Read The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders and Deceivers Online

Authors: Kevin D. Mitnick,William L. Simon

Tags: #Computer Hackers, #Computer Security, #Computers, #General, #Security


BOOK: The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders and Deceivers
4.08Mb size Format: txt, pdf, ePub

Marco called his partners en route home. He sounded frantic. He said, "I want to tell you guys what happened. I sort of screwed up."

Mike headed straight for their headquarters. "Alex and I were freaked when we heard what happened. I started tearing the machines apart and dumping pieces all over the city."

Alex and Mike were both unhappy with Marco for one of the unnecessary risks he ran. He wouldn't put the button in his shoe like the other two, stubbornly insisting on carrying the device in his jacket pocket and triggering it with his hand. Alex described Marco as a guy who "thought the security people were so dumb that he could keep pushing the envelope with how much he was doing right under their noses."

Alex is convinced he knows what happened, even though he wasn't present. (In fact, the other three didn't know Marco had gone on a casino trip despite the agreement to clue each other in on their plans.) The way Alex figures, "They just saw that he was winning a ridiculous amount and that there was something going on with his hand." Marco simply wasn't bothering to think about what could cause the floor people to notice him and wonder.

That was the end of it for Alex, though he's not entirely sure about the others. "Our decision at the beginning was that if any of us was ever caught, we would all stop." He said, "We all adhered to that as far as I know." And after a moment, he added with less certainty, "At least I did." Mike concurs, but neither of them has ever asked Marco the question directly.

The casinos don't generally prosecute attacks like the one that the guys had pulled. "The reason is they don't want to publicize that they have these vulnerabilities," Alex explains. So it's usually, "Get out of town before sundown. And if you agree never to set foot in a casino again, then we'll let you go."

Aftermath

About six months later, Marco received a letter saying that charges against him were not being pressed.

The four are still friends, though they aren't as close these days. Alex figures he made $300,000 from the adventure, part of which went to Larry as they had agreed. The three casino-going partners, who took all the risk, had initially said they would split equally with each other, but Alex thinks Mike and Marco probably took $400,000 to half a million each. Mike wouldn't acknowledge walking away with any more than $300,000 but admits that Alex probably got less than he did.

They had had a run of about three years. Despite the money, Alex was glad it was over: "In a sense, I was relieved. The fun had worn off. It had become sort of a job. A risky job." Mike, too, wasn't sorry to see it end, lightly complaining that "it got kind of grueling."

Both of them had been reluctant at first about telling their story but then took to the task with relish. And why not -- in the 10 or so years since it happened, none of the four has ever before shared even a whisper of the events with anyone except the wives and the girlfriend who were part of it. Telling it for the first time, protected by the agreement of absolute anonymity, seemed to come as a relief. They obviously enjoyed reliving the details, with Mike admitting that it had been "one of the most exciting things I've ever done."

Alex probably speaks for them all when he expresses his attitude toward their escapade:

I don't feel that bad about the money we won. It's a drop in the bucket for that industry. I have to be honest: we never felt morally compromised, because these are the casinos.

It was easy to rationalize. We were stealing from the casinos that steal from old ladies by offering games they can't win. Vegas felt like people plugged into money-sucking machines, dripping their life away quarter by quarter. So we felt like we were getting back at Big Brother, not ripping off some poor old lady's jackpot.

They put a game out there that says, "If you pick the right cards, you win." We picked the right cards. They just didn't expect anybody to be able to do it.

He wouldn't try something like this again today, Alex says. But his reason may not be what you expect: "I have other ways of making money. If I were financially in the same position I was in then, I probably would try it again." He sees what they did as quite justified.

In this cat-and-mouse game, the cat continually learns the mouse's new tricks and takes appropriate measures. The slot machines these days use software of much better design; the guys aren't sure they would be successful if they did try to take another crack at it.

Still, there will never be a perfect solution to any techno-security issue. Alex puts the issue very well: "Every time some [developer] says, 'Nobody will go to the trouble of doing that,' there's some kid in Finland who will go to the trouble."

And not just in Finland but in America, as well.

INSIGHT

In the 1990s, the casinos and the designers of gambling machines hadn't yet figured out some things that later became obvious. A pseudo random number generator doesn't actually generate random numbers. Instead, it in effect warehouses a list of numbers in a random order. In this case, a very long list: 2 to the 32nd power, or over four billion numbers. At the start of a cycle, the software randomly selects a place in the list. But after that, until it starts a new cycle of play, it uses the ensuing numbers from the list one after the other.

By reverse-engineering the software, the guys had obtained the list. From any known point in the "random" list, they could determine every subsequent number in the list, and with the additional knowledge about the iteration rate of a particular machine, they could determine how long in minutes and seconds before the machine would display a royal flush.
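The warehouse-of-numbers model above, as an added example that is not from the book or from any machine manufacturer: a 32-bit linear congruential generator (the classic Numerical Recipes constants, a stand-in since the page gives no constants) plays the fixed list, a short audit flags a generator that behaves this way, and a per-draw CSPRNG shows the design that leaves nothing to forecast. The tick rate and sample values are constructed.

```python
import secrets
from typing import List, Optional

MODULUS = 2 ** 32        # the "list" has 2^32 entries, as in the chapter
A = 1664525              # multiplier (Numerical Recipes LCG, a stand-in)
C = 1013904223           # increment  (Numerical Recipes LCG, a stand-in)


def lcg_next(state: int) -> int:
    """One step along the fixed list: the next entry depends only on the
    current one, so no randomness is left once a single entry is known."""
    return (A * state + C) % MODULUS


def predict_tail(observed: int, count: int) -> List[int]:
    """From one observed entry, reproduce the next `count` entries. This is
    the capability the chapter describes; a reviewer who can do this against
    a deployed generator has found the design flaw."""
    out, s = [], observed
    for _ in range(count):
        s = lcg_next(s)
        out.append(s)
    return out


def forecast_distance(observed: int, target: int,
                      limit: int = 1_000_000) -> Optional[int]:
    """How many ticks after `observed` the entry `target` appears, or None
    if not within `limit` ticks. Ticks times the machine's iteration rate
    gives the minutes-and-seconds figure the chapter mentions."""
    s = observed
    for i in range(1, limit + 1):
        s = lcg_next(s)
        if s == target:
            return i
    return None


def consistent_with_lcg(samples: List[int]) -> bool:
    """Audit check: do consecutive outputs satisfy the LCG recurrence?
    True flags a bare deterministic walk, i.e. the design to replace."""
    return all(lcg_next(p) == q for p, q in zip(samples, samples[1:]))


def draw_unpredictable(count: int) -> List[int]:
    """Defender's contrast: each value comes from the OS CSPRNG with no
    state carried between draws, so one value says nothing about the next."""
    return [secrets.randbelow(MODULUS) for _ in range(count)]


if __name__ == "__main__":
    tail = predict_tail(0, 5)                     # constructed observed value 0
    print("tail predicted from one observed entry:", tail)
    print("audit of that tail (LCG walk?):", consistent_with_lcg(tail))
    print("audit of CSPRNG draws (LCG walk?):",
          consistent_with_lcg(draw_unpredictable(5)))
```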

COUNTERMEASURES

Manufacturers of every product that uses ROM chips and software should anticipate security problems. And for every company that uses software and computer-based products -- which these days means pretty nearly every company down to one-person shops -- it's dangerous to assume that the people who build your systems have thought about all the vulnerabilities. The programmers of the software in the Japanese slot machine had made a mistake in not thinking far enough ahead about what kinds of attacks might be made. They hadn't taken any security measures to protect people from getting at the firmware. They should have foreseen somebody gaining access to a machine, removing the ROM chip, reading the firmware, and recovering the program instructions that tell the machine how to work. Even if they considered that possibility, they probably assumed that knowing precisely how the machine worked wouldn't be enough, figuring that the computational complexity of cracking the random number generator would defeat any attempt -- which may well be true today but was not at the time.

So your company markets hardware products that contain computer chips; what should you be doing to provide adequate protection against the competitor who wants a look at your software, the foreign company that wants to do a cheap knockoff, or the hacker who wants to cheat you?

The first step: Make it difficult to gain access to the firmware. Several approaches are available, including:

Purchase chips of a type designed to be secure against attack. Several companies market chips specifically designed for situations where the possibility of attack is high.

Use chip on-board packaging -- a design in which the chip is embedded into the circuit board and cannot be removed as a separate element.

Seal the chip to the board with epoxy, so that if an attempt is made to remove it, the chip will break. An improvement on this technique calls for putting aluminum powder in the epoxy; if an attacker attempts to remove the chip by heating the epoxy, the aluminum destroys the chip.

Use a ball grid array (BGA) design. In this arrangement, the connectors do not come out from the sides of the chip but instead are beneath the chip, making it difficult if not impossible to capture signal flow from the chip while it is in place on the board.

Another available countermeasure calls for scratching any identifying information off the chip, so an attacker will be deprived of information about the manufacturer and type of chip.

A fairly common practice, one used by the machine manufacturers in this story, calls for the use of checksumming (hashing) -- including a checksum routine in the software. If the program has been altered, the checksum will not be correct and the software will not operate the device. However, knowledgeable hackers familiar with this approach simply check the software to see whether a checksum routine has been included, and if they find one, disable it. So one or more of the methods that protect the chip physically is a much better plan.

THE BOTTOM LINE

If your firmware is proprietary and valuable, consult the best security sources to find out what techniques hackers are currently using. Keep your designers and programmers up-to-date with the latest information. And be sure they are taking all appropriate steps to achieve the highest level of security commensurate with cost.

Chapter 2

When Terrorists Come Calling

I don't know why I kept doing it. Compulsive nature? Money hungry? Thirst for power? I can name a number of possibilities.

-- ne0h

The 20-year-old hacker who signs as Comrade is just hanging around these days in a house that he owns jointly with his brother in a nice part of Miami. Their father lives with them, but that's only because the kid brother is still a juvenile and Child Services insists there be an adult living in the home until the boy turns 18. The brothers don't mind, and Dad has his own apartment elsewhere, which he'll move back to when the time comes.

Comrade's mom died two years ago, leaving the house to her sons because she and the boys' father were divorced. She left some cash as well. His brother goes to high school, but Comrade is "just hanging out." Most of his family disapproves, he says, "but I don't really care." When you've been to prison at a young age -- in fact, the youngest person ever convicted on federal charges as a hacker -- the experience tends to change your values.

Hacking knows no international borders, of course, so it makes no difference to either of them that Comrade's hacker friend ne0h is some 3,000 miles away. Hacking was what brought them together, and hacking was what took them along a slippery course that would eventually lead to what they would later conjecture was serving the cause of international terrorism by conducting break-ins to highly sensitive computer systems. These days, that's a heavy burden to bear.


A year older than Comrade, ne0h has been "using computers since I could reach the keyboard." His father ran a computer hardware store and would take the youngster along on customer appointments; the boy would sit on his father's lap through the sales session. By age 11, he was writing dBase code for his father's business.

Somewhere along the line, ne0h came upon a copy of the book Takedown (Hyperion Press, 1996) -- which is a highly inaccurate account of my own hacking exploits, my three years on the run, and the FBI's search for me. ne0h was captivated by the book:

You inspired me. You're my f___ing mentor. I read every possible thing about what you did. I wanted to be a celebrity just like you.

It was the motivation that got him into hacking. He decorated his room with computers and networking hubs and a 6-foot-long pirate flag, and set out to walk in my footsteps.

ne0h began to accumulate solid hacker knowledge and capabilities. Skills came first; discretion would come later. Using the hackers' term for a youngster who's still a beginner, he explained, "In my script kiddie days, I defaced Web sites and put up my real email address."

He hung around Internet Relay Chat (IRC) sites -- text-based Internet chat rooms where people with a common interest can meet online and exchange information in real time with others who share the interest -- in fly fishing, antique airplanes, home brewing, or any of thousands of other topics, including hacking. When you type in a message on an IRC site, everybody online at that time sees what you've written and can respond. Though many people who use IRC regularly don't seem to be aware of it, the communications can be easily logged. I think the logs must by now contain nearly as many words as all the books in the Library of Congress -- and text typed in haste with little thought of posterity can be retrieved even years later.

Comrade was spending time on some of the same IRC sites, and he struck up a long-distance friendship with ne0h. Hackers frequently form alliances for exchanging information and carrying out group attacks. ne0h, Comrade, and another kid decided to create their own group, which they dubbed the "Keebler Elves." A few additional hackers were allowed into the group's conversations, but the three original members kept the others in the dark about their black-hat attacks. "We were breaking into government sites for fun," Comrade said. He estimates they broke into "a couple of hundred" supposedly secure government sites.

A number of IRC channels are watering holes where hackers of different stripes gather. One in particular, a network called Efnet, is a site Comrade describes as "not exactly the computer underground -- it's a pretty big group of servers." But within Efnet were some less well-known channels, places you didn't find your way to on your own but had to be told about by some other black hat whose trust you had gained. Those channels, Comrade says, were "pretty underground."

Khalid the Terrorist Dangles Some Bait

Around 1998 on these "pretty underground" channels, Comrade began encountering chat about a guy who had been "hanging around" using the handle RahulB. (Later he would also use Rama3456.) "It was sort of known that he wanted hackers to break into government and military computers -- .gov and .mil sites," Comrade said. "Rumor had it that he worked for Bin Laden. This was before 9/11, so Bin Laden wasn't a name you heard on the news every day."

Eventually Comrade crossed paths with the mystery man, who he would come to know as Khalid Ibrahim. "I talked to him a few times [on IRC] and I talked to him on the phone once." The man had a foreign accent and "it definitely sounded like an overseas connection."

ne0h, too, was targeted; with him Khalid was more direct and more blatant. ne0h recalls:

Around 1999, I was contacted by email by a man who called himself a militant and said he was in Pakistan. He gave the name Khalid Ibrahim. He told me he worked for Pakistani militants.

Would someone looking for naive kid hackers really wrap himself in a terrorist flag -- even in the days before 9/11? At first glance the notion seems absurd. This man would later claim he had gone to school in the United States, done a little hacking himself, and associated with hackers while he was here. So he may have known, or thought he knew, something of the hacker's mindset. Every hacker is to some extent a rebel who lives by different standards and enjoys beating the system. If you want to set out a honeypot for hackers, maybe announcing that you too are a rule-breaker and an outsider wouldn't be so stupid after all. Maybe it would make your story all the more believable, and your intended confederates that much less wary and suspicious.

And then there was the money. Khalid offered ne0h $1,000 for hacking into the computer networks of a Chinese university -- a place that ne0h refers to as the MIT of China -- and providing him the student database files. Presumably this was a test, both of ne0h's hacking ability and of his ingenuity: How do you hack into a computer system when you don't read the language? Even harder: How do you social engineer your way in when you don't speak the language?

For ne0h, the language issue turned out to be no barrier at all. He began hanging around the IRC sites used by a hacker group called gLobaLheLL and through that group had made contact with a computer student at the university. He got in touch and asked the student for a couple of usernames and passwords. The sign-on information came back in short order -- one hacker to another, no questions asked. ne0h found that computer security at the university ranked somewhere between dreadful and lousy, especially surprising for a technology/engineering university where they should have known better. Most of the students had chosen passwords identical to their usernames -- the same word or phrase for both uses.

The short list that the student had provided was enough to give ne0h access, allowing him to start snooping around electronically -- sniffing, in hackerspeak. This turned up a student -- we'll call him Chang -- who was accessing FTPs (download sites) in the United States. Among these FTPs was a "warez" site -- a place for retrieving software. Using a standard social engineering trick, ne0h drifted around the college network picking up some of the campus lingo. This was easier than it at first sounds, since "most of them speak English," ne0h says. Then he got in touch with Chang, using an account that made it seem as if ne0h was contacting him from the campus computer science lab.

"I'm from Block 213," he told Chang electronically, and he made a straightforward request for student names and e-mail addresses, like any student interested in getting in touch with classmates. Because most of the passwords were so easy, getting into the student's files was a no-brainer.

Very soon he was able to deliver to Khalid database information on about a hundred students. "I gave him those and he said, 'I've got all I need.'" Khalid was satisfied; clearly he hadn't wanted the names at all; he had just wanted to see if ne0h could actually come up with the information from such a remote source. "That's pretty much where our relationship started," ne0h sums up. "I could do the job, he knew I could do the job, so he started giving me other things to do."

Telling ne0h to watch his mailbox for his thousand dollars, Khalid started calling by cell phone about once a week, "usually while he was driving." The next assignment was to hack into the computer systems of India's Bhabha Atomic Research Center. The outfit was running a Sun workstation, which is familiar ground for every hacker. ne0h got into it easily enough but found the machine didn't have any information of interest on it and appeared to be a standalone, not connected to any network. Khalid seemed unfazed by the failure.

Meanwhile, the money for the Chinese university hack still hadn't shown up. When ne0h asked, Khalid got upset. "You never got it?! I sent it to you in cash in a birthday card!" he insisted. Obviously this was the timeworn "Your check is in the mail" ploy, yet ne0h was willing to keep on accepting assignments. Why? Today he leans toward introspection:

I kept on because I'm stubborn. It was actually a thrill to think I was going to be paid for it. And I was thinking, "Maybe it really was lost in the mail, maybe he will pay me this time."

I don't know why I kept doing it. Compulsive nature? Money hungry? Thirst for power? I can name a number of possibilities.

At the same time that Khalid was feeding assignments to ne0h, he was also trolling the IRC sites for other willing players. Comrade was willing, though wary of accepting payment:

I had understood that he was paying people but I never wanted to give out my information in order to receive money. I figured that what I was doing was just looking around, but if I started receiving money, it would make me a real criminal. At most I would talk to him on IRC and throw him a few hosts now and then.

Reporter Niall McKay talked to another fish that Khalid caught in his net, a California teen whose handle was Chameleon (and who is now cofounder of a successful security software company). The McKay story on Wired.com[1] dovetailed with the details provided by ne0h and Comrade. "I was on IRC one night when this guy said he wanted the DEM software. I didn't have it and I was just messing about with the guy," the hacker claimed. By this time Khalid was growing serious: "DEM" is the nickname for the Defense Information Systems Network Equipment Manager, networking software used by the military. The program was captured by the hacker group Masters of Downloading, and word was getting around that the program was available if you asked the right person. No one seems to know whether Khalid ever got his hands on it -- or at least, no one is saying. In fact, it's not even certain the software would have been of any value to him -- but he obviously thought it would. Khalid was through playing games about Chinese universities and the like.

"He tried to integrate himself into what the guys in the group were doing," ne0h told us. Before it was over, Khalid would shadow the hackers for a year and a half, "not like some random person popping in and out but on a regular basis. He was just there, and it was understood that this was his thing." By "his thing," ne0h meant breaking into military sites or the computer systems of commercial companies working on military projects.

Khalid asked ne0h to get into Lockheed Martin and obtain the schematics of certain aircraft systems they were manufacturing for Boeing. ne0h did succeed in getting some limited penetration into Lockheed, "about three steps into the internal network," but couldn't get any deeper than two servers (to a level that security people call the "DMZ" -- in effect, a no-man's-land). This was not far enough to penetrate past the firewalls that protect the most sensitive corporate information, and he couldn't locate the information he had been told to look for. According to ne0h:

[Khalid] got irritated. What he said was basically, "You're not working for me any more. You can't do anything." But then he accused me of withholding. He said I was just keeping the information for myself.

Then he said, "Forget Lockheed Martin. Get directly into Boeing."

ne0h found that Boeing "wasn't that secure, if you wanted it bad enough." He got in, he says, by exploiting a known vulnerability of a Boeing system exposed to the Internet. Then, installing a "sniffer," he was able to eavesdrop on all the packets of data going to and from a computer -- a kind of computer wiretap. From this he was able to capture passwords and unencrypted email. Information he gleaned from the emails revealed enough intelligence to get into its internal network.

I found six or seven schematics to doors and the nose of Boeing 747s -- just getting passed through clear-text email. Unencrypted attachments. Isn't that great?! (And he laughs.)

Khalid was ecstatic. He said he was going to give me $4,000. It never showed up -- surprise, surprise.

In fact, $4,000 would have been a gross overpayment for the information. According to former Boeing security executive Don Boelling, this hack could well have been carried out against Boeing as described. But it would have been a waste of time: Once an aircraft model goes into service, all customer airlines are given complete sets of schematics. At that point the information is no longer considered company-sensitive; anybody who wants it can have it. "I even saw a CD of the 747 schematics being offered on eBay recently," Don said. Of course, Khalid would not likely have known this. And it wouldn't be until two years later that the nation would find out some terrorists had strong reasons for wanting the schematics of major transport planes used by U.S. airlines.
