Read The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders and Deceivers Online

Authors: Kevin D. Mitnick,William L. Simon

Tags: #Computer Hackers, #Computer Security, #Computers, #General, #Security


Target for Tonight: SIPRNET

With Comrade, Khalid didn't bother setting up test exercises. From the first, the hacker says, Khalid "was only interested in military and SIPRNET."

Most things he wasn't very specific about what he wanted -- just access to government and military sites. Except for SIPRNET. He really wanted information from SIPRNET.

No wonder Khalid was eager; this had probably been his target all along. SIPRNET is the portion of DISN, the Defense Information System Network, which carries classified messages. More than that, SIPRNET (it's an acronym for the Secret Internet Protocol Router Network) is now the core of the command and control capability for the U.S. military.

ne0h had already refused an offer from Khalid for SIPRNET access:

He offered $2,000. I turned him down. If I got into SIPRNET, I'd have the Feds knocking at my door. $2,000 wasn't worth a bullet in the head.

By the time Khalid spoke to Comrade about the assignment, the price had gone up. "He said he would pay I think it was ten thousand dollars for access," Comrade remembers, sounding a good deal less skittish than ne0h about taking on the project, though he insists convincingly that it was the challenge, not the money, that tempted him.

I actually came pretty close to SIPRNET. I got into this one computer system at the Defense Information Security Agency, DISA. That computer was just slick. It had I think four processors, like, 2,000 users had access to it, the Unix host file had, like, 5,000 different hosts, and half of them were using privileged accounts; you had to be on that computer to access it -- you couldn't access it from the outside.

However he figured it out, Comrade's hunch that he had stumbled into something important was on target. The core missions of DISA include joint command and control, and combat support computing -- a clear overlap with the functions of SIPRNET. But his efforts were cut short.

Pretty sweet to have all that access, but I never had enough time to play around with it to get anywhere. I got busted, like, three or four days later.

A Time for Worrying

On Christmas Day 1999, ne0h and Comrade received a jolt. Indian Airlines flight IC-814, en route from Katmandu to New Delhi with 178 passengers and 11 crew, was hijacked in flight. According to news reports, the hijackers were Pakistani terrorists associated with the Taliban. Terrorists like Khalid?

Under orders of the hijackers, the Airbus A300 proceeded on a zigzag journey to the Middle East and back, landing briefly in India, Pakistan, and the United Arab Emirates, where the body of a slain passenger was removed, a young man on the way home with his new wife from their honeymoon. He had been stabbed to death for the minor offense of refusing to put on a blindfold.

The plane eventually landed in Kandahar, Afghanistan -- increasing the likelihood of a Taliban connection. The remaining passengers and crew were held on board for eight terror-filled days, and were ultimately released in exchange for the release of three jailed militants. One of those released, Sheikh Umer, would later play a role in aiding the financing of Mohammed Atta, a leader of the 9/11 World Trade Center attacks.

After the hijacking, Khalid told ne0h that his group was responsible and he himself had been involved.

That scared me to death. He was a bad guy. I felt I had to cover my ass.

But ne0h's distress was tempered by boyish greed. "I still hoped he would pay me my money," he added.

The hijacking connection added fuel to a fire that Khalid had set ablaze earlier. At one point, apparently annoyed by the teenagers' lack of success in providing the information he was asking for, Khalid had tried a high-pressure tactic. Reporter Niall McKay, in the same story for Wired.com, wrote of seeing an old IRC message from Khalid to the youngsters in which he threatened to have them killed if they reported him to the FBI. McKay wrote that he also saw a message from the Pakistani to the kids: "I want to know: Did [anybody] tell the Feds about me?" And in another place, "Tell them [if they did that], they are dead meat. I will have snipers set on them."2

Comrade Gets Busted

The situation was getting sticky, but it was about to get worse. A few days after Comrade's success in penetrating a system associated with SIPRNET, his father was pulled over on his way to work. The cops told him, "We want to talk to your son," and showed him a search warrant. Comrade remembers:

There were some people from NASA, the DoD, the FBI. In all there were like ten or twelve agents, and some cops, too. I had been messing around in some NASA boxes, I put a sniffer up on ns3.gtra.mil, just to pick up passwords. But as a side effect, it picked up emails as well. They told me I was being charged with illegal wiretaps for that. And then for the NASA computers I got copyright violations or infringement. And other things.

Just the day before, a friend said, "Dude, we're going to get busted soon." He was flipping out. I figured, "Yeah, he's got a point." So I wiped my hard drive.

But Comrade wasn't thorough about the cleanup job. "I had forgotten the old drives hanging around my desk."

They questioned me. I admitted it, I said, "I'm sorry, here's what I did, here's how to fix it, I won't do it again." They were like, "All right, we don't consider you a criminal, don't do it again. If you do it again, you'll leave in handcuffs." They packed up my computers, peripherals, and spare hard drives, and they left.

Later on they tried to get Comrade to tell them the password to his encrypted hard drives. When he wouldn't tell, they said they knew how to crack the passwords. Comrade knew better: He had used PGP (Pretty Good Privacy) encryption and his password was "about a hundred characters long." Yet he insists it's not hard to remember -- it's three of his favorite quotes strung together.

Comrade didn't hear anything more from them for about six months. Then one day he got word that the government was going to press charges. By the time he got to court, he was being nailed for what the prosecutor claimed was a three-week shutdown of NASA computers and intercepting thousands of email messages within the Department of Defense.

(As I know all too well, the "damage" claimed by prosecutors and the real-life damage are sometimes quite different. Comrade downloaded software from NASA's Marshall Space Flight Center in Alabama, used in controlling the temperature and humidity of the International Space Station; the government claimed that this had forced a three-week shutdown of certain computer systems. The Department of Defense attack offered more realistic cause for concern: Comrade had broken into the computer system of the Defense Threat Reduction Agency and installed a "back door" allowing him access at any time.)

The government obviously considered the case important as a warning to other teenage hackers, and made much of his conviction in the press, proclaiming him the youngest person ever convicted of hacking as a federal crime. Attorney General Janet Reno even issued a statement that said in part, "This case, which marks the first time a juvenile hacker will serve time in a detention facility, shows that we take computer intrusion seriously and are working with our law enforcement partners to aggressively fight this problem."

The judge sentenced Comrade to six months in jail followed by six months probation, to start after the end of the school semester. Comrade's mother was still alive at the time; she hired a new lawyer, got a lot of letters written, presented the judge what Comrade calls "a whole new case," and, incredibly, managed to get the sentence reduced to house arrest followed by four years of probation.

Sometimes in life we don't make the best of opportunities. "I did the house arrest and was going through probation. Various things happened, I started partying too much, so they sent me to rehab." Back from rehab, Comrade got a job with an Internet company and started his own Internet outfit. But he and his probation officer weren't seeing eye to eye and Comrade was sent to prison after all. He was just 16 years old, incarcerated for acts he committed at age 15.

There aren't all that many juveniles in the federal system; the place he was sent turned out to be a "camp" (apparently an appropriate word) in Alabama that housed only 10 prisoners and that Comrade describes as looking "more like a school -- locked doors and razor wire fences but otherwise not much like a jail." He didn't even have to go to class because he had already finished high school.

Back in Miami and again on probation, Comrade was given a list of hackers he would not be allowed to talk to. "The list was like this guy, this guy, and ne0h." Just "ne0h" -- the federal government knew him only by his handle. "They had no idea who he was. If I had access to two hundred things, he had access to a thousand things," Comrade says. "ne0h was pretty slick." As far as either of them knows, law enforcement still hasn't managed to pin a name on him or pinpoint his location.

Investigating Khalid

Was Khalid the militant he claimed to be, or just some faker pulling the chains of the teenagers? Or maybe an FBI operation to probe how far the young hackers were willing to go? At one time or another, each of the hackers who had dealings with Khalid was suspicious that he wasn't really a militant; the idea of providing information to a foreign agent seems to have bothered them a good deal less than the idea the guy might be duping them. Comrade said that he "wondered for the longest time what [Khalid] was. I didn't know if he was a Fed or if he was for real. Talking to ne0h and talking to him, I decided he was pretty legit. But I never took money from him -- that was a barrier I didn't want to cross." (Earlier in the conversation, when he had first mentioned the offer of $10,000 from Khalid, he had sounded impressed by the sum. Would he really have declined the money if his efforts had been successful and Khalid had actually paid up? Perhaps even Comrade himself doesn't really know the answer to that one.)

ne0h says that Khalid "sounded absolutely professional" but admits to having had doubts along the way about whether he was really a militant. "The whole time I was talking to him, I thought he was full of shit. But after researching with friends who he's contacted and given other information to, we actually think he really was who he said he was."

Another hacker, Savec0re, encountered someone on IRC who said that he had an uncle in the FBI who could arrange immunity for an entire hacker group called Milw0rm. "I thought that this would send a message to the FBI that we weren't hostile," Savec0re told journalist McKay in an email interview. "So I gave him my phone number. The next day I got a call from the so-called FBI agent, but he had an amazingly strong Pakistani accent."

"He said his name was Michael Gordon and that he was with the FBI in Washington, DC," Savec0re told the journalist. "I realized then that it had been Ibrahim all along." While some people were wondering if the supposed terrorist might be an FBI sting, Savec0re was reaching the opposite conclusion: that the guy claiming to be an FBI agent was really the same terrorist, trying to see if the boys were willing to blow the whistle on him.

The notion that this might have been an FBI operation doesn't seem to stand up. If the federal government wanted to find out what these kids were capable of and willing to do, money would have been flowing. When the FBI thinks a situation is serious enough to run a sting, they put money behind the effort. Promising $1,000 to ne0h and then not paying it wouldn't make any sense.

Apparently only one hacker actually saw any money from Khalid: Chameleon. "I went to my post-office box one morning, and there was a check for a thousand dollars with a number to call in Boston," Chameleon was quoted as saying in another Wired News story (November 4, 1998). Khalid understood he had maps of government computer networks; the check was payment for the maps. Chameleon cashed the check. Two weeks later he was raided by the FBI and interrogated about the payment, raising the interesting question of how the government knew about the thousand dollars. This was before 9/11, when the FBI was focused on domestic crime and paying scant attention to the terrorist threat. Chameleon admitted taking the money but insisted to the Wired News journalist that he had not provided any government network maps.

Though he had confessed to accepting money from a foreign terrorist, which could have brought a charge of espionage and the possibility of a very long sentence, no charges were ever filed -- deepening the mystery. Perhaps the government just wanted word to spread in the hacker community that doing business with foreign agents could be risky. Perhaps the check wasn't from Khalid after all, but from the FBI.

Few people know Chameleon's true identity, and he very much wants to keep it that way. We wanted to get his version of the story. He refused to talk about the matter (merely giving himself an out by mentioning he thought Khalid was a Fed just posing as a terrorist). If I were in his position, I probably wouldn't want to be interviewed on the subject either.

The Harkat ul-Mujahideen

While searching the Internet Relay Chat logs, reporter McKay found that Khalid had at one point described himself to the young hackers as a member of Harkat-ul-Ansar.3 According to the South Asia Intelligence Review, "the Harkat-ul-Ansar was termed a terrorist organization by the US due to its association with the exiled Saudi terrorist Osama bin Laden in 1997. To avoid the repercussions of the US ban, the group was recast as the Harkat ul-Mujahideen in 1998."4

The U.S. Department of State has repeatedly warned about this group. One item from State reads, "Pakistani officials said that a U.S. air raid on October 23 [2001] had killed 22 Pakistani guerrillas who were fighting alongside the Taliban near Kabul. The dead were members of the Harkat ul-Mujaheddin ... [which] had been placed on the State Department's official list of terrorist organizations in 1995."5
