Masters of Deception: The Gang That Ruled Cyberspace (22 page)

The boys' cases had been bounced out of federal court, in fact, and handed off to the Queens District Attorney. There's been a little delay as that office got up to speed. Kaiser even made a few trips out to Queens to explain the technical aspects of the case. Finally, charges were filed against Mark in state court, charging him with a misdemeanor.

So Kaiser certainly hasn't forgotten about the MOD investigation. Far from it. One worry he harbors is that hackers might harm the New York Telephone system in retaliation for the MOD prosecution. There's been nothing Kaiser can do to relieve his worry, though. He has no proof. No evidence. No tips. Nor does he have any reassurances that the hackers won't retaliate. While the phone company has a legal right to monitor its own lines, Kaiser can't abuse the privilege by randomly spying on people. Before he asks his bosses for permission to put up a DNR, he has to have convincing evidence that such a step is necessary. He can't say he wants to monitor a customer's line simply because he worries. He needs some concrete reason to do it.

On the phone with Tymnet, Kaiser goes over the procedure for a "live" trace: As soon as the intruder is spotted in your network, call me. I'll start to track him immediately. It's essential to move fast. If the connection is broken before we complete the trace, we'll never know who the intruder is.

Got it.

By the time Kaiser learned who Tymnet's secret customer was, winter had given way to spring. It is May now. It's warm, it's sunny, you can even hear birds tweeting in Manhattan, for God's sake.

Kaiser had been expecting to hear from Tymnet again. But this time, the phone call comes directly from the Tymnet customer, a client who well knows that minutes are precious during a trace. The customer is Southwestern Bell.

Southwestern Bell is a sibling of New York Telephone, another of the regional phone companies born from the AT&T

divestiture. But Southwestern Bell can't execute a trace over New York Telephone's lines, having no access to phone lines in the Northeast. Southwestern Bell's kingdom stretches across Arkansas, Kansas, Missouri, Oklahoma, and Texas, where a web of computers connects about twelve million customers. Those computers perform the company's switching operations, route calls, bill customers, and process administrative work.

Since its computer system spans so much of the country, Southwestern Bell decided to set up a subnetwork on Tymnet.

That way any Southwestern Bell employee could call into the system for the price of a local call, using a Tymnet dialup.

The Tymnet pipeline is a great convenience to Southwestern Bell's employees.

It was also a great convenience to hackers. That pipeline enabled a hacker sitting anywhere in the United States to call a local Tymnet phone number, get into Tymnet's system, and then burrow right into Southwestern Bell's computers.

Southwestern Bell became aware of the problem one morning when the administrator for one of the company's central depots, the C-SCANS system, came in to work. The administrator noticed from a log that it appeared he himself had been signed on and using the computer during the previous night. He had not. Now, C-SCANS is a sensitive and complex system. The Client Systems Computer Access Network Standards is a central operation that distributes information and administers patches throughout Southwestern Bell's region. When the Bell company wants to upgrade software across its network, the new program is funneled through C-SCANS into each switch. From C-SCANS, you can hop right into any of those switches and start looking around. C-SCANS also stores internal electronic mail sent among Southwestern Bell workers. Security memos are stored there, too.

As soon as the system administrator realized that some unauthorized user had penetrated the system, he had to bring down the computer to try to find out how the intrusions occurred. Bringing down the computer costs Southwestern Bell money, both for paying employees to fix the problem and in lost computer processing time. But the hacker didn't seem to be limited to any one spot in the system. Perhaps because he'd learned so much about the other switches he explored through C-SCANS, he was popping up all over Southwestern Bell's computers. The people at Southwestern Bell sure would appreciate Kaiser's help.

And today, on May 31, 1991, at this very moment of 4: 31 in the afternoon, a hacker is logging into Southwestern Bell's mighty Netcon VAX system in St. Louis, which controls switching networks in four states.

The hacker has a valid user ID: "Carolw. " The "Carolw" account belongs to a communications technician with access to sensitive documents about network security within the Netcon VAX system. The technician doesn't know who could have gotten hold of her ID.

"It's urgent, he's on the line right now, " the Southwestern Bell official tells Kaiser.

Southwestern Bell reports that the call came in through Tymnet. And so Kaiser keeps Southwestern Bell on one line, then immediately calls Tymnet officials on another. Let's say the hacker got into Tymnet by using the dialup at 555-4700.

"That's a number in Lower Manhattan, " Kaiser says, recognizing the prefix. The drill is to trace the call backward from the dialup to its origin.

Minutes are ticking by as Kaiser puts Tymnet on hold and dials the New York Telephone switching control center located downtown on West Street.

"This is Tom Kaiser in security. Where is the call coming from?"

Down in the West Street office, nobody hesitates. The technicians know that when security calls, it's not for a run-of-the-mill request. No, West Street might put Kaiser on hold for a fraction of a second and simultaneously call him back on another line to verify he's really who he says he is. But by the time Kaiser answers that call (he has a lot of phone lines in his office), West Street will have the answer he needs.

"The call's coming in on an AT&T trunk line, " says West Street.

If you make a long-distance call using AT&T, your call travels to its destination along a line that's designated to carry AT&T customers' calls. That's a trunk line.

"AT&T?" Kaiser repeats, and he's already dialing again. This is bad, since it means the hacker may not be calling from New York City after all. He could be anywhere, just using the New York City dialup.

Meanwhile, back at Southwestern Bell, security personnel audit the intruder's every move as it occurs, hoping the hacker won't get bored and hang up. It's maddening, not to mention terrifying, since the phones in four states are controlled by this VAX computer. They watch in shock as the hacker, disguised as Carolw, coolly calls up some internal security alerts sent by Bellcore. Bellcore, or Bell Communications Research, is the research and development arm of the seven regional Bell companies. Back in the 1980s when AT&T's monolithic empire was broken up divided into a long-distance company

that AT&T could still control and seven autonomous regional siblings one thing AT&T was allowed to keep was the

prestigious Bell Labs. The telecommunications laboratory has an illustrious history. Researchers at Bell Labs developed everything from the laser to talking motion pictures.

The Baby Bells got together and funded their own think tank, their own Disneyland of future ideas: Bellcore. Much of what Bellcore does is develop new standards for improving the phone networks. Bellcore researchers also do a lot of on-the-edge, blue-sky stuff, trying to figure out the future direction of the communications revolution.

One of Bellcore's most important functions is security. Bellcore periodically sends memos to all the regional telephone companies to announce a breach of security at one or another of the local phone companies. The memos describe intrusions, and in some cases, the intruders themselves. To a hacker this is extremely valuable information, because the memos also explain security techniques that exist to fix the loopholes. The hackers stay a step ahead.

This particular hacker is browsing in those memos now, reading files about other hackers. He's hacking Southwestern Bell's anti-hacker archives.

It's almost five o'clock in New York, and nobody knows how much longer the call will last. Kaiser has AT&T security on the phone now, and the long-distance carrier's technician quickly traces the call on trunk line to a toll-free 800 number in Pennsylvania. This can mean only one thing. The hacker is purposely hiding his tracks.

Here's how. The hacker had called a toll-free number assigned to some unsuspecting corporation in Pennsylvania, the same toll-free number the corporation's employees use to check in. The computer has a PBX, a private branch exchange to manage internal phone calls, only like most of the novices in telecommunications, the company doesn't know how to secure the system. Who would suspect that someone would want to breach it? Ah, but lots of hackers have found these vulnerabilities and were using them like free long-distance calling cards. This hacker merely pressed 9 to get a dial tone that would allow him to call back out, right from the corporation's phone system, to Tymnet. It's simple. And it's smart, because it's certainly slowing down Kaiser.

Kaiser checks his watch as he dials the officials at the Bell Atlantic switch that controls the (800) number.

"Where's the call coming from into that (800) line?" he asks.

"The call is coming from New York. "

New York. Back in Kaiser's jurisdiction again.

Even as Kaiser works the phones faster than Lily Tomlin did on "Laugh-In, " officials at Southwestern Bell are getting antsy, sending a collective mental plea to the hacker. Please don't hang up. Not yet.

"Where in New York?" Kaiser thinks he's yelling into the phone, but really, his tone is quite calm. He's only shrieking inside.

"Brooklyn. "

Kaiser calls the New York Telephone switch in Brooklyn.

Now Southwestern Bell officials are talking in his other ear saying the intruder has finished reading the memos. He's copying the files onto his own computer to read later and divide like stolen money. Is the hacker getting ready to hang up?

Into the other line, Kaiser barks at a technician at the Brooklyn switch, "Kaiser from security. Where is this call originating?

I need to know now. " The New York Telephone technician says, "The call is coming from 555-1318. "

Success.

It's 5: 09 P. M. The trace took thirty-eight minutes, much longer than a trace normally takes. But then, a typical trace request is one that comes from the cops, who say there's a potential suicide on the line. Where's he calling from? That's an easy enough matter

just call the switch, ask one question, write down one number. Five minutes, you're finished.

Kaiser's done it plenty. Today's activities, however, are of another magnitude.

Within a mere thirty-eight minutes, Kaiser has traced a call back from Southwestern Bell, through Tymnet, through a New York Telephone switch to an AT&T line, to a toll-free number in Pennsylvania, to a switch in Pennsylvania, then back to another switch in New York City, and finally, to a building in Brooklyn. The hacker threaded his call, in an attempt to escape detection, through at least six separate computers. And Kaiser smoothed out the tangles. That is a day's work.

Kaiser writes down the number, and then he looks it up on his own computer. Let's see, 555-1318 is assigned to a subscriber at 64A Kosciusko Street, in Brooklyn. Weird, it even sounds familiar. The hacker lives in the neighborhood of Bedford-Stuyvesant.

Kaiser gets back on the phone to Southwestern Bell's anxious officials and gives them the news. He hears a cheer go up on their end of the line.

Kaiser remembered where he'd seen that address and phone number before. John's number was one that Mark Abene called frequently back in 1989 and early 1990. The DNR kept track. Kaiser had seen John's name before, too, scrawled alongside the doodles in a notebook confiscated from Mark's house during the raids.

That's how Kaiser knew John Lee's handle was Corrupt. That's how Kaiser knew John Lee was in MOD.

In the days that followed, Kaiser would perform more traces for Southwestern Bell and Tymnet. Sometimes the connection got broken before he could navigate the labyrinth of phone lines. But Kaiser was successful in tracing another call, this time to Julio's address in the

Bronx.

Julio's phone number was in Mark's notebook, too. So was Julio's handle, Outlaw. Julio must be in MOD, too.

So Southwestern Bell knew that it had to deal with at least two intruders. And now Kaiser knew that he was back on MOD's trail.

The Secret Service was moving on the case. Big time. But the Secret Service was also starting a new investigation, treating the Southwestern Bell intrusions

which clearly posed a threat to a significant portion of the nation's phone lines

as a case of their own. The Secret Service didn't put it together with the old MOD case from 1990. As a new case, the Southwestern Bell problem has a new prosecutor. It's the U. S. Attorney in the Southern District, which has geographic jurisdiction over Manhattan and the Bronx.

This was the first computer crime case assigned to Stephen Fishbein in the three years he's been working as an assistant U. S. Attorney. But he is far from technophobic. In fact, Fishbein has an identical twin who is a chip designer in Boston, and Fishbein is not afraid of computers. That put him a step ahead of some of the other lawyers who would find themselves involved in what would become known as the Masters of Deception conspiracy case.

But even after Fishbein started delving into the computer intrusions that John and Julio committed from their homes, it would be months before the full scope of their involvement with the earlier case against Mark, Paul, and Eli became clear.

After the successful traces, the authorities tell the switch that controls certain phone lines to Southwestern Bell's computers to trap incoming calls. Whenever someone calls the phone numbers, a computer notes the origin of the call.

Every time John or Julio calls, a computer records the time and date. The monitoring is quite definitive.

DNRs go up again, this time on the phones at John's and Julio's houses. Here's what they show: On June 2, at two minutes before midnight, Julio calls Tymnet for nineteen minutes. As soon as he hangs up, he calls Mark.