Cuckoo's Egg
Page 15
I phoned Jeannie at work and launched into the requisite background explanation, but as soon as I dropped the words, “hacker” and “Milnet,” she said, “Okay, what do you want from me?” It turned out that the Navy research and development center she worked for had warned its support staff about the risks of leaky computers.
Jeannie did attach one thin string to her offer of help. “It would be real sweet if you could get someone to write me a nice, official thank-you note. Say, from the OSI or the FBI, or whoever.”
When I next spoke to the OSI, I relayed Jeannie’s request. They assured me that this was easy for them.… “We’re really good at writing notes.” (Hardly. Despite abundant promises in the next year, from majors, colonels and generals, my sister was never to receive her official pat on the back. Eventually, we concluded that it’s just not possible for someone in one part of the federal bureaucracy to officially thank someone in another.)
At any rate, Jeannie decided to start her investigation during her lunch break. And she called back with something to report within an hour.
“The public high school that’s closest to Mitre is McLean High School, so I started there,” she said. “I asked to talk to a math teacher named Mr. Maher. They repeated the name, said, ‘One moment please,’ and connected me to someone. At that point, I hung up.”
Could it have been that my sister, in one phone call, had gotten more done than the FBI? Gee, maybe I should impose on her further. “How about dropping by that school and see if you can spot any computers—most schools have ’em. Also, see if you can find Knute Sears in their yearbook. But be careful. The way I’ve got him scoped, he’s extremely skittish. Don’t spook the guy.”
“Okey doke, I’ll take a long lunch tomorrow.”
The next day, while I pedaled the verdant hills of Berkeley, my sister circumnavigated the Washington, D.C. beltway, feeling alternately exhilarated and foolish.
It turns out that McLean is the home of loads of elected officials, policymakers, and upper-end military leaders. Jeannie reports that it looks like the “apotheosis of the affluent second-ring suburb,” though I’m not sure what that means.
And on that bright Virginia autumn day, its high school seemed a distillation of all the myths surrounding the Great American High School. Classes had just let out. Expensively dressed kids spilled out of the front door. The student parking lot included Mercedes, BMWs, and an occasional Volvo. Jeannie’s pride and joy, a beat-up ’81 Chevy Citation, shrank to the remote outskirts of the lot in self-conscious mortification.
Jeannie reported that, like her car, she felt discomfort, not to mention an attack of absurdity, snooping around a suburban school.
Now, my sister has better reason than most to hate being in a high school. In her younger and more vulnerable years, she taught eleventh-grade English. Now, teenagers give her the hives, especially teenagers that don’t belong to her. Really affluent ones are the worst, she reports.
Under the guise of a concerned parent, Jeannie visited the school office and sat for half an hour, scanning yearbook listings of the swim team, the Latin scholars, the debaters, for just one mention of the apocryphal Knute Sears. No dice.
Having thoroughly exhausted the resource material and convinced that there was no Knute at McLean, she turned her attention to the teachers’ mailboxes. Sure enough, one was labeled, “Mr. Maher.”
Abruptly, a clerk appeared and asked what she wanted to see. With a ditsiness reminiscent of Gracie Allen, my sister burbled, “Gee, I don’t know, dear.… Well, well, what do you know? Here it is, right in front of my eyes.” The clerk smiled patronizingly as Jeannie grabbed a brochure from the nearest pile on the counter—it turned out to explain how to register for night school. Half covering a silly-me smirk with her hand, she waved bye-bye with the other hand and booked out of there.
Her covert operation complete, Jeannie called me that afternoon. Stanford’s mythical Knute Sears was to remain a myth. He’d never registered at McLean High School. And their Mr. Maher wasn’t a math teacher. He taught history, part time.
Another dead end. Even today, I can’t talk to my sister without feeling acute embarrassment for sending her on a wild goose chase.
I called Dan at Stanford with the bad news. He wasn’t surprised. “It’ll take a long investigation. We’re giving up on the FBI. The Secret Service has a computer crime division that’s eager to work on the case.”
The Secret Service was helping Stanford? Weren’t they the people that caught counterfeiters and protected the president?
“Yes,” Dan said, “but they also investigate computer crimes. The Department of the Treasury tries to protect banks from computer fraud, and the Secret Service is a branch of the Treasury Department.”
Dan had found a way around a recalcitrant FBI. “They don’t know much about computers, but they’ve got moxie. We’ll provide the computer expertise, and they’ll get the warrants.” Moxie?
It was too late for me, though. Our local FBI still didn’t care, but the FBI office in Alexandria, Virginia, had noticed. Someone—Mitre, the Air Force, or the CIA—had leaned on them, and Special Agent Mike Gibbons called.
In a couple minutes, I realized that at last, I was speaking to an FBI agent who knew computers. He’d written Unix programs, used modems, and wasn’t scared by databases and word processors. His latest hobby was playing Dungeons and Dragons on his Atari computer. J. Edgar Hoover must be rolling in his grave.
Better yet, Mike didn’t mind communicating by electronic mail, although since anyone might intercept our traffic we used an encryption scheme to keep our conversations private.
From his voice, I guessed Mike wasn’t over thirty, but he knew computer law thoroughly. “There’s at least a violation of U.S. Code Section 1030. Probably breaking and entering as well. When we find him, he’ll be looking at five years or $50,000.” I liked how Mike said “when” rather than “if.”
I explained my agreement with Mitre. “When the hacker next shows up in Berkeley, Bill Chandler will trace Mitre’s network from the inside. We’ll find him then.”
Mike wasn’t so sure, but at least he didn’t object to my plan. The only missing piece was the hacker: he hadn’t shown up since Halloween—a two-week hiatus. Each morning, I’d check the recorders. Day and night, I’d wear my beeper, waiting for the hacker to step on our invisible tripwire. But not a peep.
Finally, on November 18, my hacker returned to his Sventek account. He entered at 8:11 in the morning and stayed around for half an hour. Immediately, I called Mitre in McLean. Bill Chandler wasn’t in, and a stuffy manager told me that only Bill Chandler was authorized to trace Mitre’s internal network. He talked about “strict guidelines” and “certified secure networks.” I cut him off. With the hacker live on my system, I didn’t need to listen to some big-shot manager. Where were the technicians, the people who actually knew how Mitre’s system worked?
Another chance to catch the hacker—foiled.
He showed up again in the afternoon. This time I got through to Bill Chandler, and he ran over to check his outbound modems. Sure enough, someone had dialed out through Mitre’s modem, and it looked like a long-distance call. But where was the connection originating?
Bill explained, “Our network within Mitre is complex, and it’s not easy to trace. We don’t have individual wires connecting one computer to another. Instead, a lot of signals travel on a single wire, and connections have to be traced by decoding the addresses of each packet on our ethernet.”
In other words, Mitre couldn’t trace the calls.
Damn. Someone was calling out from Mitre, but they couldn’t find where the hacker was coming from. We still didn’t know if it was a Mitre employee or someone from the outside.
Furious, I looked over the printout from the hacker. Nothing new there. He tried once again to slip into the Army base in Anniston but was turned away. The rest of the time he spent searching my Berkeley computer for words like “nuclear bomb,” and “
SDI.”
Bill promised to get his best technicians on the problem. A few days later, when the hacker showed up, I heard the same story. No doubt that someone was dialing out from Mitre’s computer system. But they couldn’t trace it. They were baffled. Who was behind it? And where was he hiding?
On Saturday, Martha dragged me on a day’s outing to Calistoga, where the geysers and hot springs attract butterflies, geologists, and hedonists. For the latter, there are mud baths, said to be the height of Northern California decadence. For twenty dollars, you can be parboiled in an ooze of volcanic ash, peat, and mineral water.
“It’ll take your mind off your work,” Martha said. “You’ve been all twisted up over this hacker—a break will do you good.” Mired in an oversized bathtub didn’t sound like a recipe for rejuvenation, but I’ll try anything once.
Wallowing in this private swamp, my mind drifted off to thoughts of Mitre. My hacker used Mitre’s outgoing telephone lines to cross the country. Stanford had traced one hacker to McLean; likely he came through Mitre. Maybe Mitre provided a central point for hackers, a sort of switchboard to place their calls. That would mean the hackers weren’t Mitre employees, but were from outside the company.
How could this happen? Mitre would have to make three mistakes. They’d have to create a way for anyone to connect freely to their local network. Then, they’d have to allow a stranger to log onto their computer. Finally, they’d have to provide unaudited outgoing long-distance telephone service.
They’d met the third condition: the modems connected to their internal network could call all over the country. We’d traced our troubles into those very lines.
But how could someone connect into Mitre? Surely they wouldn’t allow just anyone to dial into their network. As Bill Chandler had said, they’re running a secure shop. Military secrets and stuff like that.
What other ways could you get into Mitre? Over some network, perhaps? Could a hacker get there through Tymnet? If Mitre paid for Tymnet service and didn’t protect it with passwords, you could call them from anywhere for free. Once connected, Mitre’s internal network might let you turn around and call out. Then you could dial anywhere, with Mitre picking up the tab.
It would be easy to test my hypothesis: I’d become a hacker. I’d go home and try to use Tymnet to connect to Mitre, trying to break into a place I wasn’t supposed to be.
The mud smelled of sulfur and peat moss, and felt like a hot primordial ooze. I enjoyed the mud bath and the sauna that came afterward, but I still couldn’t wait to get out of the mud and return home. I had a lead. Or at least a hunch.
Logbook, Sunday, November 23, 1986
10:30 A.M. Oakland Tymnet access number is 415/430-2900. Called from my Macintosh at home. 1200 baud, no parity. Tymnet asked for a username. I entered MITRE. Response: Welcome to Mitre-Bedford.
10:40 A.M. Mitre has an internal network which gives a menu. Fourteen choices, apparently different computers within Mitre. I try each in succession.
10:52 A.M. One choice, MWCC leads to another menu. That menu has twelve choices. One choice is DIAL. I try:
DIAL 415 486 2984 no effect
DIAL 1 415 486 2984 no effect
DIAL 9 1 415 486 2984 Connected into Berkeley computer.
Conclusion: An outsider can connect into Mitre through Tymnet. No password necessary. Once in Mitre, they can dial out, either locally or long distance.
MWCC means, “Mitre Washington Computing Center”; Bedford means “Bedford Massachusetts.” I’d entered Mitre in Bedford, and popped out five hundred miles away in McLean.
11:03 A.M. Disconnect from Berkeley computer, but remain at Mitre. I request connection into system AEROVAX. It prompts for username. I enter “Guest.” It accepts and logs me in, without any password. Explore Aerovax computer.
Aerovax has programs for some sort of airport flight safety. Program to find allowable landing angles for high-speed and low-speed aircraft approaches. Presumably funded by government contracts.
Aerovax connects to several other computers over Mitre’s network. These are password protected. “Guest” is not a valid username on these other Mitre computers. (I’m not sure they’re even at Mitre.)
Wait—something’s wrong here. The network controlling software doesn’t seem normal—its greeting message shows up too quickly, but it completes its connection too slowly. I wonder what’s in that program.…
Aha! It’s been modified. Someone has set a Trojan horse in the Aerovax network software. It copies network passwords into a secret file for later use.
Conclusion: someone’s been tampering with Mitre’s software, successfully stealing passwords.
11:35 A.M. Disconnect from Mitre and update logbook.
Reading my logbook today, I remember an hour of poking around Mitre’s internal network. At once it felt exciting and forbidden. Any minute, I expected someone to send a message on my computer screen, “We caught you. Come out with your hands up.”
No doubt Mitre had left a gaping hole in their system. Anyone could make a local telephone call, tell Tymnet to connect to Mitre, and spend an afternoon fooling around with Mitre’s computers. Most of their machines were protected with passwords, but at least one was pretty much wide open.
I remembered Mitre’s pious disclaimer, “We’re running a secure shop, and nobody can break in.” Right.
The “Guest” account on their Aerovax let anyone on. But the Trojan horse was deadly. Someone had tampered with their network program to copy passwords into a special area. Every time a legitimate employee used the Aerovax computer, her password was stolen. This gave the hacker keys to other Mitre computers. Once the hacker penetrated their armor, he could roam anywhere.
How deeply was Mitre’s system infested? By listing their directory, I saw that the Trojan horse was dated June 17. For six months, someone had silently booby-trapped their computers.
I couldn’t prove that it was the same hacker that I was dealing with. But this morning’s exercises showed that anyone could enter Mitre’s system and dial into my Berkeley computers. So the hacker wasn’t necessarily at Mitre. He might be anywhere.
In all likelihood, Mitre served as a way station, a stepping stone on the way to breaking into other computers.
The McLean connection became clear. Someone dialed into Mitre, and turned around and dialed out from them. This way, Mitre paid the bills both ways: the incoming Tymnet connection and the outgoing long-distance telephone call. Even nicer, Mitre served as a hiding place, a hole in the wall that couldn’t be traced.
Mitre, the high-security defense contractor—I’d been told that you can’t get past their lobby without showing picture ID. Their guards wear guns, and their fences are barbed. Yet all it takes is a home computer and a telephone to prowl through their databases.
Monday morning, I called Bill Chandler at Mitre and told him the news. I didn’t expect him to believe me, so I wasn’t disappointed to hear him insist that his company was “highly secured and sensitive to any security problems.”
I’d heard it before. “If you’re so concerned about security, why isn’t anyone auditing your computers?”
“We do. We keep detailed records of how each computer’s used,” Bill said. “But that’s for accounting, not to detect hackers.” I wondered what his people would do about a 75 cent accounting error.
“Ever hear about a system called the Aerovax?”
“Yeah, what about it?”
“Just wondering. Hold any classified data?”
“Not that I know. It’s for an airport control system. Why?”
“Oh, just wondering. You ought to check it over, though.” I couldn’t admit that I’d danced through his system yesterday, discovering the Trojan horse. “Know any way for a hacker to enter your system?”
“It had better be impossible.”
“You might check out your public access dial in ports. While you’re at it, try accessing Mitre’s computers over Tymnet. Anyone can connect to your syst
em, from anywhere.”
This latest news woke him up to some serious problems in his system. Mitre wasn’t inept. Just semi-ept.
Bill wasn’t sure how to react, but he wouldn’t keep his system open any longer. I couldn’t blame him. His computers were naked.
Mostly, he wanted me to keep my mouth shut.
I’d shut up, all right, on one condition. For months, Mitre’s computers had called around the country, using expensive, AT&T long-distance telephone lines. There must be phone bills for those calls.
In Berkeley, five of us shared a house. We had a monthly dinner party when the phone bill arrived. With poker faces, each of us would deny making any of the calls. But somehow, eventually, every call was accounted for, and the bill paid.
If the five of us could haggle through a phone bill, Mitre must be able to as well. I asked Bill Chandler, “Who pays the phone bills for your computer?”
“I’m not sure,” he replied. “Probably central accounting. I never see them.”
That’s how the hacker got away with it for so long. The people paying the phone bills never talked to the managers of the computers. Strange. Or was it typical? The computer’s modems run up a long-distance phone bill. The phone company sends the bill to Mitre, and some faceless accountant signs a check. Nobody closes the loop. Nobody asks about the legitimacy of those dozens of calls to Berkeley.
Bill wanted me to be quiet about these problems. Well, yes, but I had a price. “Say, Bill, could you send me copies of your computer’s phone bills?”
“What for?”
“It might be fun to see where else this hacker got into.”
Two weeks later, a thick envelope arrived, stuffed with long-distance bills from Chesapeake and Potomac.