Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker




I do not believe we will ever be able to find him via his telephone traces, telnet
or FTP connections, and/or other technological methods. It is only
through personal (or, in your case, telephonic) exchanges with Kevin
that we gain more insight as to his activities and plans. Your assistance
is crucial to this investigation. [Emphasis added.]
… I can only assure you, once again, that your efforts in the Kevin
“chase” are appreciated…. If you choose to continue your cooperation
with the FBI by providing me with information about discussions with
Kevin, I promise that, one day, all the little pieces of data filtered to me
from around the world will fall into place and lead to a computer
terminal where I will find Kevin and promptly place him in
handcuffs….
Thanks again, Neill.
Sincerely yours,
Kathleen Carson
Special Agent
Federal Bureau of Investigation
Rereading this now, I’m struck by how frustrated Special Agent Carson
sounds about not being able to catch me—and how willing she was to admit
that in writing.
In my job-hunting efforts in Seattle, I found a newspaper ad for a Help
Desk analyst at the Virginia Mason Medical Center. I went in for an
interview, which lasted for a couple of hours and led, a few days later, to a
job offer. It didn’t sound like something that was going to present the same
challenges that my job in the law firm in Denver had. But my apartment
was depressing, and I didn’t want to commit to a better place until I was set
with an income and knew which part of town I’d be working in, so I took
the job despite the drawbacks.
When I picked up the new-employee package from Human Resources, I
found that the application form asked for a print of my index finger.
Bad news. Did those prints get sent out to be checked against FBI
records? I made another of my pretext calls, this one to the Washington
State Patrol, claiming I was with the Oregon State Police Identification
Division.
“Our department is setting up a program to aid city and county
organizations by screening their job applicants for criminal records,” I said.
“So I’m looking for some guidance. Do you ask for fingerprints?”
“Yes, we do.”
“Do you just run the prints against state files, or do you send them to the
FBI?”
“We don’t submit to any outside agencies,” the guy on the other end of
the line told me. “We check state records only.”
Excellent! I didn’t have any criminal record in Washington State, so I
knew it’d be safe for me to hand in the application with my fingerprint on
it.
I started work a few days later, sharing an office with a tall, very detail-
oriented guy named Charlie Hudson and one other coworker. The job
wasn’t even moderately interesting; my work consisted mostly of answering
Help Desk questions from doctors and other hospital staff members who
brought to mind those jokes about users so numskulled about technology
that they attempted to copy floppy disks on a Xerox machine.
Practically all the employees in the place, for example, were using their
Social Security number as the secret question for resetting their computer
passwords. I tried to talk to my boss about how unsafe that was, but he blew
me off. I thought for a minute about giving him a little demonstration of
how easy it was to obtain anyone’s Social Security number, but then
realized that would be a very bad idea. When I started writing scripts on the
VMS system to solve some technical support problems, I was told that the
project was beyond my job responsibilities, and I should quit working on it.
My mental attitude was in pretty good shape. In all the time I had been
on the run, I had never had any alarming events that made me fear for my
security. But I could never let my guard down completely. One day I
walked out of my apartment building and saw a Jeep Cherokee parked
across the street. What caught my attention was that there were almost no
cars parked on the street at that hour, yet this one was stopped at a place that
wasn’t convenient to any house or apartment building entrance. And there
was a man sitting in it. As a kind of challenge, I stared straight at him. We
made eye contact briefly and then he glanced away, showing no interest. It
made sense to be cautious but I decided I was being a little paranoid, and
continued on my way.
About two months after I moved to Seattle, Lewis put me in touch with Ron
Austin, Poulsen’s one-time hacking buddy, a guy I knew about but had
never talked to. My main topic of conversation with Ron was Justin
Petersen, who had touched all three of our lives by snitching on us. Austin
and I started communicating frequently. He had provided me with a list of
pay-phone numbers in the West Los Angeles area, and I would let him
know which phone number I’d be calling him on and at what time.
I was routing all my calls from Seattle to switches in Denver, Portland,
Sioux Falls, and Salt Lake City, and adding another layer of protection by
manipulating the switch software so it would be very time-consuming for
anyone to trace my calls. Although I didn’t trust Austin, I felt safe talking to
him because we used so many pay phones, a different one each time.
There was another reason I felt safe with him: he shared with me a very
powerful research tool he had learned about from Justin. In a bizarre
coincidence, Justin—long before I met him—had snuck into a building I
was very familiar with: 5150 Wilshire Boulevard, where Dave Harrison had
his offices. Justin was interested in stealing credit card data as it was sent to
the card processor for verification, and he was targeting the same GTE
Telenet network that I had gone after, though with a different intent.
When Justin started playing back the recording of the modem tones
through a setup that translated them into text on the computer screen, he
realized that among all the other data was the sign-on credentials of some
agency that was accessing California DMV records—credentials he and any
other hacker could use to retrieve any information from the DMV.
Incredible! I could just picture Justin’s jaw dropping. He probably couldn’t
believe his good luck, and began using these credentials himself to run
license plates and driver’s licenses.
Ron wasn’t just telling me a story about Justin. He was actually sharing
the details with me: “The GTE Telenet address is 916268.05. As soon as the
display goes blank, you type ‘DGS.’ The password is ‘LU6.’ And you’re
in!”
I couldn’t get off the phone fast enough to try it out. It worked!


From then on, I would never have to social-engineer the DMV for
information again. I could get everything I wanted, quickly, cleanly, and
safely.
Austin’s sharing of this hack put my mind to rest about whether he
might really be a snitch trying to get information to help the Feds find me.
If he were an informant, the Feds would never have allowed him to give me
access to protected DMV records. I was convinced that he was safe to deal
with.
During my investigation of Eric, I had spent countless hours online and on
the phone with a well-known Dutch hacker who went by the hacker name
“RGB,” working to figure out bugs and hack into different systems. He had
been busted in May 1992, arrested at his home in Utrecht, the Netherlands,
by government agents posing as salesmen for a computer company—a
combined force made up of local police and the PILOT team, a law
enforcement group formed to battle hacking-related offenses. RGB told me
the police had hundreds of pages of transcripts of his conversations with
me.
When he was released from detention, we went back to hacking together
again. RGB started probing systems at Carnegie Mellon University and
monitoring their network traffic using a program called “tcpdump.” After
weeks of monitoring, he finally intercepted a CERT staff member’s
password. As soon as he confirmed that the password worked, he contacted
me, full of pure excitement, and asked for my help in finding anything of
interest, most particularly any reported security vulnerabilities that we
could leverage in our hacking.
The Computer Emergency Response Team, CERT, based at Carnegie
Mellon University, in Pittsburgh, was a federally funded research and
development center established in November 1988, after the Morris Worm
brought down 10 percent of the Internet. CERT was intended to prevent
major security incidents by setting up a Network Operations Center to
communicate with security experts. The Center created a vulnerability
disclosure program with the mission of publishing advisories about security
vulnerabilities, usually after the software manufacturer had developed a
patch or created a work-around to mitigate the risk of the security flaw.
Security professionals relied on CERT to protect their clients’ systems and
networks from intrusions. (CERT’s functions would be taken over by the
Department of Homeland Security in 2004.)
Now think about this for a moment: if someone discovered and reported
a security hole, CERT would issue an advisory. Most CERT security
advisories focused on “exposed network services”—operating system
elements that could be accessed remotely—but they also reported security
holes that could be exploited by “local users,” people who already had
accounts on the system. The vulnerabilities were usually associated with the
Unix-based operating systems—including SunOS, Solaris, Irix, Ultrix, and
others—that made up most of the Internet back then.
New security bug reports were often sent to CERT, sometimes in
unencrypted emails. These were what RGB and I were after, new bugs that
we could leverage to get into systems, almost as if we had a master key to
the server. Our goal was to leverage the “window of exposure,” the time
lapse until the manufacturer came up with a patch and companies could get
it installed. Such security holes had a limited shelf life: we would have to
make use of them before they were fixed or otherwise blocked.
I had known about RGB’s plan but doubted he would be able to capture
the credentials to a CERT staff member’s account. Yet he had pulled it off
in a short time. I was shocked but happy to share the spoils with him. As a
team, we hacked into the workstations of several other CERT staff members
and grabbed everyone’s email spools, meaning all their email messages.
And we hit the mother lode, because many of those emails contained
unencrypted messages disclosing so-called zero-day vulnerabilities—
meaning that they had just been discovered, and the software manufacturers
had not yet developed or distributed patches to fix the problems.
When RGB and I found that most bugs were sent “in the clear”—
unencrypted—we could hardly contain ourselves.
As I said, that had all happened a couple of years earlier. But now,
sometime around September 1994, an unexpected message popped up from
RGB, drawing my attention back to CERT:
Hi, Here’s some info for you:
there is a vax/vms system on 145.89.38.7 login name:
opc/nocomm there might be x.25 access on here but i’m not sure, on
the network there is a host called hutsur, this host does have access to
x.25 for sure.
you might wonder why this has to be so secret, but i’m starting to hack
again and I dont want the police to know anything about it. in order to
start again, i need you to do me a favor. could you get me some
numbers of terminal servers all over the u.s., i will use some outdials i
got to get to them, and will go from these terminal servers on to the
internet.
This time around i’m really gonna setup all the things right, so
nothing will be noticed. The preparation for the whole thing will take
about 1 month or so, after that i will be found regularly on the internet,
i will then give you some more info on what projects i’m working. i’m
all ready busy trying to get access to cert again, i have gotten different
passwords for cmu systems, which i will use in a later stage.
Thanxs,
P.s.)
Included is my pgp key
He wanted to get back into CERT again!
One day in early October 1994, not long after RGB’s email, I went out to
lunch carrying a small package containing a defective OKI 900 cell phone
that I was planning to mail back to the store that day. As was almost always
the case when I was out on foot, I was talking on my cell phone. I walked
down Brooklyn Avenue toward the heart of the U District. When I crossed
52nd Street, about two blocks from my apartment, I heard the faint sound of
a helicopter.
The sound gradually grew louder, then was suddenly very loud and right
overhead, very low, as the helicopter evidently headed for a landing at a
nearby schoolyard.


But it didn’t land.
As I walked, it stayed right over my head and appeared to be
descending. 
