out. I called Sarah to see if I could learn
anything about this. She told me, “Hannu disabled remote access ’cause
there’s some hackering going on.”
“Hackering”—was that what the Brits called it?
Shifting gears, I decided to target getting a copy of the source code for a
product referred to internally as “HD760”: the first Nokia digital phone that
was currently under development. Reaching the lead developer, Markku, in
Oulu, Finland, I convinced him to extract and compress the latest source
code version for me.
I wanted him to transfer it via an FTP connection to a server in the
United States, but Nokia had just blocked outbound file transfers because of
the Mobira security breach.
How about loading it onto a tape? Markku didn’t have a tape drive. I
started calling around to other people in Oulu, looking for a drive.
Eventually I located a guy in IT who was very friendly, had a good sense of
humor, and even more important, had a tape drive. I had Markku send him
an archived file containing the code I wanted, and then talked to him about
shipping the tape, once the code had been copied onto it, to the Nokia USA
office in Largo, Florida. This took a good deal of arranging, but I finally got
it put together.
Around the time I knew the package should be arriving, I began calling the
mail room at Largo to see if it had gotten there yet. During the last of my
several calls, I was put on hold for a long time. When the lady came back
on the line, she apologized and said that because the department was
moving offices, she would have to “look harder” for my package. Yeah,
right: my gut instinct was that they were onto me.
A few days later, I enlisted the help of Lewis De Payne, who was also
excited about the idea of getting the source code for this hot new phone. He
did a little research and learned that the president of Nokia USA was a guy
named Kari-Pekka (“K-P”) Wilska. For some lamebrained reason, Lewis
decided to pose as Wilska, a Finnish national, and called the Largo office in
that guise to request that the package be reshipped.
We would find out much later that FBI agents had been alerted and had
gone to the Largo offices, where they were set up to record the next call
either one of us made.
Lewis called, again as Wilska. He confirmed that the package had
arrived and asked that it be shipped to a Ramada Inn near his office. I called
the hotel to make a reservation for Wilska, knowing that the front desk
would hold a package addressed to a guest who was booked to arrive.
The next afternoon, I called the hotel to make sure the package was
ready for pickup. The lady I spoke to sounded uncomfortable and put me on
hold but then came back on the line to say that yes, the package was there. I
asked her to tell me how big it was. She said, “They have it at the bell desk,
I’ll go find out.”
She put me on hold again and was gone for a long time. I became antsy,
then a little panicky. This was a huge red flag.
Finally she came back on the line and described the size of the package,
which did sound about right for a computer tape.
But by now I was feeling really uneasy. Did the bell desk really have it,
or was this a setup, a trap? I asked, “Was it delivered by FedEx or UPS?”
She said she’d find out and again put me on hold. Three minutes. Five.
Something like eight minutes passed before I heard her voice again, telling
me, “FedEx.”
“Fine,” I said. “Do you have the package in front of you?”
“Yes.”
“Okay, please read me the tracking number.”
Instead, she put me on hold yet again.
I didn’t need to be a rocket scientist to figure out that something was
seriously wrong.
I fretted for half an hour, wondering what to do. The only sensible option,
of course, would be to just walk away and forget the whole thing. But I had
gone to so much trouble to get that source code, I really wanted it.
“Sensible” didn’t seem to enter into the equation.
After half an hour, I called the hotel again and asked to speak to the
manager on duty.
When he came on the line, I said, “This is Special Agent Wilson with
the FBI. Are you familiar with the situation on your premises?” I was half
expecting him to reply that he didn’t know what I was talking about.
Instead he answered, “Of course I am! The police have the whole place
under surveillance!”
His words hit me like a ton of bricks.
He told me that one of the officers had just come into his office, and I
should speak with him.
The officer came on the line. In an authoritative voice, I asked for his
name. He told me.
I said I was Special Agent Jim Wilson with the White Collar Crime
Squad. “What’s happening down there?” I asked.
The cop said, “Our guy hasn’t shown up yet.”
I said, “Okay, thanks for the update,” and hung up.
Way too close for comfort.
I called Lewis. He was just walking out the door to go and pick up the
package. I practically yelled into the phone, “Wait! It’s a trap.”
But I couldn’t leave it there. I called a different hotel and made a
reservation for K-P Wilska, then phoned back the lady at the Ramada Inn
and told her, “I need to have you reship the package to another hotel. My
plans have changed, and I’m staying there tonight so I can make an early-
morning meeting tomorrow.” I gave her the name and address of the new
hotel.
I figured I might as well let the Feds chase another red herring for a
while.
When I saw an ad for NEC’s newest cell phone, I didn’t care too much
about the phone itself; I just knew I had to have the source code. It didn’t
matter that I had already grabbed source code for several other hot cell
phones: this was going to be my next trophy.
I knew that NEC, a subsidiary of NEC Electronics, had an account on
the Internet service provider called Netcom. This ISP had become one of
my principal routes for accessing the Internet, in part because it
conveniently offered dial-up numbers in nearly every major city.
A call to NEC’s U.S. headquarters in Irving, Texas, provided the
information that the company developed all its cellular phone software in
Fukuoka, Japan. A couple of calls to NEC Fukuoka led me to their Mobile
Radio Division, where a telephone receptionist found someone who spoke
English to translate for me. That’s always an advantage, because the
translator lends authenticity: she’s right there in the same building, speaking
the same language as your target. The person at the end of the chain tends to
assume you’ve already been vetted. And in this case, it also helped that the
level of trust is so high in the Japanese culture.
The translator found a guy to help me who she said was one of the
group’s lead software engineers. I told her to tell him, “This is the Mobile
Radio Division in Irving, Texas. We have a crisis here. We’ve had a
catastrophic disk failure and lost our most recent versions of source code
for several mobile handsets.”
His answer came back, “Why can’t you get it on mrdbolt?”
Hmmm. What was that?
I tried, “We can’t get onto that server because of the crash.” It passed the
test—“mrdbolt” was obviously the name of the server used by this software
group.
I asked the engineer to FTP it to the NEC Electronics account on
Netcom. But I got push back because that would mean sending this
sensitive data to a system outside the company.
Now what? To buy some time, I told the translator that I had to take
another incoming call and would phone back in a few minutes.
My brain conjured up a work-around that seemed as if it might do the
trick: I would use as an intermediary NEC’s Transmission Division, in the
automotive sector of the company, where the staff probably didn’t deal with
much in the way of sensitive, company-confidential information and so
would be less security-conscious. And besides, I wouldn’t even be asking
for any information.
Telling the guy I reached in the Automotive Group, “We’re having
networking difficulties between NEC Japan and the network in Texas,” I
asked if he would set up a temporary account so I could FTP a file to him.
He didn’t see any problem with doing that. While I waited on the phone, he
set up the account and gave me the hostname for the NEC server, as well as
the log-in credentials.
I called Japan back and gave the information to the translator to pass
along. Now they would be transferring the source code to another NEC
facility, which got them out of their discomfort zone. It took about five
minutes for them to complete the transfer. When I called back the guy in the
Transmission Division, he confirmed that the file had arrived. Because of
the way I had set this up, he naturally assumed that I had sent it. I gave him
instructions for FTPing the file to the NEC Electronics account at Netcom.
Then I went up on Netcom and transferred the source code to one of the
servers at USC that I was using as a storage locker.
This hack was a big deal, but for me, it had been too easy. Where was the
satisfaction?
So next I set myself an even bigger challenge: to break into NEC’s
network and download the source code for all the NEC cell phones used in
the United States. And while I was at it, I might as well get set up for
England and Australia too, in case one day I decided to try living in either
of those countries, right?
Matt Ranney, at NEC in Dallas, was willing to create a dial-in account
for me, based on my story that I was visiting temporarily from the NEC
facility in San Jose, California, and needed local connectivity—though first
I had to convince his boss as well. Once I was logged in, it was easy to get
root using one of the exploits I had found in my earlier hack into Sun.
Adding a backdoor to the log-in program, I gave myself a secret password
—“.hackman.”—that allowed me to log in to anyone’s account, including
root. With another tool from my hacker’s bag of tricks, I “tweaked the
checksum,” so the backdoored version of log-in would be less likely to be
detected.
Back in those days, a system administrator would do a checksum on a
system program, such as “log-in,” to see if it had been modified. After I
compiled a new version of log-in, I modified the checksum back to its
original value, so that even though the program had been backdoored, any
check would come back as clean.
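Why a short checksum cannot vouch for a system program, as an added example that is not part of the original text. The book does not name the checksum tool, so the 16-bit System V "sum" algorithm is assumed here, and the two settings strings are constructed sample data.

```python
import hashlib

# Constructed sample data: two "files" that differ in meaning but contain
# exactly the same bytes in a different order.
ORIGINAL = b"allow_remote=0 require_password=1\n"
MODIFIED = b"allow_remote=1 require_password=0\n"

def sysv_sum(data):
    """16-bit System V style checksum (assumed tool): byte total folded to 16 bits."""
    total = sum(data) & 0xFFFFFFFF
    folded = (total & 0xFFFF) + (total >> 16)
    return (folded & 0xFFFF) + (folded >> 16)

def make_baseline(data):
    """Record both a legacy checksum and a cryptographic digest for a file."""
    return {
        "sysv_sum": sysv_sum(data),
        "sha256": hashlib.sha256(data).hexdigest(),
    }

def verify(data, baseline):
    """Report, per method, whether the current content matches the baseline."""
    current = make_baseline(data)
    return {method: current[method] == baseline[method] for method in baseline}

if __name__ == "__main__":
    baseline = make_baseline(ORIGINAL)
    print("unchanged file:", verify(ORIGINAL, baseline))
    # The additive checksum still matches the altered content; SHA-256 does not.
    print("altered file:  ", verify(MODIFIED, baseline))
```

An integrity baseline is only useful if it uses a cryptographic digest and is stored where someone with root on the monitored host cannot rewrite it.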
The Unix “finger” command gave me the names of users who were
currently logged in to mrdbolt. One was Jeff Lankford; the listing gave his
office phone number and showed that he had been typing on his keyboard
until just two minutes earlier.
I called Jeff, posing as “Rob in the IT Department,” and asked, “Is Bill
Puknat in?” giving the name of another engineer in the Mobile Radio
Division. No, Bill wasn’t in.
“Oh, damn. He called us with a trouble ticket, saying he couldn’t create
files that began with a period. Have you had any problem like that?”
No.
“Do you have a .rhosts file?”
“What’s that?”
Ahhh: music to my ears. It was like a carnival worker’s slipping a chalk
mark onto the back of someone’s jacket to let other carneys know the guy
was a patsy, or a “mark” (the origin of that meaning of the word).
“Well, okay,” I said. “Do you have a few moments to run a test with me
so I can close this trouble ticket?”
“Sure.”
I told him to type:
echo "+ +" > ~/.rhosts
Yes, a variation of the .rhosts hack. I provided him with a reasonable-
sounding explanation for each step, very nonchalantly, so he thought he
understood what was happening.
Next I asked him to type “ls -al” to get a directory listing of his files.
As his directory listing was being displayed on his workstation, I typed
rlogin lankforj@mrdbolt
which logged me into his account, “lankforj,” on the mrdbolt server.
And I was into his account without needing his password.
I asked Jeff if he saw the .rhosts file that we had just created, and he
confirmed that he did. “Great,” I said. “Now I can close the trouble ticket.
Thanks for taking the time to test it.”
And then I had him delete the file to make it appear that everything was
back to its original state.
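An audit for the wildcard trust entry used in this episode, as an added example that is not part of the original text. It scans each home directory for a .rhosts file and flags "+" wildcards and loose permissions; the account names, the directory layout and the sample files are constructed for illustration.

```python
import os
import tempfile

def check_rhosts(path):
    """Return findings for one .rhosts file (each entry is 'host [user]')."""
    findings = []
    if os.stat(path).st_mode & 0o022:
        findings.append("file is writable by group or others")
    with open(path, errors="replace") as fh:
        for n, raw in enumerate(fh, 1):
            fields = raw.split()
            if not fields or fields[0].startswith("#"):
                continue  # blank line, or comment (assumed convention)
            host = fields[0]
            user = fields[1] if len(fields) > 1 else None
            if host == "+":
                findings.append(f"line {n}: '+' host wildcard trusts every remote host")
            if user == "+":
                findings.append(f"line {n}: '+' user wildcard trusts every remote user")
    return findings

def scan_homes(home_root):
    """Map each account under home_root to the findings in its .rhosts."""
    report = {}
    for name in sorted(os.listdir(home_root)):
        path = os.path.join(home_root, name, ".rhosts")
        if os.path.isfile(path):
            report[name] = check_rhosts(path)
    return report

def build_sample(home_root):
    """Constructed sample data: three hypothetical accounts."""
    samples = {"alice": "buildhost.example.com alice\n", "bob": "+ +\n", "carol": None}
    for name, content in samples.items():
        os.makedirs(os.path.join(home_root, name))
        if content is not None:
            path = os.path.join(home_root, name, ".rhosts")
            with open(path, "w") as fh:
                fh.write(content)
            os.chmod(path, 0o600)
    return home_root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        for account, findings in scan_homes(build_sample(root)).items():
            print(account, findings or "ok")
```

Because the file in the story was deleted minutes after it was created, a periodic scan like this would have missed it; the durable controls are disabling the r-services and logging file creation in home directories.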
I was so excited. As soon as we hung up, I quickly obtained root access and
set up the log-in backdoor on the mrdbolt server. I started typing at
hyperspeed, so charged I couldn’t slow my fingers down.
My guess had been correct: mrdbolt was the mother lode, the link used
to share development work among the Mobile Radio Division, NEC USA,
and NEC Japan. I found several versions of source code for several
different NEC handhelds. But the source code I really wanted, for the NEC
P7, wasn’t online. Damn! All that effort, and I wasn’t hitting pay dirt.
Since I was already into the internal network, maybe I could get the
code from NEC Japan. Over the next several weeks, I would be able
without much difficulty to get access to all the servers used by the Mobile
Radio Division in Yokohama.
I continued my search for the cell phone source code but found that
there was a massive excess of information: the company was developing
phones for a number of different markets, including the United Kingdom,
other European countries, and Australia. Enough, already; it was time for an
easier approach.
I checked the mrdbolt server to see who was logged in. Jeff Lankford
appeared to be a workaholic: well after the end of the normal working day,
he was still online.
For what I had in mind, I needed privacy. Darren and Liz had already
left for the day; Ginger had the swing shift, so she was still around, but her
office was on the opposite side of the computer room. I partly closed the
door to the space I shared with my coworkers, leaving it just far enough ajar
that I could see if anyone approached.
What I was about to do was gutsy. I was no Rich Little when it came to
doing accents, but I was going to try to pass myself off as Takada-san, from
NEC Japan’s Mobile Radio Division.
I called Lankford at his desk. When he picked up the phone, I launched
into my act:
“Misterrrrr, ahhh, Lahngfor, I Takada-san… from Japan.” He knew the
name and asked how he could help.
“Misterrrrr Lahng… for—we no find, ahhhh, vers’n three ohh five for
hotdog uhh project”—using the codename I’d picked up for the NEC P7
source code. “Can you, ahhh, put on mrdbolt?”
He assured me that he had Version 3.05 on floppy and could upload it.
“Ahhh, thank… ahhh, thank you, Mr. Jeff…. I check mrdbolt soon.
Bye.”
Just as I was ringing off in my apparently not-too-pathetic accent, the
door swung all the way open, and Ginger was standing there.
“Eric… what are you doing?” she asked.
Bad timing.
“Oh, just playing a joke on a buddy of mine,” I told her.
She gave me a weird look, then turned and walked away.
Whoa! Close call!
I logged into mrdbolt and waited for Jeff to finish uploading the code,
which I then immediately transferred to a system at USC for safekeeping.
During this period, I was constantly searching through all the administrator
emails at NEC for certain keywords, including