Suelette Dreyfus, Julian Assange


that he had come from a specific telephone number.

He and Mendax joked that if they called a `hot' site they would use Trax's technique to send the line trace--and the bill--back to one very special number. The one belonging to the AFP's Computer Crime Unit in Melbourne.

All three IS hackers suspected the AFP was close on their heels. Roving through the Canberra-based computer system belonging to the man who essentially ran the Internet in Australia, Geoff Huston, they watched the combined efforts of police and the Australian Academic and Research Network (AARNET) to trace them.

Craig Warren of Deakin University had written to Huston, AARNET technical manager, about hacker attacks on university systems. Huston had forwarded a copy of the letter to Peter Elford, who assisted Huston in managing AARNET. The hackers broke into Huston's system and also read the letter:

From Mon Sep 23 09:40:43 1991
Received: from [] by with SMTP id AA00265 (5.65+/IDA-1.3.5 for pte900); Mon, 23 Sep 91 09:40:39 +1000
Date: Mon, 23 Sep 91 09:40:39 +1000
Message-Id: <>

Subject: Re: Visitors log Thursday Night--Friday Morning
Status: RO

>Date: Sun, 22 Sep 91 19:29:13 +1000
>From: Craig Warren

>Just to give you a little bit of an idea about what has been happening since we last spoke...

>We have communicated with Sgt Ken Day of the Federal Police about 100 times in the last week. Together with our counterparts from Warrnambool, traces have been arranged on dial-in lines and on Austpac lines for the terminal server which was left open to the world.

>On Friday afternoon we were able to trace a call back to a person in the Warrnambool telephone district. The police have this person's name. We believe others are involved, as we have seen up to 3 people active at any one time. It is `suspected' students from RMIT and perhaps students from Deakin are also involved.

>When I left on Friday night, there was plenty of activity still and the police and Telecom were tracking down another number.

>Tomorrow morning I will talk to all parties involved, but it is likely we will have the names of at least 2 or 3 people that are involved. We will probably shut down access of `cappella' to AARNet at this stage, and let the police go about their business of prosecuting these people.

>You will be `pleased' (:-)) to know you have not been the only ones under attack. I know of at least 2 other sites in Victoria that have had people attacking them. One of them was Telecom which helped get Telecom involved!

>I will brief you all in the next day or so as to what has happened.

>Regards, Craig


The `other' people were, of course, the IS hackers. There is nothing like reading about your own hacking antics in someone's security


Mendax and Prime Suspect frequently visited ANU's computers to read the security mail there. However, universities were usually nothing special, just jumping-off points and, occasionally, good sources of information on how close the AFP were to closing in on the IS hackers.

Far more interesting to Mendax were his initial forays into Telecom's exchanges. Using a modem number Prime Suspect had found, he dialled into what he suspected was Telecom's Lonsdale Exchange in downtown Melbourne. When his modem connected to another one, all he saw was a blank screen. He tried a few basic commands which might give him help to understand the system:

Login. List. Attach.

The exchange's computer remained silent.

Mendax ran a program he had written to fire off every recognised keyboard character--256 of them--at another machine. Nothing again. He then tried the break signal--the Amiga key and the character B pressed simultaneously. That got an answer of sorts.


He pulled up another of his hacking tools, a program which dumped 200 common commands to the other machine. Nothing. Finally, he tried typing `logout'. That gave him an answer:

error, not logged on

Ah, thought Mendax. The command is `logon' not `login'.

The Telecom exchange answered: `username:' Now all Mendax had to do was figure out a username and password.

He knew that Telecom used NorTel equipment. More than likely, NorTel staff were training Telecom workers and would need access themselves. If there were lots of NorTel employees working on many different phone switches, it would be difficult to pass on secure passwords to staff all the time. NorTel and Telecom people would probably pick something easy and universal. What password best fitted that description?

username: nortel
password: nortel

It worked.

Unfortunately, Mendax didn't know which commands to use once he got into the machine, and there was no on-line documentation to provide help. The telephone switch had its own language, unlike anything he had ever encountered before.

After hours of painstaking research, Mendax constructed a list of commands which would work on the exchange's computer. The exchange appeared to control all the special six-digit phone numbers beginning with 13, such as those used for airline reservations or some pizza delivery services. It was Telecom's `Intelligent Network' which did many specific tasks, including routing calls to the nearest possible branch of the organisation being called. Mendax looked through the list of commands, found `RANGE', and recognised it as a command which would allow someone to select all the phone numbers in a certain range. He selected a thousand numbers, all with the prefix 634, which he believed to be in Telecom's Queen Street offices.

Now, to test a command. Mendax wanted something innocuous, which wouldn't screw up the 1000 lines permanently. It was almost 7 a.m. and he needed to wrap things up before Telecom employees began coming into


`RING' seemed harmless enough. It might ring one of the numbers in the range after another--a process he could stop. He typed the command in. Nothing happened. Then a few full stops began to slowly spread across his screen:

. . . . . . .

The system had just rung all 1000 numbers at the same time. One thousand phones ringing all at once.

What if some buttoned-down Telecom engineer had driven to work early that morning to get some work done? What if he had just settled down at his standard-issue metal Telecom desk with a cup of bad instant coffee in a styrofoam cup when suddenly ... every telephone in the skyscraper had rung out simultaneously? How suspicious would that look? Mendax thought it was time to high-tail it out of there.

On his way out, he disabled the logs for the modem line he came in on. That way, no-one would be able to see what he had been up to. In fact, he hoped no-one would know that anyone had even used the dial-up line at all.

Prime Suspect didn't think there was anything wrong with exploring the NorTel computer system. Many computer sites posted warnings in the login screen about it being illegal to break into the system, but the eighteen-year-old didn't consider himself an intruder. In Prime Suspect's eyes, `intruder' suggested someone with ill intent--perhaps someone planning to do damage to the system--and he certainly had no ill intent. He was just a visitor.

Mendax logged into the NMELH1 system by using the account Prime Suspect had given him, and immediately looked around to see who else was on-line. Prime Suspect and about nine other people, only three of whom were actually doing something at their terminal.

Prime Suspect and Mendax raced to get root on the system. The IS hackers may not have been the type to brag about their conquests in the underground, but each still had a competitive streak when it came to seeing who could get control over the system first. There was no ill will, just a little friendly competition between mates.

Mendax poked around and realised the root directory, which contained the password file, was effectively world writable. This was good news, and with some quick manipulation he would be able to insert something into the root directory. On a more secure system, unprivileged users would not be able to do that. Mendax could also copy things from the directory on this site, and change the names of subdirectories within the main root directory. All these permissions were important, for they would enable him to create a Trojan.

Named for the Trojan horse which precipitated the fall of Troy, the Trojan is a favoured approach with most computer hackers. The hacker simply tricks a computer system or a user into thinking that a slightly altered file or directory--the Trojan--is the legitimate one. The Trojan directory, however, contains false information to fool the computer into doing something the hacker wants. Alternatively, the Trojan might simply trick a legitimate user into giving away valuable information, such as his user name and password.

Mendax made a new directory and copied the contents of the legitimate ETC directory--where the password files were stored--into it. The passwords were encrypted, so there wasn't much sense trying to look at one since the hacker wouldn't be able to read it. Instead, he selected a random legitimate user--call him Joe--and deleted his password. With no password, Mendax would be able to log in as Joe without any


However, Joe was just an average user. He didn't have root, which is what Mendax wanted. But like every other user on the system, Joe had a user identity number. Mendax changed Joe's user id to `0'--the magic number. A user with `0' as his id had root. Joe had just acquired power usually only given to system administrators. Of course, Mendax could have searched out a user on the list who already had root, but there were system operators logged onto the system and it might have raised suspicions if another operator with root access had logged in over the dial-up lines. The best line of defence was to avoid making anyone on the system suspicious in the first place.

The problem now was to replace the original ETC directory with the Trojan one. Mendax did not have the privileges to delete the legitimate ETC directory, but he could change the name of a directory. So he changed the name of the ETC directory to something the computer system would not recognise. Without access to its list of users, the computer could not perform most of its functions. People would not be able to log in, see who else was on the system or send electronic mail. Mendax had to work very quickly. Within a matter of minutes, someone would notice the system had serious problems.

Mendax renamed his Trojan directory ETC. The system instantly read the fake directory, including Joe's now non-existent password, and elevated status as a super-user. Mendax logged in again, this time as


In less than five minutes, a twenty-year-old boy with little formal education, a pokey $700 computer and painfully slow modem had conquered the Melbourne computer system of one of the world's largest telecommunications companies.

There were still a few footprints to be cleaned up. The next time Joe logged in, he would wonder why the computer didn't ask for his password. And he might be surprised to discover he had been transformed into a super-user. So Mendax used his super-user status to delete the Trojan ETC file and return the original one to its proper place. He also erased records showing he had ever logged in as Joe.
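The whole manoeuvre above comes down to two edits in one passwd entry: the password field emptied and the uid set to 0, inside a directory swapped in and out within minutes. The check below is an added example, not code from the book or from NorTel. It parses a passwd file, flags both conditions, and compares the file with a trusted baseline copy, which is what catches a swap even when the attacker restores the original afterwards (provided the comparison ran during the window). The passwd lines, the account names and the `joe` entry mirroring the tampered account are all constructed samples.

```python
"""Audit a Unix passwd file for an emptied password field and for a
non-root account carrying uid 0, and diff it against a trusted baseline.
Added example; all passwd lines below are constructed samples."""

# Constructed trusted copy: four ordinary accounts, only root has uid 0.
BASELINE_PASSWD = """\
root:x8Qk2L9mZ1p3c:0:0:Superuser:/:/bin/sh
daemon:*:1:1:System daemon:/:/bin/false
joe:Qw7eR8tY9uI0o:1001:20:Joe Average:/home/joe:/bin/csh
ann:Ab3cD4eF5gH6i:201:20:Ann Ordinary:/home/ann:/bin/sh
"""

# Constructed tampered copy: joe's password field is empty and his uid is 0.
SAMPLE_PASSWD = """\
root:x8Qk2L9mZ1p3c:0:0:Superuser:/:/bin/sh
daemon:*:1:1:System daemon:/:/bin/false
joe::0:20:Joe Average:/home/joe:/bin/csh
ann:Ab3cD4eF5gH6i:201:20:Ann Ordinary:/home/ann:/bin/sh
"""


def parse_passwd(text):
    """Return one dict per well-formed passwd line (7 colon-separated fields)."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, pw, uid, gid, _gecos, home, shell = fields
        entries.append({"name": name, "pw": pw, "uid": int(uid), "gid": int(gid),
                        "home": home, "shell": shell})
    return entries


def audit_passwd(text, expected_root_accounts=("root",)):
    """Flag accounts that can log in with no password or that hold uid 0 unexpectedly."""
    findings = []
    for e in parse_passwd(text):
        if e["pw"] == "":
            findings.append((e["name"], "empty password field: login without a password"))
        if e["uid"] == 0 and e["name"] not in expected_root_accounts:
            findings.append((e["name"], "uid 0 on a non-root account: unexpected superuser"))
    return findings


def diff_passwd(baseline_text, current_text):
    """Report accounts whose password or uid field differs from the trusted baseline,
    plus accounts added to or missing from the current file."""
    base = {e["name"]: e for e in parse_passwd(baseline_text)}
    cur = {e["name"]: e for e in parse_passwd(current_text)}
    changes = []
    for name, e in cur.items():
        b = base.get(name)
        if b is None:
            changes.append((name, "account not in baseline"))
            continue
        for field in ("pw", "uid"):
            if b[field] != e[field]:
                changes.append((name, f"{field} changed from {b[field]!r} to {e[field]!r}"))
    for name in base:
        if name not in cur:
            changes.append((name, "account missing from current file"))
    return changes


if __name__ == "__main__":
    for account, finding in audit_passwd(SAMPLE_PASSWD):
        print(f"audit: {account}: {finding}")
    for account, change in diff_passwd(BASELINE_PASSWD, SAMPLE_PASSWD):
        print(f"diff:  {account}: {change}")
```

Run against a live system, the baseline would be a copy of the passwd file kept somewhere the unprivileged accounts cannot write, which is exactly the property the NMELH1 root directory lacked; a world-writable parent directory defeats any check that reads its baseline from the same place.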

To make sure he could log in with super-user privileges in future, Mendax installed a special program which would automatically grant him root access. He hid the program in the bowels of the system and, just to be safe, created a special feature so that it could only be activated with a secret keystroke.

Mendax wrestled a root account from NMELH1 first, but Prime Suspect wasn't far behind. Trax joined them a little later. When they began looking around, they could not believe what they had found. The system had one of the weirdest structures they had ever come across.

Most large networks have a hierarchical structure. Further, most hold the addresses of a handful of other systems in the network, usually the systems which are closest in the flow of the external network. But the NorTel network was not structured that way. What the IS hackers found was a network with no hierarchy. It was a totally flat name space. And the network was weird in other ways too. Every computer system on it contained the address of every other computer, and there were more than 11000 computers in NorTel's worldwide network. What the hackers were staring at was like a giant internal corporate Internet which had been squashed flat as a pancake.

Mendax had seen many flat structures before, but never on this scale. It was bizarre. In hierarchical structures, it is easier to tell where the most important computer systems--and information--are kept. But this structure, where every system was virtually equal, was going to make it considerably more difficult for the hackers to navigate their way through the network. Who could tell whether a system housed the Christmas party invite list or the secret designs for a new NorTel


The NorTel network was firewalled, which meant that there was virtually no access from the outside world. Mendax reckoned that this made it more vulnerable to hackers who managed to get in through dial-ups. It appeared that security on the NorTel network was relatively relaxed since it was virtually impossible to break in through the Internet. By sneaking in the backdoor, the hackers found themselves able to raid all sorts of NorTel sites, from St Kilda Road in Melbourne to the corporation's headquarters in Toronto.

It was fantastic, this huge, trusting network of computer sites at their fingertips, and the young hackers were elated with the anticipation of exploration. One of them described it as being `like a shipwrecked man washed ashore on a Tahitian island populated by 11000 virgins, just ripe for the picking'.

They found a YP, or yellow pages, database linked to 400 of the computer sites. These 400 sites were dependent on this YP database for their password files. Mendax managed to get root on the YP database, which gave him instant control over 400 computer systems. Groovy.

One system was home to a senior NorTel computer security administrator and Mendax promptly headed off to check out his mailbox. The contents made him laugh.

A letter from the Australian office said that Australia's Telecom wanted access to CORWAN, NorTel's corporate wide area network. Access would involve linking CORWAN and a small Telecom network. This seemed reasonable enough since Telecom did business with NorTel and staff were communicating all the time.

The Canadian security admin had written back turning down the request because there were too many hackers in the Telecom network.

Too many hackers in Telecom? Now that was funny. Here was a hacker reading the sensitive mail of NorTel's computer security expert who reckoned Telecom's network was too exposed. In fact, Mendax had penetrated Telecom's systems from NorTel's CORWAN, not the other way


Perhaps to prove the point, Mendax decided to crack passwords to the NorTel system. He collected 1003 password files from the NorTel sites, pulled up his password cracking program, THC, and started hunting around the network for some spare computers to do the job for him. He located a collection of 40 Sun computers, probably housed in Canada, and set up his program on them.

THC ran very fast on those Sun4s. The program used a 60000 word dictionary borrowed from someone in the US army who had done a thesis on cryptography and password cracking. It also relied on `a particularly nice fast-crypt algorithm' being developed by a Queensland academic, Eric Young. The THC program worked about 30 times faster than it would have done using the standard algorithm.

Using all 40 computers, Mendax was throwing as many as 40000 guesses per second against the password lists. A couple of the Suns went down under the strain, but most held their place in the onslaught. The secret passwords began dropping like flies. In just a few hours, Mendax had cracked 5000 passwords, some 100 of which were to root accounts. He now had access to thousands of NorTel computers across the globe.

There were some very nice prizes to be had from these systems. Gain control over a large company's computer systems and you virtually controlled the company itself. It was as though you could walk through every security barrier unchecked, beginning with the front door. Want each employee's security codes for the office's front door? There it


How about access to the company's payroll records? You could see how much money each person earns. Better still, you might like to make yourself an employee and pay yourself a tidy once-off bonus through electronic funds transfer. Of course there were other, less obvious, ways of making money, such as espionage.

Mendax could have easily found highly sensitive information about planned NorTel products and sold them. For a company like NorTel, which spent more than $1 billion each year on research and development, information leaks about its new technologies could be devastating. The espionage wouldn't even have to be about new products; it could simply be about the company's business strategies. With access to all sorts of internal memos between senior executives, a hacker could procure precious inside information on markets and prices. A competitor might pay handsomely for this sort of


And this was just the start of what a malicious or profit-motivated hacker could do. In many companies, the automated aspects of manufacturing plants are controlled by computers. The smallest changes to the programs controlling the machine tools could destroy an entire batch of widgets--and the multi-million dollar robotics machinery which manufactures them.

But the IS hackers had no intention of committing information espionage. In fact, despite their poor financial status as students or, in the case of Trax, as a young man starting his career at the bottom of the totem pole, none of them would have sold information they gained from hacking. In their view, such behaviour was dirty and deserving of contempt--it soiled the adventure and was against their ethics. They considered themselves explorers, not paid corporate


Although the NorTel network was firewalled, there was one link to the Internet. The link was through a system called BNRGATE, Bell-Northern Research's gateway to the Internet. Bell-Northern is NorTel's R&D subsidiary. The connection to the outside electronic world was very restricted, but it looked interesting. The only problem was how to get there.

Mendax began hunting around for a doorway. His password cracking program had not turned up anything for this system, but there were other, more subtle ways of getting a password than the brute force of a cracking program.

System administrators sometimes sent passwords through email. Normally this would be a major security risk, but the NorTel system was firewalled from the Internet, so the admins thought they had no real reason to be concerned about hackers. Besides, in such a large corporation spanning several continents, an admin couldn't always just pop downstairs to give a new company manager his password in person. And an impatient manager was unlikely to be willing to wait a week for the new password to arrive courtesy of snail mail.

In the NorTel network, a mail spool, where email was stored, was often shared between as many as twenty computer systems. This structure offered considerable advantages for Mendax. All he needed to do was break into the mail spool and run a keyword search through its contents. Tell the computer to search for word combinations such as `BNRGATE' and `password', or to look for the name of the system admin for BNRGATE, and likely as not it would deliver tender morsels of information such as new passwords.
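The keyword search described above worked because credentials sat in clear text in a spool shared by twenty machines, so the same search an administrator could have run first is the check worth having. What follows is an added example, not code from the book or from NorTel: a scan over an mbox-format spool that flags each message carrying a credential, names any listed system it mentions, and masks the secret so the finding can be handed to the sender for rotation without re-exposing it. The spool, the addresses, the `bnrgate` keyword and the placeholder secret are all constructed samples, and the pattern is a heuristic that will also catch some harmless sentences.

```python
"""Flag clear-text credentials in an mbox-format mail spool.
Added example; the spool, addresses and keyword below are constructed."""
import re

# Constructed two-message spool: the first carries a credential for a
# gateway host, the second merely mentions the word 'password'.
SAMPLE_SPOOL = """\
From admin Mon Sep 23 09:40:43 1991
From: admin
To: newmgr
Subject: your account

Welcome aboard. Your account on bnrgate is ready.
password: s3cret-placeholder
Change it when you log in.

From ann Mon Sep 23 10:02:11 1991
From: ann
To: bob
Subject: lunch

Meet at noon? I reset my own password yesterday, so no more lockouts.
"""

# 'password is foo', 'passwd: foo', 'password=foo'; the secret is group 2.
CRED_RE = re.compile(r"\b(password|passwd)\s*(?:is|:|=)\s*(\S+)", re.IGNORECASE)


def split_mbox(text):
    """Return (headers, body) pairs; messages start at a line beginning 'From '."""
    messages = []
    for raw in re.split(r"(?m)^From ", text)[1:]:
        head, _, body = raw.partition("\n\n")
        headers = {}
        for line in head.splitlines()[1:]:  # line 0 is the mbox separator line
            key, _, value = line.partition(":")
            headers[key.strip().lower()] = value.strip()
        messages.append((headers, body))
    return messages


def mask_secret(secret):
    """Keep the first two characters so the sender can recognise the value."""
    return secret[:2] + "*" * (len(secret) - 2)


def find_cleartext_credentials(text, system_keywords=("bnrgate",)):
    """Return (sender, subject, systems named, masked secret) per flagged message."""
    findings = []
    for headers, body in split_mbox(text):
        match = CRED_RE.search(body)
        if not match:
            continue
        systems = [k for k in system_keywords if k in body.lower()]
        findings.append((headers.get("from", ""), headers.get("subject", ""),
                         systems, mask_secret(match.group(2))))
    return findings


if __name__ == "__main__":
    for sender, subject, systems, masked in find_cleartext_credentials(SAMPLE_SPOOL):
        print(f"{sender!r} -> {subject!r}: systems={systems} secret={masked}")
```

Anything this scan reports is a credential that must be treated as already disclosed to every account that can read the spool, which on the shared spools above was every user of twenty systems; the remedy is to rotate it, not to delete the message.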

Mendax used a password he found through this method to get into BNRGATE and look around. The account he was using only had very restricted privileges, and he couldn't get root on the system. For example, he could not FTP files from outside the NorTel network in the normal way. Among Internet users FTP (file transfer protocol) is both a noun and a verb: to FTP a program is to slurp a copy of it off one computer site into your own. There is nothing illegal about FTP-ing something per se, and millions of people across the Internet do so quite legitimately.

It appeared to Mendax that the NorTel network admins allowed most users to FTP something from the Internet, but prevented them from taking the copied file back to their NorTel computer site. It was stored in a special holding pen in BNRGATE and, like quarantine officers, the system admins would presumably come along regularly and inspect the contents to make sure there were no hidden viruses or Trojans which hackers might use to sneak into the network from the Internet.

However, a small number of accounts on BNRGATE had fewer restrictions. Mendax broke into one of these accounts and went out to the Internet. People from the Internet were barred from entering the NorTel network through BNRGATE. However, people inside NorTel could go out to the Internet via telnet.

Hackers had undoubtedly tried to break into NorTel through BNRGATE. Dozens, perhaps hundreds, had unsuccessfully flung themselves against
