Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker

PART FOUR

An End and a Beginning

THIRTY-THREE

Hacking the Samurai
Ozg ojglw lzw hshwj gf AH Khggxafy lzsl BKR skcwv ew stgml?
W
ith my new identity credentials in order, it was time to get clear of Las
Vegas before my luck ran out. The 1994 Christmas/New Year’s holiday
time was just ahead, and I couldn’t resist the idea of a return visit to Denver,
a city I had grown so fond of. Packing up, I took along an old ski jacket of
mine, thinking I might be able to get in a little more time on the slopes over
the holidays.
But once I arrived in Denver and settled into an attractive, medium-
priced hotel, two people I had never met—that arrogant Japanese-American
security expert whose server I had hacked into a year earlier, the other an
extraordinarily skilled computer hacker in Israel—would become actors in a
drama that would change the entire rest of my life.
I had come across an Israeli who went by his initials, “JSZ”; we met
over Internet Relay Chat, an online service for finding and chatting with
strangers who shared similar interests. In our case, the interest was hacking.
Eventually he told me that he had hacked most if not all of the major
software manufacturers that developed operating systems—Sun, Silicon
Graphics, IBM, SCO, and so on. He had copied source code from their
internal development systems and planted backdoors to get back in anytime
he wanted. That was quite a feat—very impressive.
We started sharing our hacking conquests with each other and
information on new exploits, backdooring systems, cell phone cloning,
acquiring source code, and compromising the systems of vulnerability
researchers.
During one call he asked if I had read “the Morris paper on IP
spoofing,” which revealed a major vulnerability in the core protocol of the
Internet.

Robert T. Morris, a computer prodigy, had found a clever security flaw that
could be exploited using a technique called “IP spoofing” to bypass
authentication that relied on the remote user’s IP address. Ten years after
Morris published his paper, a group of hackers, including JSZ in Israel, had
created a tool for it. Since it was only theoretical up to that time, nobody
had thought to protect against it.
For the technically minded, the IP spoofing attack in this case
relied on an older technology known as the R-services, which required
configuring each computer system so that it would accept trusted
connections, meaning that a user could log in to an account—
depending on the configuration—without needing to provide the
password. This made it possible for a system admin to configure a
server to trust other computers for the purpose of authentication. One
example is where a system admin manages multiple machines, so
when he or she is logged in as root, no password would be required to
log in to other systems that trust the server.
In the IP spoofing attack, the attacker’s first step is to look for other
systems that are likely to be trusted by the root account on the target
server, meaning a user logged in to root on a trusted system can log in
to the root account on the target server without supplying a password.
It wasn’t too difficult in this case. By using the “finger” command,
the attacker was able to identify that our victim was connected to the
target system from another computer located in the same local area
network. It was very likely that these two systems trusted each other
for root access. The next step was to establish a connection to the
target system by forging the trusted computer’s IP address.
This is where it got a bit tricky. When two systems are establishing
an initial connection over TCP, a series of packets are sent back and
forth to create a “session” between them. This is called a “three-way
handshake.” During the handshake, the target system transmits a
packet back to the machine trying to establish the connection. Because
the targeted server believes it’s responding to the 
real
system’s request
to establish a connection, the handshake process fails because the
attacker’s system never receives the packet to complete the three-way
handshake.

Enter the TCP sequence number: the protocol uses sequence
numbers to acknowledge the receipt of data. If the attacker could
predict the sequence number of the packet being sent from the target
system to the 
real
server during the initial handshake, he could
complete the process by sending an acknowledgment packet (with the
correct sequence number), and establish a connection appearing to be
from the trusted machine.
This effectively established a session by guessing the TCP
sequence number. Because the targeted system was fooled into
thinking it had established a connection with a trusted machine, it
allowed the attacker to exploit the trust relationship, and bypass the
usual password requirement—allowing full access to the machine. At
this point, the attacker could write over the current .rhosts file on the
target machine, allowing anyone access to the root account without a
password.
In summary, the attack relied on the attacker being able to predict
the TCP sequence number of the packet sent by the target computer at
the time of the initial contact. If an attacker could successfully predict
the TCP sequence number that the target would use during the
handshaking process, the attacker could impersonate a trusted
computer and bypass any security mechanisms that rely on the user’s
IP address.
I told JSZ I had read the article. “But it’s theoretical. Hasn’t been done
yet.”
“Well, my friend, methinks it has. We’ve already developed the tool, and
it works—amazingly well!” he said, referring to a piece of software that he
and some associates spread throughout Europe had been working on.
“No way! You’re kidding me!”
“I’m not.”
I asked him if I could have a copy.
“Maybe later,” he said. “But I’ll run it for you anytime you want. Just
give me a target.”
I shared with JSZ the details of my hack into Mark Lottor’s server and
his interesting connection with Tsutomu Shimomura, using his nickname. I
explained how I’d hacked into UCSD and sniffed the network until
someone named “ariel” connected to Shimomura’s server, after which I was

finally able to get in. “Shimmy somehow realized that one of the people
who had access to his computer had been hacked, and he booted me off
after several days,” I said.
I had seen some of the security bugs Shimmy had reported to Sun and
DEC and been impressed with his bug-finding skills. In time I would learn
that he had shoulder-length straight black hair, a preference for showing up
at work wearing sandals and “raggedy-ass jeans,” and a passion for cross-
country skiing. He sounded every bit like the kind of Californian conjured
by the term “dude”—as in, “Hey, dude, howz it hangin’?”
I told JSZ that Shimmy might have the OKI source code or the details of
his and Lottor’s reverse engineering efforts, not to mention any new
security bugs he might have discovered.
On Christmas Day 1994, walking out of a movie at the Tivoli Center in
downtown Denver, I powered up my cloned cell phone and called JSZ to
jokingly wish him a Jewish Merry Christmas.
“Glad you called,” he said. In a cool, collected voice, he told me, “I have
a Christmas present for you. My friend, I got into ariel tonight.” And he
gave me the port number where he’d set up the backdoor. “Once you
connect, there is no prompt. You just type ‘.shimmy.’ and you get a root
shell.”
“No fucking way!”
To me it was a great Christmas present. I had been wanting to get back
into Shimmy’s computer to find out more about what he and Mark Lottor
were up to with the OKI cell phone project, and I wanted to know if either
of them had access to the source code. Either way I was going to grab
whatever information I could find on his server related to the OKI 900 and
1150 cell phones.
It was known in the hacker community that Shimmy had a very arrogant
demeanor—he thought he was smarter than everyone else around him. We
decided to bring his ego down a few notches toward reality—just because
we could.
The drive back to the hotel in my rental car felt like just about the
longest twenty minutes of my life. But I didn’t dare drive faster than the
flow of traffic. If I got pulled over and the cop came up with something
suspicious about my driver’s license, it might be a hell of a lot longer than
twenty minutes before I could get online again. Patience, patience.

As soon as I walked into my hotel room, I powered up my laptop and
dialed up to Colorado Supernet, masking the call as usual by using my cell
phone cloned to some random Denverite.
I fired up a network talk program that would make a direct connection to
JSZ’s computer in Israel so we could communicate in one window as we
hacked Shimmy in another. I connected to Shimmy’s computer using the
backdoor that JSZ had set up. Bingo!—I was in with root privileges.
Incredible! What a high! That must be what a kid feels on reaching the
top level of a video game that he’s struggled with for months. Or like
reaching the summit of Mount Everest. Thrilled, I congratulated JSZ on a
job well done.
For openers, JSZ and I probed Shimmy’s system looking for the most
valuable information—anything to do with security bugs, his email, and any
files that had “oki” in their name. He had tons of files. As I was archiving
and compressing everything that matched my criteria, JSZ was also probing
around for anything that would be useful. Both of us were very concerned
that Shimmy might decide to log in to check his email for Christmas
greetings and find out he was being hacked. We wanted to get his stuff
before he figured it out. I was worried he might pull the network
connection, just as Lottor had done several months earlier.
We were working fast to get the information off Shimmy’s machine. My
endorphins were on major overload.
After searching, archiving, and compressing, I needed a place to store
the code for safekeeping. No problem: I already had root access to every
server at the Whole Earth ’Lectronic Link, commonly known as “the Well.”
Started by Stewart Brand and a partner, the Well had as its users a who’s
who of the Internet, but the celebrity status of the site didn’t matter to me at
all. My only concern was whether there was enough disk space and whether
I could hide the files well enough that the system admins wouldn’t notice
them. In fact, I had been spending lots of time on the site. A few days after
John Markoff’s front-page 

Download 2,97 Mb.

Do'stlaringiz bilan baham: