Underground: Tales of Hacking, Madness and Obsession from the Electronic Frontier (43 page)

BOOK: Underground: Tales of Hacking, Madness and Obsession from the Electronic Frontier
11.62Mb size Format: txt, pdf, ePub

Far more interesting to Mendax were his initial forays into Telecom’s exchanges. Using a modem number Prime Suspect had found, he dialled into what he suspected was Telecom’s Lonsdale Exchange in downtown Melbourne. When his modem connected to another one, all he saw was a blank screen. He tried a few basic commands which might give him help to understand the system:

Login. List. Attach.

The exchange’s computer remained silent.

Mendax ran a program he had written to fire off every recognised keyboard character--256 of them--at another machine. Nothing again. He then tried the break signal--the Amiga key and the character B pressed simultaneously. That got an answer of sorts.

:

He pulled up another of his hacking tools, a program which dumped 200

common commands to the other machine. Nothing. Finally, he tried typing ‘logout’. That gave him an answer:

error, not logged on

Ah, thought Mendax. The command is ‘logon’ not ‘login’.

:logon

The Telecom exchange answered: ‘username:’ Now all Mendax had to do was figure out a username and password.

He knew that Telecom used NorTel equipment. More than likely, NorTel staff were training Telecom workers and would need access themselves.

If there were lots of NorTel employees working on many different phone switches, it would be difficult to pass on secure passwords to staff all the time. NorTel and Telecom people would probably pick something easy and universal. What password best fitted that description?

username: nortel

password: nortel

It worked.

Unfortunately, Mendax didn’t know which commands to use once he got into the machine, and there was no on-line documentation to provide help. The telephone switch had its own language, unlike anything he had ever encountered before.

After hours of painstaking research, Mendax constructed a list of commands which would work on the exchange’s computer. The exchange appeared to control all the special six-digit phone numbers beginning with 13, such as those used for airline reservations or some pizza delivery services. It was Telecom’s ‘Intelligent Network’ which did many specific tasks, including routing calls to the nearest possible branch of the organisation being called. Mendax looked through the list of commands, found ‘RANGE’, and recognised it as a command which would allow someone to select all the phone numbers in a certain range. He selected a thousand numbers, all with the prefix 634, which he believed to be in Telecom’s Queen Street offices.

Now, to test a command. Mendax wanted something innocuous, which wouldn’t screw up the 1000 lines permanently. It was almost 7 a.m. and he needed to wrap things up before Telecom employees began coming into work.

‘RING’ seemed harmless enough. It might ring one of the numbers in the range after another--a process he could stop. He typed the command in.

Nothing happened. Then a few full stops began to slowly spread across his screen:

. . . . . . .

RUNG

The system had just rung all 1000 numbers at the same time. One thousand phones ringing all at once.

What if some buttoned-down Telecom engineer had driven to work early that morning to get some work done? What if he had just settled down at his standard-issue metal Telecom desk with a cup of bad instant coffee in a styrofoam cup when suddenly ... every telephone in the skyscraper had rung out simultaneously? How suspicious would that look? Mendax thought it was time to high-tail it out of there.

On his way out, he disabled the logs for the modem line he came in on.

That way, no-one would be able to see what he had been up to. In fact, he hoped no-one would know that anyone had even used the dial-up line at all.

Prime Suspect didn’t think there was anything wrong with exploring the NorTel computer system. Many computer sites posted warnings in the login screen about it being illegal to break into the system, but the eighteen-year-old didn’t consider himself an intruder. In Prime Suspect’s eyes, ‘intruder’ suggested someone with ill intent--perhaps someone planning to do damage to the system--and he certainly had no ill intent. He was just a visitor.

Mendax logged into the NMELH1 system by using the account Prime Suspect had given him, and immediately looked around to see who else was on-line. Prime Suspect and about nine other people, only three of whom were actually doing something at their terminal.

Prime Suspect and Mendax raced to get root on the system. The IS

hackers may not have been the type to brag about their conquests in the underground, but each still had a competitive streak when it came to see who could get control over the system first. There was no ill will, just a little friendly competition between mates.

Mendax poked around and realised the root directory, which contained the password file, was effectively world writable. This was good news, and with some quick manipulation he would be able to insert something into the root directory. On a more secure system, unprivileged users would not be able to do that. Mendax could also copy things from the directory on this site, and change the names of subdirectories within the main root directory. All these permissions were important, for they would enable him to create a Trojan.

Named for the Trojan horse which precipitated the fall of Troy, the Trojan is a favoured approach with most computer hackers. The hacker simply tricks a computer system or a user into thinking that a slightly altered file or directory--the Trojan--is the legitimate one.

The Trojan directory, however, contains false information to fool the computer into doing something the hacker wants. Alternatively, the Trojan might simply trick a legitimate user into giving away valuable information, such as his user name and password.

Mendax made a new directory and copied the contents of the legitimate ETC directory--where the password files were stored--into it. The passwords were encrypted, so there wasn’t much sense trying to look at one since the hacker wouldn’t be able to read it. Instead, he selected a random legitimate user--call him Joe--and deleted his password. With no password, Mendax would be able to login as Joe without any problems.

However, Joe was just an average user. He didn’t have root, which is what Mendax wanted. But like every other user on the system, Joe had a user identity number. Mendax changed Joe’s user id to ‘0’--the magic number. A user with ‘0’ as his id had root. Joe had just acquired power usually only given to system administrators. Of course, Mendax could have searched out a user on the list who already had root, but there were system operators logged onto the system and it might have raised suspicions if another operator with root access had logged in over the dial-up lines. The best line of defence was to avoid making anyone on the system suspicious in the first place.

The problem now was to replace the original ETC directory with the Trojan one. Mendax did not have the privileges to delete the legitimate ETC directory, but he could change the name of a directory.

So he changed the name of the ETC directory to something the computer system would not recognise. Without access to its list of users, the computer could not perform most of its functions. People would not be able to log in, see who else was on the system or send electronic mail. Mendax had to work very quickly. Within a matter of minutes, someone would notice the system had serious problems.

Mendax renamed his Trojan directory ETC. The system instantly read the fake directory, including Joe’s now non-existent password, and elevated status as a super-user. Mendax logged in again, this time as Joe.

In less than five minutes, a twenty-year-old boy with little formal education, a pokey $700 computer and painfully slow modem had conquered the Melbourne computer system of one of the world’s largest telecommunications companies.

There were still a few footprints to be cleaned up. The next time Joe logged in, he would wonder why the computer didn’t ask for his password. And he might be surprised to discover he had been transformed into a super-user. So Mendax used his super-user status to delete the Trojan ETC file and return the original one to its proper place. He also erased records showing he had ever logged in as Joe.

To make sure he could login with super-user privileges in future, Mendax installed a special program which would automatically grant him root access. He hid the program in the bowels of the system and, just to be safe, created a special feature so that it could only be activated with a secret keystroke.

Mendax wrestled a root account from NMELH1 first, but Prime Suspect wasn’t far behind. Trax joined them a little later. When they began looking around, they could not believe what they had found. The system had one of the weirdest structures they had ever come across.

Most large networks have a hierarchical structure. Further, most hold the addresses of a handful of other systems in the network, usually the systems which are closest in the flow of the external network.

But the NorTel network was not structured that way. What the IS

hackers found was a network with no hierarchy. It was a totally flat name space. And the network was weird in other ways too. Every computer system on it contained the address of every other computer, and there were more than 11000 computers in NorTel’s worldwide network. What the hackers were staring at was like a giant internal corporate Internet which had been squashed flat as a pancake.

Mendax had seen many flat structures before, but never on this scale.

It was bizarre. In hierarchical structures, it is easier to tell where the most important computer systems--and information--are kept. But this structure, where every system was virtually equal, was going to make it considerably more difficult for the hackers to navigate their way through the network. Who could tell whether a system housed the Christmas party invite list or the secret designs for a new NorTel product?

The NorTel network was firewalled, which meant that there was virtually no access from the outside world. Mendax reckoned that this made it more vulnerable to hackers who managed to get in through dial-ups. It appeared that security on the NorTel network was relatively relaxed since it was virtually impossible to break in through the Internet. By sneaking in the backdoor, the hackers found themselves able to raid all sorts of NorTel sites, from St Kilda Road in Melbourne to the corporation’s headquarters in Toronto.

It was fantastic, this huge, trusting network of computer sites at their fingertips, and the young hackers were elated with the anticipation of exploration. One of them described it as being ‘like a shipwrecked man washed ashore on a Tahitian island populated by 11000

virgins, just ripe for the picking’.

They found a YP, or yellow pages, database linked to 400 of the computer sites. These 400 sites were dependent on this YP database for their password files. Mendax managed to get root on the YP database, which gave him instant control over 400 computer systems. Groovy.

One system was home to a senior NorTel computer security administrator and Mendax promptly headed off to check out his mailbox. The contents made him laugh.

A letter from the Australian office said that Australia’s Telecom wanted access to CORWAN, NorTel’s corporate wide area network. Access would involve linking CORWAN and a small Telecom network. This seemed reasonable enough since Telecom did business with NorTel and staff were communicating all the time.

The Canadian security admin had written back turning down the request because there were too many hackers in the Telecom network.

Too many hackers in Telecom? Now that was funny. Here was a hacker reading the sensitive mail of NorTel’s computer security expert who reckoned Telecom’s network was too exposed. In fact, Mendax had penetrated Telecom’s systems from NorTel’s CORWAN, not the other way round.

Perhaps to prove the point, Mendax decided to crack passwords to the NorTel system. He collected 1003 password files from the NorTel sites, pulled up his password cracking program, THC, and started hunting around the network for some spare computers to do the job for him. He located a collection of 40 Sun computers, probably housed in Canada, and set up his program on them.

THC ran very fast on those Sun4s. The program used a 60000 word dictionary borrowed from someone in the US army who had done a thesis on cryptography and password cracking. It also relied on ‘a particularly nice fast-crypt algorithm’ being developed by a Queensland academic, Eric Young. The THC program worked about 30 times faster than it would have done using the standard algorithm.

Using all 40 computers, Mendax was throwing as many as 40000 guesses per second against the password lists. A couple of the Suns went down under the strain, but most held their place in the onslaught. The secret passwords began dropping like flies. In just a few hours, Mendax had cracked 5000 passwords, some 100 of which were to root accounts. He now had access to thousands of NorTel computers across the globe.

There were some very nice prizes to be had from these systems. Gain control over a large company’s computer systems and you virtually controlled the company itself. It was as though you could walk through every security barrier unchecked, beginning with the front door. Want each employee’s security codes for the office’s front door? There it was--on-line.

How about access to the company’s payroll records? You could see how much money each person earns. Better still, you might like to make yourself an employee and pay yourself a tidy once-off bonus through electronic funds transfer. Of course there were other, less obvious, ways of making money, such as espionage.

Mendax could have easily found highly sensitive information about planned NorTel products and sold them. For a company like NorTel, which spent more than $1 billion each year on research and development, information leaks about its new technologies could be devastating. The espionage wouldn’t even have to be about new products; it could simply be about the company’s business strategies.

With access to all sorts of internal memos between senior executives, a hacker could procure precious inside information on markets and prices. A competitor might pay handsomely for this sort of information.

Other books

1 State of Grace by John Phythyon
Last Strike by Regan Black
Conquerors' Legacy by Timothy Zahn
The Swimming-Pool Library by Alan Hollinghurst
Black Rain: A Thriller by Graham Brown
Made in Detroit by Marge Piercy
Overrun: Project Hideaway by Rusch, Michael