Read The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders and Deceivers Online

Authors: Kevin D. Mitnick,William L. Simon

Tags: #Computer Hackers, #Computer Security, #Computers, #General, #Security


In fact, the Harkat is today one of the 36 groups designated by State as foreign terrorist organizations. Our government, in other words, considers them among the baddest actors on the face of the globe.

The young hackers, of course, didn't know this. To them, it was all a game.

As for Khalid: a major general of the Indian armed forces, giving an address on the topic of information security in April 2002, confirmed him as a terrorist, telling his audience about hacker links with "Khalid Ibrahim of Pakistani-based Harkat-ul-Ansar."6 The general seemed troubled, however, that Khalid himself was based not in Pakistan but in the general's own country, at Delhi, India.

In the Aftermath of 9/11

Some hackers manipulate and deceive. They fool computer systems into thinking they have authorization that they have in fact stolen; they practice social engineering to manipulate people in order to achieve their goals. All of this means that when you talk to a hacker, you listen carefully to see if what he's telling you, and the way he's saying it, suggest that he can be believed. Sometimes you're just not certain.

My coauthor and I weren't certain about what ne0h told us of his reaction to 9/11. We believe it just enough to share it:

Do you know how much I cried that day? I felt for sure my life was over.

This was accompanied by a curious nervous laugh -- signifying what? We couldn't tell.

To think that maybe I had something to do with it. If I had gone into Lockheed Martin or Boeing and got more information, they could have used that. It was a bad time for me and for America. I cried because I never thought to report him. I didn't use my best judgment. That's the reason he hired me to do all these things ... If I had even a pinkie-finger of a hand into the Trade Center ... [The thought] was absolutely devastating. Actually I lost three friends in the World Trade Center; I never felt so bad.

Many hackers are in their teens or even younger. Is that too young to recognize the potential danger of responding to requests from someone who could pose a threat to our country? Personally, I'd like to think 9/11 has made American hackers -- even very young ones -- suspicious, unlikely to be suckered by a terrorist. I just hope I'm right.

The White House Break-in

The history of computer security in one way parallels the ancient history of cryptography. For centuries, code makers have devised ciphers that they labeled "unbreakable." Even today, in an age of computers that can readily encrypt a message using a one-time pad, or a key containing hundreds of characters, most codes are still breakable. (America's code-making and code-breaking organization, the National Security Agency, boasts a number of the world's largest, fastest, most powerful computers.)

Computer security is like a constant cat-and-mouse game, with security experts on one side and intruders on the other. The Windows operating system contains lines of code numbering in the tens of millions. It's a no-brainer that any software of massive size will inevitably contain vulnerabilities that dedicated hackers will eventually discover.

Meanwhile, company workers, bureaucrats, sometimes even security professionals will install a new computer or application and overlook the step of changing the default password, or constructing one that's reasonably secure -- leaving the device in a vulnerable state. If you read the news of hacker attacks and break-ins, you already know that military and government sites, and even the White House Web site, have already been compromised. In some cases repeatedly.

Getting onto a site and defacing a Web page is one thing -- most of the time it's essentially trivial, if annoying. Still, many people rely on a single password for every use; if breaking into a Web site leads to capturing passwords, the attackers might be in position to gain access to other systems on the network and do a great deal more damage. ne0h says that in 1999 he and two other members of the hacker group gLobaLheLL did just that, on one of the most sensitive spots in the United States: the White House.

I believe that the White House was doing a reinstall of their operating system. They had everything defaulted. And for that period of ten, fifteen minutes, Zyklon and MostFearD managed to get in, get the shadowed password file, crack it, enter, and change the Web site. I was right there while they were doing it.

It was basically being at the right place at the right time. It was just by chance, just a fluke that they happened to be on line just when the site was being worked on.

We had discussed it in the gLobaLheLL chat room. I was woken up by a phone call around 3 A.M. saying they were doing it. I said, "Bullshit. Prove it." I jumped on my computer. Sure enough, they did it.

MostFearD and Zyklon did most of it. They gave me the shadow file to crack as fast as I could. I got one [password] -- a simple dictionary word. That was about it.

ne0h provided a portion of what he says is the password file that the others obtained and passed to him, listing what appears to be a few of the authorized users on the White House staff 7:

root:x:0:1:Super-User:/:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:
adm:x:4:4:Admin:/var/adm:
uucp:x:5:5:uucp Admin:/usr/lib/uucp:
nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico
listen:x:37:4:Network Admin:/usr/net/nls:
nobody:x:60001:60001:Nobody:/:
noaccess:x:60002:60002:No Access User:/:
nobody4:x:65534:65534:SunOS 4.x Nobody:/:
bing:x:1001:10:Bing Feraren:/usr/users/bing:/bin/sh
orion:x:1002:10:Christopher Adams:/usr/users/orion:/usr/ace/sdshell
webadm:x:1130:101:Web Administrator:/usr/users/webadm:/bin/sh
cadams:x:1003:10:Christopher Adams:/usr/users/cadams:/usr/ace/sdshell
bartho_m:x:1004:101:Mark Bartholomew:/usr/users/bartho_m:/usr/ace/sdshell
monty:x:1139:101:Monty Haymes:/usr/users/monty:/bin/sh
debra:x:1148:101:Debra Reid:/usr/users/debra:/bin/sh
connie:x:1149:101:Connie Colabatistto:/usr/users/connie:/bin/sh
bill:x:1005:101:William Hadley:/usr/users/bill:/bin/sh

This is in the form of a Unix or Linux password file, the kind used when the encrypted passwords are stored in a separate, protected file (the "x" in the second field marks where the password hash would otherwise appear). Each line describes one account on the system. The entry "sdshell" on some lines suggests that these users, for additional security, were carrying a small electronic device called an RSA SecurID, which displays a six-digit number that changes every 60 seconds. To sign on, these users must enter the six-digit number displayed at that moment on their SecurID device along with a PIN (which may be assigned in some companies or self-chosen in others).

The White House Web site was defaced at the same time as the break-in, to show they had been there, according to ne0h, who provided a link to the defacement (see Figure 2-1).8 Besides bearing a symbol for the gLobaLheLL hacker group, the message also includes a logo for the Hong Kong Danger Duo. That was, ne0h says, a phony name made up to add an element of deception.
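What a defender actually learns from a leaked file like the one above is worth making concrete. The script below is an added example, not code from the book or from anyone involved in the story: it parses the seven colon-separated fields of each entry and reports the conditions that matter once such a file is in an intruder's hands: which account is the superuser, whether every hash really was moved to the shadow file, which logins sit behind the SecurID shell the text describes, which human accounts still rely on a single reusable password, which system accounts have an empty shell field (classic Unix treats that as /bin/sh, so they depend on being locked in the shadow file), and where one person holds several accounts. The sample input is the page's own listing, rejoined one entry per line; the UID range used to tell human accounts from system accounts is an assumption, as is reading every /usr/ace/sdshell account as token-protected.

```python
"""Audit a shadowed passwd listing of the kind reproduced above.

Added example (not from the book). Parses passwd(4)-style lines
name:passwd:uid:gid:gecos:home:shell and reports hygiene findings.
"""
from collections import defaultdict
from dataclasses import dataclass

# Sample input: the entries printed on the page, one per line.
# "x" in the second field means the hash lives in the shadow file.
PASSWD_LISTING = """\
root:x:0:1:Super-User:/:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:
adm:x:4:4:Admin:/var/adm:
uucp:x:5:5:uucp Admin:/usr/lib/uucp:
nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico
listen:x:37:4:Network Admin:/usr/net/nls:
nobody:x:60001:60001:Nobody:/:
noaccess:x:60002:60002:No Access User:/:
nobody4:x:65534:65534:SunOS 4.x Nobody:/:
bing:x:1001:10:Bing Feraren:/usr/users/bing:/bin/sh
orion:x:1002:10:Christopher Adams:/usr/users/orion:/usr/ace/sdshell
webadm:x:1130:101:Web Administrator:/usr/users/webadm:/bin/sh
cadams:x:1003:10:Christopher Adams:/usr/users/cadams:/usr/ace/sdshell
bartho_m:x:1004:101:Mark Bartholomew:/usr/users/bartho_m:/usr/ace/sdshell
monty:x:1139:101:Monty Haymes:/usr/users/monty:/bin/sh
debra:x:1148:101:Debra Reid:/usr/users/debra:/bin/sh
connie:x:1149:101:Connie Colabatistto:/usr/users/connie:/bin/sh
bill:x:1005:101:William Hadley:/usr/users/bill:/bin/sh
"""

TOKEN_SHELL = "/usr/ace/sdshell"  # SecurID login shell, per the text's reading
# Assumption: human accounts occupy this UID range; the 60000+ "nobody"
# style accounts and the low-numbered system accounts fall outside it.
HUMAN_UIDS = range(1000, 60000)


@dataclass
class PasswdEntry:
    name: str
    passwd: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd(text):
    """Parse passwd lines; malformed lines are reported, never guessed at."""
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            errors.append(f"line {lineno}: expected 7 fields, got {len(fields)}")
            continue
        name, pw, uid, gid, gecos, home, shell = fields
        try:
            entries.append(PasswdEntry(name, pw, int(uid), int(gid), gecos, home, shell))
        except ValueError:
            errors.append(f"line {lineno}: non-numeric uid/gid")
    return entries, errors


def audit(entries):
    """Return the findings a reviewer of a leaked passwd file would want."""
    findings = {
        "superuser": [e.name for e in entries if e.uid == 0],
        # Anything but "x" here is a hash (or an empty password) exposed in
        # the world-readable file itself.
        "unshadowed": [e.name for e in entries if e.passwd != "x"],
        # Logins where the static password alone does not get you in.
        "token_protected": [e.name for e in entries if e.shell == TOKEN_SHELL],
        # Human logins that still rest on one reusable password.
        "password_only": [e.name for e in entries
                          if e.uid in HUMAN_UIDS and e.shell != TOKEN_SHELL],
        # Empty shell field is not "no login": it defaults to /bin/sh, so these
        # accounts rely on being locked in the shadow file.
        "empty_shell": [e.name for e in entries if e.shell == ""],
    }
    # One person, several accounts: each extra account is another password.
    by_person = defaultdict(list)
    for e in entries:
        if e.uid in HUMAN_UIDS and e.gecos:
            by_person[e.gecos].append(e.name)
    findings["shared_identity"] = {p: a for p, a in by_person.items() if len(a) > 1}
    return findings


def audit_listing(text):
    """Parse and audit in one step; parse errors ride along in the result."""
    entries, errors = parse_passwd(text)
    result = audit(entries)
    result["parse_errors"] = errors
    return result


if __name__ == "__main__":
    for key, value in audit_listing(PASSWD_LISTING).items():
        print(f"{key:16} {value}")
```

Run against the page's listing, the audit shows three token-protected logins, six human accounts guarded by a password alone (the kind a "simple dictionary word" crack defeats), and one person holding two accounts. The point for a defender is that the shadow file protected the hashes only until root was lost; the accounts behind sdshell were the ones whose cracked password was still not enough.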

As ne0h remembers it, the guys responsible for this White House hack didn't feel any particular elation about having been able to break into what should be among the half dozen or dozen most secure Web sites in the nation. They were "pretty busy trying to break into everything," ne0h explained, "to prove to the world that we were the best." Instead of virtual pats on the back all around, it was, he says, more an attitude of "Good job, guys, we finally got it, what's next?"

But they didn't have much time left for other break-ins of any sort. Their worlds were about to crumble, and that part of the tale brings the story back around once again to the mysterious Khalid.

Figure 2-1: Defacement page on White House Web site, May 1999.

Zyklon, otherwise known as Eric Burns, takes over the narrative at this point. He wasn't ever actually a member of gLobaLheLL, he says, but did hang around on IRC with some of the guys. In his description of events, the White House hack became possible when he discovered the Web site was susceptible to being compromised by exploiting a hole in a sample program called PHF, which is used to access a Web-based phone book database. This was a critical vulnerability, but although people in the hacker community knew about it, "not many people were using it," Zyklon says.

Carrying out a number of steps (detailed in the Insight section at the end of this chapter), he was able to gain root on whitehouse.gov and establish access to other systems on the local network, including the White House mail server. Zyklon at that point had the ability to intercept any messages between White House staffers and the public, though of course those messages would not have revealed any classified information.

But he was also, Zyklon says, able to "grab a copy of the password and shadow files." They hung around the site, seeing what they could find, waiting until people started arriving for work. While he was waiting, he received a message from Khalid, who said he was writing an article about recent break-ins, and asking Zyklon if he had any recent exploits to tell about. "So I told him we were right then into the White House Web site," Zyklon said.

Within a couple of hours of that exchange, Zyklon told me, they saw a sniffer appear on the site -- a system administrator was looking to see what was going on and trying to track who the people were on the site. Just coincidence? Or did he have some reason to be suspicious at that particular moment? It would be months before Zyklon found out the answer. For the moment, as soon as they spotted the sniffer, the boys pulled the plug, got off the site, and hoped they had caught on to the administrator before he had caught on to them.

But they had stirred up the proverbial hornet's nest. About two weeks later the FBI descended in force, rounding up every gLobaLheLL member they had been able to identify. In addition to Zyklon -- then 19, arrested in Washington state -- they also grabbed MostHateD (Patrick Gregory, also 19, from Texas), and MindPhasr (Chad Davis, Wisconsin), along with others.

ne0h was among the few who survived the sweep. From the safety of his remote location, he was incensed, and posted a Web site defacement page with a message of defiance; as edited for prime time, it read: "Listen up FBI m____ f_____ers. Don't f___ with our members, you will loose. we are holding fbi.gov as I type this. AND YOUR FEARING. We got arrested because you dumb idouts cant figure out who hacked the whitehoue.. right? so you take us alll in and see if one of them narcs. GOOD F___ING LUCK.. WE WONT NARC. Don't you understand? I SAID WORLD DOMINATION."

And he signed it: "the unmerciful, ne0h."9

Aftermath

So how did that system administrator happen to be sniffing so early in the morning? Zyklon doesn't have any doubt about the answer. When the prosecutors had drawn up the papers in his case, he found a statement that information leading to knowledge of the gLobaLheLL break-in to the White House site had been provided by an FBI informant. As he remembers it, the paper also said that the informant was in New Delhi, India.

In Zyklon's view, there isn't any doubt. The only person he had told about the White House break-in -- the only person -- was Khalid Ibrahim. One plus one equals two: Khalid was an FBI informant.

But the mystery remains. Even if Zyklon is correct, is that the whole story? Khalid was an informant, helping the FBI locate kid hackers willing to conduct break-ins to sensitive sites? Or is there another possible explanation: that his role as an informant was only half the story, and he was in fact also the Pakistani terrorist that the Indian general believed he was. A man playing a double role, helping the cause of the Taliban while he infiltrated the FBI.

Certainly his fears about one of the kids reporting him to the FBI fit this version of the story.

Only a few people know the truth. The question is, are the FBI agents and federal prosecutors who were involved among those who know the real story? Or were they, too, being duped?

In the end, Patrick Gregory and Chad Davis were sentenced to 26 months, and Zyklon Burns got 15 months. All three have finished serving their time and are out of prison.

Five Years Later

These days hacking is mostly just a memory for Comrade, but his voice becomes more alive when he talks about "the thrill of doing shit you're not supposed to be doing, going places you're not supposed to go, hoping to come across something cool."

But it's time to get a life. He says he's thinking about college. When we spoke, he was just back from scouting schools in Israel. The language wouldn't be too much of a problem -- he learned Hebrew in elementary school and in fact was surprised at how much he remembered.

His impressions of the country were mixed. The girls were "really great" and the Israelis proved very fond of America. "They seem to look up to Americans." For example, he was with some Israelis who were drinking a soft drink he had never heard of called RC Cola; it turned out to be an American product. The Israelis explained, "On the commercials, that's what Americans drink." He also encountered "some anti-American vibes with people that don't agree with the politics," but took it in stride: "I guess you get that anywhere."

He hated the weather -- "cold and rainy" while he was there. And then there was the computer issue. He had bought a laptop and wireless especially for the trip, but discovered that "the buildings are built out of this huge thick stone." His computer could see 5 or 10 networks, but the signals were too weak to connect, and he had to walk 20 minutes to a place where he could log on.

So Comrade is back in Miami. A teenager with a felony on his rap sheet, he's now living on his inheritance, trying to decide about going to college. He's 20 years old, and not doing much of anything.
