Read The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders and Deceivers Online

Authors: Kevin D. Mitnick,William L. Simon

Tags: #Computer Hackers, #Computer Security, #Computers, #General, #Security


malicious types of programs, such as the following:

Spycop (available at www.spycop.com)

PestPatrol (available at www.pestpatrol.com)

Adware (available from www.lavasoftusa.com)

Audit systems for software integrity. Employees or malicious insiders could replace critical operating system files or applications that could be used to bypass security controls. In this story, the inmate hackers had changed the PC Anywhere application to run without displaying an icon in the system tray so they would not be detected. The prison officials in this story never realized that their every move was periodically being monitored while Danny and William virtually looked over their shoulders.

In some circumstances, it may be appropriate to conduct an integrity audit, and to use a third-party application that notifies the appropriate staff when any changes are made to system files and applications on the "watch list."

Excessive privileges. In Windows-based environments, many end-users are logged into accounts with local administrator rights on their own machines. This practice, while more convenient, makes it very easy for a disgruntled insider to install a keystroke logger or network monitoring tool (sniffer) on any system where he has local administrator privileges. Remote attackers also may send malicious programs hidden within an email attachment that may be opened by the unsuspecting user. The threat posed by these attachments can be minimized by using the "least privilege" rule, which means that users and programs should run with the fewest privileges necessary to perform their required tasks.
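
A minimal sketch of the watch-list integrity audit described in the countermeasures above, added here as an illustration and not taken from the book: it records SHA-256 hashes for the watch list while the system is known good, then reports files that were later modified, added, or removed. The folder name, file names, and file contents are constructed sample data.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def snapshot(watch_list):
    """Map every file under the watch-list entries (files or folders) to its SHA-256."""
    state = {}
    for entry in map(Path, watch_list):
        files = [p for p in entry.rglob("*")] if entry.is_dir() else [entry]
        for path in files:
            if path.is_file():
                state[str(path)] = sha256_file(path)
    return state

def audit(baseline, watch_list):
    """Compare the current state to the trusted baseline and return sorted findings."""
    current = snapshot(watch_list)
    findings = []
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            findings.append(("MISSING", path))
        elif path not in baseline:
            findings.append(("ADDED", path))
        elif baseline[path] != current[path]:
            findings.append(("MODIFIED", path))
    return findings

def demo():
    """Constructed scenario: a watched application is altered after the baseline."""
    with tempfile.TemporaryDirectory() as root:
        app = Path(root, "remote_control")  # hypothetical watched application folder
        app.mkdir()
        (app / "host.exe").write_bytes(b"original build: shows tray icon")
        (app / "settings.ini").write_text("tray_icon=1\n")
        watch_list = [app]
        baseline = snapshot(watch_list)  # taken while the system is known good
        # Simulated tampering: program replaced, extra file dropped, config removed.
        (app / "host.exe").write_bytes(b"altered build: tray icon suppressed")
        (app / "logger.dll").write_bytes(b"unexpected extra file")
        (app / "settings.ini").unlink()
        return [(status, Path(p).name) for status, p in audit(baseline, watch_list)]

if __name__ == "__main__":
    for status, name in demo():
        print(f"{status:9} {name}")
```

The baseline is only as trustworthy as its storage: keep it off the audited machine or on read-only media, since anyone who can replace a watched file with administrator rights can also rewrite a baseline stored beside it.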

THE BOTTOM LINE

In some situations, common sense dictates that elaborate security precautions are a waste of time. In a military school, for example, you would not expect the student body to be filled with people looking for every possible opportunity to cheat or challenge the rules. In an elementary school, you would not expect ten-year-olds to be more knowledgeable about computer security than the staff technology guru.

And in a prison, you would not expect that inmates, closely watched, living under a set of rigid rules, would find the means not just to work their way onto the Internet but then to spend hours at a time, day after day, enjoying music, movies, communications with the opposite sex, and learning more and more about computers.

The moral: If you are in charge of information security for any school, workgroup, company, or other entity, you have to assume that some malicious adversary -- including someone inside your organization -- is looking for that small crack in the wall, the weakest link of your security chain, to break your network. Don't assume that everyone is going to play by the rules. Do what is cost-effective to prevent potential intrusions, but don't forget to keep looking out for what you missed. The bad guys are counting on you to be careless.

Chapter 4

Cops and Robbers

I walked into this classroom full of law enforcement officers and said, "Do you guys recognize any of these names?" I read off a list of the names. One federal officer explained, "Those are judges in the U.S. District Court in Seattle." And I said, "Well, I have a password file here with 26 passwords cracked." Those federal officers about turned green.

-- Don Boelling, Boeing Aircraft

Matt and Costa weren't planning an attack on Boeing Aircraft; it just turned out that way. But the outcome of that incident and others in their chain of hacker activities stands as a warning. The two could be the poster boys in a campaign to warn other kid hackers too young to appreciate the consequences of their actions.

Costa (pronounced "COAST-uh") Katsaniotis started learning about computers when he got a Commodore Vic 20 at age 11 and began programming to improve the machine's performance. At that tender age, he also wrote a piece of software that allowed his friend to dial up and see a list of the contents of his hard drive. "That's where I really started with computers and loving the what-makes-things-work aspect of having a computer." And not just programming: He probed the hardware, unworried, he said, about losing the screws "because I started out taking things apart when I was three."

His mother sent him to a Christian private school until eighth grade and then to a public school. At that age his tastes in music leaned toward U2 (it was his first album and he's still a big fan), as well as Def Leppard and "some of the darker music"; meanwhile his tastes in computing were expanding to include "getting into what I could do with phone numbers."


A couple of older kids had learned about 800-WATS extenders, phone numbers they could use to make free long-distance calls.

Costa loved computers and had a natural understanding of them. Perhaps the absence of a father heightened the teen's interest in a world where he enjoyed complete control.

Then in high school I kinda took a break and I figured out what girls were. But I still always had my passion for computers and always kept those close at hand. I really didn't start taking off with the hacking until I had a computer that could handle it and that was the Commodore 128.

Costa met Matt -- Charles Matthew Anderson -- on a BBS (bulletin board system) in the Washington state area. "We were friends for I think probably a year via telephone and messaging on these bulletin boards before we actually even met." Matt -- whose handle is "Cerebrum" -- describes his childhood as "pretty normal." His father was an engineer at Boeing and had a computer at home that Matt was allowed to use. It's easy to imagine the father so uncomfortable with the boy's preferences in music ("industrial and some of the darker stuff") that he overlooked the dangerous path Matt was following on the computer.

I started learning how to program basic when I was about nine years old. I spent most of my teenage years getting into graphics and music on the computer. That's one of the reasons I still like computers today -- the hacking on that multimedia stuff is really fun.

I first got into the hacking stuff in my senior year in high school, getting into the phreaking side of it, learning how to take advantage of the telephone network that was used by the teachers and administrators to make long distance calls. I was heavily into that in my high school years.

Matt finished high school among the top 10 in his class, entered the University of Washington, and began learning about legacy computing: mainframe computing. At college, with a legitimate account on a Unix machine, he started teaching himself about Unix for the first time, "with some help from the underground bulletin-board and web sites."

Phreaking

After they became a team, it seemed as if Matt and Costa were leading each other in the wrong direction, down the road of hacking into the telephone system, an activity known as "phreaking." One night, Costa remembers, the two went on an expedition that hackers call "dumpster diving," scouring through the trash left outside the relay towers of the cell phone companies. "In the garbage amongst coffee grounds and other stinky stuff, we got a list of every tower and each phone number" -- the phone number and electronic serial number, or ESN, that is a unique identifier assigned to each cell phone. Like a pair of twins remembering a shared event from childhood, Matt chimes in: "These were test numbers that the technicians would use to test signal strengths. They would have special mobile phones that would be unique to that tower."

The boys bought OKI 900 cell phones and a device to burn new programming onto the computer chips in the phones. They did more than just program new numbers; while they were at it, they also installed a special firmware upgrade that allowed them to program any desired phone number and ESN number into each of the phones. By programming the phones to the special test numbers they had found, the two were providing themselves free cell phone service. "The user chooses which number he wants to use for placing a call. If we had to we could switch through to another number real quick," Costa said.

(This is what I call "the Kevin Mitnick cellular phone plan" -- zero a month, zero a minute, but you may end up paying a heavy price at the end, if you know what I mean.)

With this reprogramming, Matt and Costa could make all the cell phone calls they wanted, anywhere in the world; if the calls were logged at all, they would have gone on the books as official business of the cell company. No charges, no questions. Just the way any phone phreaker or hacker likes it.

Getting into Court

Landing in court is about the last thing any hacker wants to do, as I know only too well. Costa and Matt got into court early in their hacking together, but in a different sense.

Besides dumpster diving and phone phreaking, the two friends would often set their computers war dialing, looking for dial-up modems that might be connected to computer systems they could break into. They could between them check out as many as 1,200 phone numbers in a night. With their machines dialing non-stop, they could run through an entire telephone prefix in two or three days. When they returned to their machines, the computer logs would show what phone numbers they had gotten responses from. "I was running my wardialer to scan a prefix up in Seattle, 206-553," Matt said. "All those phone numbers belong to federal agencies of some sort or another. So just that telephone prefix was a hot target because that's where you would find the federal government computers." In fact, they had no particular reason for checking out government agencies.

Costa: We were kids. We had no master plan.

Matt: What you do is you just kinda throw the net out in the sea and see what kind of fish you come back with.

Costa: It was more of a "What can we do tonight?" type thing, "What can we scan out tonight?"

Costa looked at his war dialer log one day and saw that the program had dialed into a computer that returned a banner reading something like "U.S. District Courthouse." It also said, "This is federal property." He thought, "This looks juicy."

But how to get into the system? They still needed a username and password. "I think it was Matt that guessed it," Costa says. The answer was too easy: Username: "public." Password: "public." So there was "this really strong, scary banner" about the site being federal property, yet no real security barring the door.

"Once we were into their system, we got the password file," Matt says. They easily obtained the judges' sign-on names and passwords. "Judges would actually review docket information on that court system and they could look at jury information or look at case histories."

Sensing the risk, Matt says, "We didn't explore too far into the court." At least, not for the moment.

Guests of the Hotel

Meanwhile, the guys were busy in other areas. "One of the things we also compromised was a credit union. Matt discovered a pattern in the numbers for their codes that made it easy for us to make telephone calls" at the association's expense. They also had plans to get into the computer system of the Department of Motor Vehicles "and see what kind of driver's licenses and stuff we could do."

They continued to hone their skills and break into computers. "We were on a lot of computers around town. We were on car dealerships. Oh, and there was one hotel in the Seattle area. I had called them and acted like I was a software technician for the company that made the hotel reservation software. I talked to one of the ladies at the front desk and explained that we were having some technical difficulties, and she wouldn't be able to do her job correctly unless she went ahead and made a few changes."

With this standard, familiar social engineering gambit, Matt easily found out the logon information for the system. "The username and password were 'hotel' and 'learn.'" Those were the software developers' default settings, never changed.

The break-in to the computers of the first hotel provided them a learning curve on a hotel reservations software package that turned out to be fairly widely used. When the boys targeted another hotel some months later, they discovered that this one, too, might be using the software they were already familiar with. And they figured this hotel might be using the same default settings. They were right on both counts. According to Costa:

We logged into the hotel computer. I had a screen basically just like they would have right there in the hotel. So I logged in and booked a suite, one of the top $300 a night suites with a water view and the wet bar and everything.

I used a fake name, and put a note that a $500 cash deposit had been made on the room. Reserved for a night of hell-raising. We basically stayed there for the whole weekend, partied, and emptied out the mini bar.

Their access to the hotel's computer system also gave them access to information on guests who had stayed at the hotel, "including their financial information."

Before checking out of the hotel, the boys stopped by the front desk and tried to get change from their "cash deposit." When the clerk said the hotel would send a check, they gave him a phony address and left.

"We were never convicted of that," Costa says, adding, "Hopefully the statute of limitations is up." Any regrets? Hardly. "That one had a little bit of a payoff in that wet bar."

Opening a Door

After that wild weekend, the emboldened boys went back to their computers to see what else they could do with the hack into the District Court. They quickly found out that the operating system for the court computer had been purchased from a company we'll call Subsequent. The software had a built-in feature that would trigger a phone call to Subsequent anytime software patches were needed -- for example, "If a customer of a Subsequent computer bought a firewall and the operating system needed patches for the firewall to run, the company had a method for logging in to their corporate computer system to get the patches. That's basically how it was back then," Costa explained.

Matt had a friend, another C programmer, who had the skills to write a Trojan -- a piece of software that provides a secret way for a hacker to get back onto a computer he has made his way into earlier. This was very handy if passwords are changed or other steps are taken to block access. Through the computer at the District Court, Matt sent the Trojan to the Subsequent corporate computer. The software was designed so that it would also "capture all the passwords and write them to a secret file, as well as allow us a root [administrator access] bypass in case we ever got locked out."

Getting into the Subsequent computer brought them an unexpected bonus: access to a list of other companies running the Subsequent operating system. Pure gold. "It told us what other machines we could access." One of the companies named on the list was a giant local firm, the place where Matt's father worked: Boeing Aircraft.

"We got one of the Subsequent engineer's username and password, and they worked on the boxes that he had sold Boeing. We found we had access to login names and passwords to all the Boeing boxes," Costa said.

The first time Matt called the phone number for external connections to the Boeing system, he hit a lucky break.

The last person that called in hadn't hung up the modem properly so that when I dialed in I actually had a session under some user. I had some guy's Unix shell and it's like, "Wow, I'm suddenly into the guy's footprint."

(Some early dial-up modems were not configured so they would automatically log off the system when a caller hung up. As a youngster, whenever I would stumble across these types of modem configurations, I would cause the user's connection to be dropped by either sending a command to a telephone company switch, or by social engineering a frame technician to pull the connection. Once the connection was broken, I could dial in and have access to the account that was logged in at the time of the dropped connection. Matt and Costa, on the other hand, had simply stumbled into a connection that was still live.)

Having a user's Unix shell meant that they were inside the firewall, with the computer in effect standing by, waiting for him to give instructions. Matt recalls:

So immediately I went ahead and cracked his password and then I used that on some local machines where I was able to get root [system administrator] access. Once I had root, we could use some of the other accounts, try going onto some of the other machines those people accessed by looking at their shell history.

If it was a coincidence that the modem just happened to be online when Matt called, what was going on at Boeing when Matt and Costa started their break-in to the company was an even greater coincidence.
