Underground: Tales of Hacking, Madness and Obsession from the Electronic Frontier (42 page)


address--in this case 128.250.20.3. All the computers on the Internet need this IP address to relay the packets of data onto the final destination computer. NIC decided how Internet computers would translate the alphabetical name into an IP address, and vice versa.

If you controlled NIC, you had phenomenal power on the Internet. You could, for example, simply make Australia disappear. Or you could turn it into Brazil. By pointing all Internet addresses ending in ‘.au’--the designation for sites in Australia--to Brazil, you could cut Australia’s part of the Internet off from the rest of the world and send all Australian Internet traffic to Brazil. In fact, by changing the delegation of all the domain names, you could virtually stop the flow of information between all the countries on the Internet.

The only way someone could circumvent this power was by typing in the full numerical IP address instead of a proper alphabetical address.

But few people knew the up-to-twelve-digit IP equivalent of their alphabetical addresses, and fewer still actually used them.

Controlling NIC offered other benefits as well. Control NIC, and you owned a virtual pass-key into any computer on the Internet which ‘trusted’ another. And most machines trust at least one other system.

Whenever one computer connects to another across the Net, both machines go through a special meet-and-greet process. The receiving computer looks over the first machine and asks itself a few questions. What’s the name of the incoming machine? Is that name allowed to connect to me? In what ways am I programmed to ‘trust’ that machine--to waive my normal security for connections from that system?

The receiving computer answers these questions based in large part on information provided by NIC. All of which means that, by controlling NIC, you could make any computer on the Net ‘pose’ as a machine trusted by a computer you might want to hack. Security often depended on a computer’s name, and NIC effectively controlled that name.

When Prime Suspect managed to get inside NIC’s sister system, he told Mendax and gave him access to the computer. Each hacker then began his own attack on NIC. When Mendax finally got root on NIC, the power was intoxicating. Prime Suspect got root at the same time but using a different method. They were both in.

Inside NIC, Mendax began by inserting a backdoor--a method of getting back into the computer at a later date in case an admin repaired the security flaws the hackers had used to get into the machine. From now on, if he telnetted into the system’s Data Defense Network (DDN) information server and typed ‘login 0’ he would have instant, invisible root access to NIC.

That step completed, he looked around for interesting things to read.

One file held what appeared to be a list of satellite and microwave dish coordinates--longitude, latitudes, transponder frequencies. Such coordinates might in theory allow someone to build a complete map of communications devices which were used to move the DOD’s computer data around the world.

Mendax also penetrated MILNET’s Security Coordination Center, which collected reports on every possible security incident on a MILNET computer. Those computers--largely TOPS-20s made by DEC--contained good automatic security programs. Any number of out-of-the-ordinary events would trigger an automatic security report. Someone logging into a machine for too long. A large number of failed login attempts, suggesting password guessing. Two people logging into the same account at the same time. Alarm bells would go off and the local computer would immediately send a security violation report to the MILNET security centre, where it would be added to the ‘hot list’.

Mendax flipped through page after page of MILNET’s security reports on his screen. Most looked like nothing--MILNET users accidentally stumbling over a security tripwire--but one notice from a US military site in Germany stood out. It was not computer generated. This was from a real human being. The system admin reported that someone had been repeatedly trying to break into his or her machine, and had eventually managed to get in. The admin was trying, without much luck, to trace back the intruder’s connection to its point of origin. Oddly, it appeared to originate in another MILNET system.

Riffling through other files, Mendax found mail confirming that the attack had indeed come from inside MILNET. His eyes grew wide as he read on. US military hackers had broken into MILNET systems, using them for target practice, and no-one had bothered to tell the system admin at the target site.

Mendax couldn’t believe it. The US military was hacking its own computers. This discovery led to another, more disturbing, thought. If the US military was hacking its own computers for practice, what was it doing to other countries’ computers?

As he quietly backed out of the system, wiping away his footprints as he tip-toed away, Mendax thought about what he had seen. He was deeply disturbed that any hacker would work for the US military.

Hackers, he thought, should be anarchists, not hawks.

In early October 1991, Mendax rang Trax and gave him the dial-up and account details for NMELH1.

Trax wasn’t much of a hacker, but Mendax admired his phreaking talents. Trax was the father of phreaking in Australia and Trax’s Toolbox, his guide to the art of phreaking, was legendary. Mendax thought Trax might find some interesting detailed information inside the NorTel network on how to control telephone switches.

Trax invented multi-frequency code phreaking. By sending special tones--generated by his computer program--down the phone line, he could control certain functions in the telephone exchange. Many hackers had learned how to make free phone calls by charging the cost to someone else or to calling cards, but Trax discovered how to make phone calls which weren’t charged to anyone. The calls weren’t just free; they were untraceable.

Trax wrote 48 pages on his discovery and called it The Australian Phreakers Manual Volumes 1-7. But as he added more and more to the manual, he became worried what would happen if he released it in the underground, so he decided he would only show it to the other two International Subversive hackers.

He went on to publish The Advanced Phreaker’s Manual,2 a second edition of the manual, in The International Subversive, the underground magazine edited by Mendax:

An electronic magazine, The International Subversive had a simple editorial policy. You could only have a copy of the magazine if you wrote an ‘article’. The policy was a good way of protecting against nappies--sloppy or inexperienced hackers who might accidentally draw police attention. Nappies also tended to abuse good phreaking and hacking techniques, which might cause Telecom to close up security holes. The result was that IS had a circulation of just three people.

To a non-hacker, IS looked like gobbledygook--the phone book made more interesting reading. But to a member of the computer underground, IS was a treasure map. A good hacker could follow the trail of modem phone numbers and passwords, then use the directions in IS to disappear through secret entrances into the labyrinth of forbidden computer networks. Armed with the magazine, he could slither out of tight spots, outwit system admins and find the treasure secreted in each computer system.

For Prime Suspect and Mendax, who were increasingly paranoid about line traces from the university modems they used as launchpads, Trax’s phreaking skills were a gift from heaven.

Trax made his great discovery by accident. He was using a phone sprinter, a simple computer program which automatically dialled a range of phone numbers looking for modems. If he turned the volume up on his modem when his computer dialled what seemed to be a dead or non-existent number, he sometimes heard a soft clicking noise after the disconnection message. The noise sounded like faint heartbeats.

Curious, he experimented with these strange numbers and soon discovered they were disconnected lines which had not yet been reassigned. He wondered how he could use these odd numbers. After reading a document Mendax had found in Britain and uploaded to The Devil’s Playground, another BBS, Trax had an idea. The posting provided information about CCITT #5 signalling tones, CCITT being the international standard--the language spoken by telephone exchanges between countries.

When you make an international phone call from Australia to the US, the call passes from the local telephone exchange to an international gateway exchange within Australia. From there, it travels to an exchange in the US. The CCITT signalling tones were the special tones the two international gateway exchanges used to communicate with each other.

Telecom Australia adapted a later version of this standard, called R2, for use on its own domestic exchanges. Telecom called this new standard MFC, or multi-frequency code. When, say, Trax rang Mendax, his exchange asked Mendax’s to ‘talk’ to Mendax’s phone by using these tones. Mendax’s exchange ‘answered’, perhaps saying Mendax’s phone was busy or disconnected. The Telecom-adapted tones--pairs of audio frequencies--did not exist in normal telephone keypads and you couldn’t make them simply by punching keys on your household telephone.

Trax wrote a program which allowed his Amstrad computer to generate the special tones and send them down the phone line. In an act many in the underground later considered to be a stroke of genius, he began to map out exactly what each tone did. It was a difficult task, since one tone could mean several different things at each stage of the ‘conversation’ between two exchanges.

Passionate about his new calling, Trax went trashing in Telecom garbage bins, where he found an MFC register list--an invaluable piece of his puzzle. Using the list, along with pieces of overseas phreaking files and a great deal of painstaking hands-on effort, Trax slowly learned the language of the Australian telephone exchanges. Then he taught the language to his computer.

Trax tried calling one of the ‘heartbeat’ phone numbers again. He began playing his special, computer-generated tones through an amplifier. In simple terms, he was able to fool other exchanges into thinking he was his local Telecom exchange. More accurately, Trax had made his exchange drop him into the outgoing signalling trunk that had been used to route to the disconnected phone number.

Trax could now call out--anywhere--as if he was calling from a point halfway between his own phone and the disconnected number. If he called a modem at Melbourne University, for instance, and the line was being traced, his home phone number would not show up on the trace records. No-one would be charged for the call because Trax’s calls were ghosts in the phone system.

Trax continued to refine his ability to manipulate both the telephone and the exchange. He took his own telephone apart, piece by piece, countless times, fiddling with the parts until he understood exactly how it worked. Within months, he was able to do far more than just make free phone calls. He could, for instance, make a line trace think that he had come from a specific telephone number.

He and Mendax joked that if they called a ‘hot’ site they would use Trax’s technique to send the line trace--and the bill--back to one very special number. The one belonging to the AFP’s Computer Crime Unit in Melbourne.

All three IS hackers suspected the AFP was close on their heels.

Roving through the Canberra-based computer system belonging to the man who essentially ran the Internet in Australia, Geoff Huston, they watched the combined efforts of police and the Australian Academic and Research Network (AARNET) to trace them.

Craig Warren of Deakin University had written to Huston, AARNET technical manager, about hacker attacks on university systems. Huston had forwarded a copy of the letter to Peter Elford, who assisted Huston in managing AARNET. The hackers broke into Huston’s system and also read the letter:

From [email protected] Mon Sep 23 09:40:43 1991

Received: from [150.203.6.67] by jatz.aarnet.edu.au with SMTP id AA00265 (5.65+/IDA-1.3.5 for pte900); Mon, 23 Sep 91 09:40:39 +1000

Date: Mon, 23 Sep 91 09:40:39 +1000

Message-Id: <[email protected]>

To: [email protected]

From: [email protected]

Subject: Re: Visitors log Thursday Night--Friday Morning

Status: RO

>Date: Sun, 22 Sep 91 19:29:13 +1000

>From: Craig Warren

>

>Just to give you a little bit of an idea about what has been happening since we last spoke...

>

>We have communicated with Sgt Ken Day of the Federal Police about 100 times in the last week. Together with our counterparts from Warrnambool traces have been arranged on dial-in lines and on Austpac lines for the capella.cc.deakin.OZ.AU terminal server which was left open to the world.

>

>On Friday afternoon we were able to trace a call back to a person in the Warrnambool telephone district. The police have this person’s name. We believe others are involved, as we have seen up to 3 people active at any one time. It is ‘suspected’ students from RMIT and perhaps students from Deakin are also involved.

>

>When I left on Friday night, there was plenty of activity still and the police and Telecom were tracking down another number.

>

>Tomorrow morning I will talk to all parties involved, but it is likely we will have the names of at least 2 or 3 people that are involved. We will probably shut down access of ‘cappella’ to AARNet at this stage, and let the police go about their business of prosecuting these people.

>

>You will be ‘pleased’ (:-)) to know you have not been the only ones under attack. I know of at least 2 other sites in Victoria that have had people attacking them. One of them was Telecom which helped get Telecom involved!

>

>I will brief you all in the next day or so as to what has happened.

>

>Regards, Craig

>

The ‘other’ people were, of course, the IS hackers. There is nothing like reading about your own hacking antics in someone’s security mail.

Mendax and Prime Suspect frequently visited ANU’s computers to read the security mail there. However, universities were usually nothing special, just jumping-off points and, occasionally, good sources of information on how close the AFP were to closing in on the IS hackers.
