The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders and Deceivers (13 page)

Guarding the Barricades At that moment, Boeing Aircraft was hosting a high-level computer secu- rity seminar for an audience that included people from corporations, law enforcement, FBI, and the Secret Service.

Overseeing the session was Don Boelling, a man intimate with Boeing's computer security measures and the efforts to improve them. Don had been fighting the security battles internally for a number of years. "Our network and computing security was like everywhere else, it was basically zip. And I was really concerned about that."

As early as 1988, when he was with the newly formed Boeing Electronics, Don had walked into a meeting with the division president and several vice presidents and told them, "Watch what I can do with your network." He hacked modem lines and showed that there were no passwords on them, and went on to show he could attack whatever machines he wanted. The executives saw one computer after another that had a guest account with a password of "guest." And he showed how an account like that makes it easy to access the password file and download it to any other machine, even one outside the company.

He had made his point. "That started the computing security program at Boeing," Don told us. But the effort was still in its infancy when Matt and Costa began their break-ins. He had been having "a hard time convincing management to really put resources and funding into computing security." The Matt and Costa episode would prove to be "the one that did it for me."

His courageous role as a spokesman for security had led to Don organ- izing the groundbreaking computer forensics class at Boeing. "A gov- ernment agent asked us if we wanted to help start a group of law enforcement and industry people to generate information. The organiza- tion was designed to help train law enforcement in computer technology forensics, involving high-tech investigations techniques. So I was one of the key players that helped put this together. We had representatives from Microsoft, US West, the phone company, a couple of banks, several dif- ferent financial organizations. Secret Service agents came to share their knowledge of the high-tech aspects of counterfeiting."

Don was able to get Boeing to sponsor the sessions, which were held in one of the company's computer training centers. "We brought in about thirty-five law enforcement officers to each week-long class on how to seize a computer, how to write the search warrant, how to do the forensics on the computer, the whole works. And we brought in Howard Schmidt, who later was recruited onto the Homeland Security force, answering to the President for cyber-crime stuff."

On the second day of the class, Don's pager went off. "I called back the administrator, Phyllis, and she said, `There's some strange things 76 The Art of Intrusion

going on in this machine and I can't quite figure it out." A number of hidden directories had what looked like password files in them, she explained. And a program called Crack was running in the background.

That was bad news. Crack is a program designed to break the encryp- tion of passwords. It tries a word list or a dictionary list, as well as per- mutations of words like Bill1, Bill2, Bill3 to try to discern the password.

Don sent his partner, Ken ("our Unix security guru") to take a look. About an hour later, Ken paged Don and told him, "You better get up here. This looks like it might be pretty bad. We've got numerous pass- words cracked and they don't belong to Boeing. There's one in particu- lar you really need to look at."

Meanwhile, Matt had been hard at work inside the Boeing computer networks. Once he had obtained access with system administrator privi- leges, "it was easy to access other accounts by looking into some of the other machines those people had accessed." These files often had tele- phone numbers to software vendors and other computers the machine would call. "A primitive directory of other hosts that were out there," says Matt. Soon the two hackers were accessing the databases of a variety of businesses. "We had our fingers in a lot of places," Costa says.

Not wanting to leave the seminar, Don asked Ken to fax down what he was seeing on the administrator's screen. When the transmission arrived, Don was relieved not to recognize any of the user IDs. However, he was puzzled over the fact that many of them began with "Judge." Then it hit him:

I'm thinking, "Oh my God!" I walked into this classroom full of

law enforcement officers and said, "Do you guys recognize any of

these names?" I read off a list of the names. One federal officer

explained, "Those are judges in the U.S. District Court in

Seattle." And I said, "Well, I have a password file here with 26

passwords cracked." Those federal officers about turned green.

Don watched as an FBI agent he'd worked with in the past made a few phone calls.

He calls up the U.S. District Court and gets hold of the system

administrator. I can actually hear this guy on the other end of the

line going, "No, no way. We're not connected to the Internet.

They can't get our password files. I don't believe it's our

machine." And Rich is saying, "No, it is your machine. We've got

the password files." And this guy is going, "No, it can't happen.

People can't get into our machines." Chapter 4 Cops and Robbers 77

Don looked down at the list in his hand and saw that the root pass- word -- the top-level password known only to system administrators -- had been cracked. He pointed it out to Rich.

Rich says into the telephone, "Is your root password `2ovens'?"

Dead silence on the other end of the line. All we heard was a

"thunk" where this guy's head hit the table.

As he returned to the classroom, Don sensed a storm brewing. "I said, `Well, guys, it's time for some on-the-job real life training.'"

With part of the class tagging along, Don prepared for battle. First, he went to the computer center in Bellevue where the firewall was located. "We found the account that was actually running the Crack program, the one the attacker was logging in and out of, and the IP address he was coming from."

By this time, with their password-cracking program running on the Boeing computer, the two hackers had moved into the rest of Boeing's system, "spider-webbing" out to access hundreds of Boeing computers.

One of the computers that the Boeing system connected to wasn't even in Seattle. In fact, it was on the opposite coast. According to Costa:

It was one of the Jet Propulsion lab computers at NASA's Langley

Research Labs in Virginia, a Cray YMP5, one of the crown jew-

els. That was one of our defining moments.

All kinds of things cross your mind. Some of the secrets could make

me rich, or dead, or really guilty.

The folks in the seminar were taking turns watching the fun in the computer center. They were stunned when the Boeing security team dis- covered their attackers had gotten access to the Cray, and Don could hardly believe it. "We were able to very quickly, within an hour or two, determine that access point and the access points to the firewall." Meanwhile, Ken set up virtual traps on the firewall in order to determine what other accounts the attackers had breached.

Don rang the local phone company and asked to have a "trap and trace" put on the Boeing modem lines that the attackers were using. This is a method that would capture the phone number that the calls were originating from. The telephone people agreed without hesitation. "They were part of our team and knew who I was, no questions asked. That's one of the advantages of being on these law enforcement teams."

Don put laptops in the circuits between the modems and the comput- ers, "basically to store all the keystrokes to a file." He even connected 78 The Art of Intrusion

Okidata printers to each machine "to print everything they did in real time. I needed it for evidence. You can't argue with paper like you can with an electronic file." Maybe it's not surprising when you think about which a panel of jurors is more likely to believe: an electronic file or a document printed out at the very time of the incident.

The group returned to the seminar for a few hours where Don outlined the situation and defensive measures taken. The law enforcement officers were getting hands-on, graduate-level experience in computer forensics. "We went back up to do some more work and check on what we had, and while I was standing there with two federal officers and my partner, the modem goes off. Bingo, these guys came in, logged in on the account," Don said.

The local phone company tracked Matt and Costa to their homes. The team watched as the hackers logged into the firewall. They then trans- ferred over to the University of Washington, where they logged in to Matt Anderson's account.

Matt and Costa had taken precautions that they thought would protect their calls from being traced. For one thing, instead of dialing Boeing directly, they were calling into the District Court computers and then routing a call from the Court to Boeing. They figured that "if there was someone monitoring us at Boeing, they were probably having a rough time figuring out where our call was originating from," Costa said.

They had no idea their every move was being watched and recorded as Matt dialed into the Court, from there to Boeing, and then transferred to his personal student account.

Since we were so new on [the District Court] system and the pass-

word and user name were "public," at the time I didn't think it

was a threat, or I was being lazy. That direct dial is what gave

them the trace to my apartment and that's where everything

fell apart.

Don's team felt like the proverbial fly on the wall as Matt started read- ing the email on his student account. "In this guy's email is all this stuff about their hacker exploits and responses from other hackers."

The law enforcement officers are sitting there laughing their asses

off, 'cause these are basically arrogant kids, not considering

they'd get caught. And we're watching them real time produce

evidence right there in our hands.

Meanwhile, Don was ripping the sheets off the printer, having every- body sign as a witness, and sealing then as evidence. "In less than six Chapter 4 Cops and Robbers 79

hours from the point we knew we had this intrusion, we already had these guys on criminal trespass."

Boeing management was not laughing. "They were scared out of their wits and wanted the hackers terminated -- `Get them off the computers and shut all this off right now.'" Don was able to convince them it would be wiser to wait. "I said, `We don't know how many places these guys have gotten into. We need to monitor them for a while and find out what the heck is going on and what they've done.'" When you consider the risk involved, it was a remarkable testament to Don's professional skills that management capitulated.

Under Surveillance One of the federal officers attending the seminar obtained warrants for tap- ping Matt and Costa's telephones. But the wiretaps were only one part of the effort. By this time the federal government was taking the case very seriously. The action had assumed aspects of a spy movie or a crime thriller: FBI agents were sent to the campus in teams. Posing as students, they fol- lowed Matt around campus, noting his actions so they would later be able to testify that at some particular time, he was using one particular computer on campus. Otherwise it would be easy to claim, "That wasn't me -- lots of people use that computer every day." It had happened before.

On the Boeing side, the security team took every precaution they could think of. The goal wasn't to keep the boys out but to watch closely, con- tinuing to gather evidence while making sure they didn't do any damage. Don explains, "We had all of our computers' main entry points set up to where either the system administrator or the computer would page us and let us know some activity was going on." The pager's beep became a cry to "battle stations." Team members immediately notified select individuals on a call list to let them know the hackers were on the prowl again. Several times, Don's group electronically tracked Matt and Costa's activity through the University of Washington -- where key staff had been briefed -- all the way through the Internet, from point to point. It was like being beside the two as they made the actual break in.

Don decided to watch them for another four or five days because "basi- cally we had them fairly well contained and they weren't doing anything that I would consider extremely dangerous, though they had consider- able access and could have if they wanted to."

But Costa soon learned something was up:

One night my girlfriend and I were sitting in my apartment

watching TV. It was a summer night, and the window was open,

and it's funny but she looked outside ... and noticed a car in the 80 The Art of Intrusion

parking lot of the Pay & Save. Well, about an hour later, she

looked out again and said, "There's a car outside with guys in it

that was out there an hour ago."

Costa turned off the TV and lights and proceeded to videotape the FBI agents watching his place. A little later, he saw a second car pull up next to the first one. The men in the two cars discussed something and then both drove off.

The next day, a team of officers showed up at Costa's apartment. When he asked, they acknowledged that they didn't have a warrant, but Costa wanted to look like he was cooperating so didn't object to being inter- viewed. He didn't object, either, when they asked him to call Matt and draw him out about the cell phone activities, while they recorded the conversation.

Why was he willing to call his closest friend and talk about their illegal activities with law enforcement listening in? Simple: Joking around one night, playing a variation of "What if?" the two had actually anticipated a situation in which it might be hazardous to talk freely and had devised a code. If one of them dropped "nine, ten" into the conversation, it would mean "Danger! watch what you say." (They chose the number as easy to remember, being one less than the emergency phone number, 911.)