that he had come from a specific telephone number.
He and Mendax joked that if they called a `hot' site they would use
Trax's technique to send the line trace--and the bill--back to one
very special number. The one belonging to the AFP's Computer Crime
Unit in Melbourne.
All three IS hackers suspected the AFP was close on their heels.
Roving through the Canberra-based computer system belonging to the man
who essentially ran the Internet in Australia, Geoff Huston, they
watched the combined efforts of police and the Australian Academic and
Research Network (AARNET) to trace them.
Craig Warren of Deakin University had written to Huston, AARNET
technical manager, about hacker attacks on university systems. Huston
had forwarded a copy of the letter to Peter Elford, who assisted
Huston in managing AARNET. The hackers broke into Huston's system and
also read the letter:
From G.Huston@aarnet.edu.au Mon Sep 23 09:40:43 1991
Received: from [184.108.40.206] by jatz.aarnet.edu.au with SMTP id
AA00265 (5.65+/IDA-1.3.5 for pte900); Mon, 23 Sep 91 09:40:39 +1000
Date: Mon, 23 Sep 91 09:40:39 +1000
Subject: Re: Visitors log Thursday Night--Friday Morning
>Date: Sun, 22 Sep 91 19:29:13 +1000
>From: Craig Warren
>Just to give you a little bit of an idea about what has been
>We have communicated with Sgt Ken Day of the Federal Police about 100
Warrnambool traces have been arranged on dial-in lines and on Austpac
lines for the capella.cc.deakin.OZ.AU terminal server which was left
open to the world.
>On Friday afternoon we were able to trace a call back to a person in
We believe others are involved, as we have seen up to 3 people active
at any one time. It is `suspected' students from RMIT and perhaps
students from Deakin are also involved.
>When I left on Friday night, there was plenty of activity still and
>Tomorrow morning I will talk to all parties involved, but it is
involved. We will probably shut down access of `cappella' to AARNet at
this stage, and let the police go about their business of prosecuting
>You will be `pleased' (:-)) to know you have not been the only ones
had people attacking them. One of them was Telecom which helped get
>I will brief you all in the next day or so as to what has happened.
The `other' people were, of course, the IS hackers. There is nothing
the security mail there. However, universities were usually nothing
special, just jumping-off points and, occasionally, good sources of
information on how close the AFP were to closing in on the IS hackers.
Far more interesting to Mendax were his initial forays into Telecom's
exchanges. Using a modem number Prime Suspect had found, he dialled
into what he suspected was Telecom's Lonsdale Exchange in downtown
Melbourne. When his modem connected to another one, all he saw was a
blank screen. He tried a few basic commands which might give him help
to understand the system:
Login. List. Attach.
The exchange's computer remained silent.
Mendax ran a program he had written to fire off every recognised
keyboard character--256 of them--at another machine. Nothing again. He
then tried the break signal--the Amiga key and the character B pressed
simultaneously. That got an answer of sorts.
He pulled up another of his hacking tools, a program which dumped 200
typing `logout'. That gave him an answer:
error, not logged on
Ah, thought Mendax. The command is `logon' not `login'.
The Telecom exchange answered: `username:' Now all Mendax had to do
He knew that Telecom used NorTel equipment. More than likely, NorTel
staff were training Telecom workers and would need access themselves.
If there were lots of NorTel employees working on many different phone
switches, it would be difficult to pass on secure passwords to staff
all the time. NorTel and Telecom people would probably pick something
easy and universal. What password best fitted that description?
Unfortunately, Mendax didn't know which commands to use once he got
into the machine, and there was no on-line documentation to provide
help. The telephone switch had its own language, unlike anything he
had ever encountered before.
After hours of painstaking research, Mendax constructed a list of
commands which would work on the exchange's computer. The exchange
appeared to control all the special six-digit phone numbers beginning
with 13, such as those used for airline reservations or some pizza
delivery services. It was Telecom's `Intelligent Network' which did
many specific tasks, including routing calls to the nearest possible
branch of the organisation being called. Mendax looked through the
list of commands, found `RANGE', and recognised it as a command which
would allow someone to select all the phone numbers in a certain
range. He selected a thousand numbers, all with the prefix 634, which
he believed to be in Telecom's Queen Street offices.
Now, to test a command. Mendax wanted something innocuous, which
wouldn't screw up the 1000 lines permanently. It was almost 7 a.m. and
he needed to wrap things up before Telecom employees began coming into
`RING' seemed harmless enough. It might ring one of the numbers in the
Nothing happened. Then a few full stops began to slowly spread across
. . . . . . .
The system had just rung all 1000 numbers at the same time. One
What if some buttoned-down Telecom engineer had driven to work early
that morning to get some work done? What if he had just settled down
at his standard-issue metal Telecom desk with a cup of bad instant
coffee in a styrofoam cup when suddenly ... every telephone in the
skyscraper had rung out simultaneously? How suspicious would that
look? Mendax thought it was time to high-tail it out of there.
On his way out, he disabled the logs for the modem line he came in on.
That way, no-one would be able to see what he had been up to. In fact,
he hoped no-one would know that anyone had even used the dial-up line
Prime Suspect didn't think there was anything wrong with exploring the
login screen about it being illegal to break into the system, but the
eighteen-year-old didn't consider himself an intruder. In Prime
Suspect's eyes, `intruder' suggested someone with ill intent--perhaps
someone planning to do damage to the system--and he certainly had no
ill intent. He was just a visitor.
Mendax logged into the NMELH1 system by using the account Prime
Suspect had given him, and immediately looked around to see who else
was on-line. Prime Suspect and about nine other people, only three of
whom were actually doing something at their terminal.
Prime Suspect and Mendax raced to get root on the system. The IS
hackers may not have been the type to brag about their conquests in
the underground, but each still had a competitive streak when it came
to see who could get control over the system first. There was no ill
will, just a little friendly competition between mates.
Mendax poked around and realised the root directory, which contained
the password file, was effectively world writable. This was good news,
and with some quick manipulation he would be able to insert something
into the root directory. On a more secure system, unprivileged users
would not be able to do that. Mendax could also copy things from the
directory on this site, and change the names of subdirectories within
the main root directory. All these permissions were important, for
they would enable him to create a Trojan.
Named for the Trojan horse which precipitated the fall of Troy, the
Trojan is a favoured approach with most computer hackers. The hacker
simply tricks a computer system or a user into thinking that a
slightly altered file or directory--the Trojan--is the legitimate one.
The Trojan directory, however, contains false information to fool the
computer into doing something the hacker wants. Alternatively, the
Trojan might simply trick a legitimate user into giving away valuable
information, such as his user name and password.
Mendax made a new directory and copied the contents of the legitimate
ETC directory--where the password files were stored--into it. The
passwords were encrypted, so there wasn't much sense trying to look at
one since the hacker wouldn't be able to read it. Instead, he selected
a random legitimate user--call him Joe--and deleted his password. With
no password, Mendax would be able to login as Joe without any
However, Joe was just an average user. He didn't have root, which is
what Mendax wanted. But like every other user on the system, Joe had a
user identity number. Mendax changed Joe's user id to `0'--the magic
number. A user with `0' as his id had root. Joe had just acquired
power usually only given to system administrators. Of course, Mendax
could have searched out a user on the list who already had root, but
there were system operators logged onto the system and it might have
raised suspicions if another operator with root access had logged in
over the dial-up lines. The best line of defence was to avoid making
anyone on the system suspicious in the first place.
The problem now was to replace the original ETC directory with the
Trojan one. Mendax did not have the privileges to delete the
legitimate ETC directory, but he could change the name of a directory.
So he changed the name of the ETC directory to something the computer
system would not recognise. Without access to its list of users, the
computer could not perform most of its functions. People would not be
able to log in, see who else was on the system or send electronic
mail. Mendax had to work very quickly. Within a matter of minutes,
someone would notice the system had serious problems.
Mendax renamed his Trojan directory ETC. The system instantly read the
fake directory, including Joe's now non-existent password, and
elevated status as a super-user. Mendax logged in again, this time as
In less than five minutes, a twenty-year-old boy with little formal
conquered the Melbourne computer system of one of the world's largest
There were still a few footprints to be cleaned up. The next time Joe
logged in, he would wonder why the computer didn't ask for his
password. And he might be surprised to discover he had been
transformed into a super-user. So Mendax used his super-user status to
delete the Trojan ETC file and return the original one to its proper
place. He also erased records showing he had ever logged in as Joe.
To make sure he could login with super-user privileges in future,
Mendax installed a special program which would automatically grant him
root access. He hid the program in the bowels of the system and, just
to be safe, created a special feature so that it could only be
activated with a secret keystroke.
Mendax wrestled a root account from NMELH1 first, but Prime Suspect
wasn't far behind. Trax joined them a little later. When they began
looking around, they could not believe what they had found. The system
had one of the weirdest structures they had ever come across.
Most large networks have a hierarchical structure. Further, most hold
the addresses of a handful of other systems in the network, usually
the systems which are closest in the flow of the external network.
But the NorTel network was not structured that way. What the IS
hackers found was a network with no hierarchy. It was a totally flat
name space. And the network was weird in other ways too. Every
computer system on it contained the address of every other computer,
and there were more than 11000 computers in NorTel's worldwide
network. What the hackers were staring at was like a giant internal
corporate Internet which had been squashed flat as a pancake.
Mendax had seen many flat structures before, but never on this scale.
It was bizarre. In hierarchical structures, it is easier to tell where
the most important computer systems--and information--are kept. But
this structure, where every system was virtually equal, was going to
make it considerably more difficult for the hackers to navigate their
way through the network. Who could tell whether a system housed the
Christmas party invite list or the secret designs for a new NorTel
virtually no access from the outside world. Mendax reckoned that this
made it more vulnerable to hackers who managed to get in through
dial-ups. It appeared that security on the NorTel network was
relatively relaxed since it was virtually impossible to break in
through the Internet. By sneaking in the backdoor, the hackers found
themselves able to raid all sorts of NorTel sites, from St Kilda Road
in Melbourne to the corporation's headquarters in Toronto.
It was fantastic, this huge, trusting network of computer sites at
their fingertips, and the young hackers were elated with the
anticipation of exploration. One of them described it as being `like a
shipwrecked man washed ashore on a Tahitian island populated by 11000
virgins, just ripe for the picking'.
They found a YP, or yellow pages, database linked to 400 of the
computer sites. These 400 sites were dependent on this YP database for
their password files. Mendax managed to get root on the YP database,
which gave him instant control over 400 computer systems. Groovy.
One system was home to a senior NorTel computer security administrator
and Mendax promptly headed off to check out his mailbox. The contents
made him laugh.
A letter from the Australian office said that Australia's Telecom
wanted access to CORWAN, NorTel's corporate wide area network. Access
would involve linking CORWAN and a small Telecom network. This seemed
reasonable enough since Telecom did business with NorTel and staff
were communicating all the time.
The Canadian security admin had written back turning down the request
because there were too many hackers in the Telecom network.
Too many hackers in Telecom? Now that was funny. Here was a hacker
reading the sensitive mail of NorTel's computer security expert who
reckoned Telecom's network was too exposed. In fact, Mendax had
penetrated Telecom's systems from NorTel's CORWAN, not the other way
NorTel system. He collected 1003 password files from the NorTel sites,
pulled up his password cracking program, THC, and started hunting
around the network for some spare computers to do the job for him. He
located a collection of 40 Sun computers, probably housed in Canada,
and set up his program on them.
THC ran very fast on those Sun4s. The program used a 60000 word
dictionary borrowed from someone in the US army who had done a thesis
on cryptography and password cracking. It also relied on `a
particularly nice fast-crypt algorithm' being developed by a
Queensland academic, Eric Young. The THC program worked about 30 times
faster than it would have done using the standard algorithm.
Using all 40 computers, Mendax was throwing as many as 40000 guesses
per second against the password lists. A couple of the Suns went down
under the strain, but most held their place in the onslaught. The
secret passwords began dropping like flies. In just a few hours,
Mendax had cracked 5000 passwords, some 100 of which were to root
accounts. He now had access to thousands of NorTel computers across
There were some very nice prizes to be had from these systems. Gain
control over a large company's computer systems and you virtually
controlled the company itself. It was as though you could walk through
every security barrier unchecked, beginning with the front door. Want
each employee's security codes for the office's front door? There it
How about access to the company's payroll records? You could see how
much money each person earns. Better still, you might like to make
yourself an employee and pay yourself a tidy once-off bonus through
electronic funds transfer. Of course there were other, less obvious,
ways of making money, such as espionage.
Mendax could have easily found highly sensitive information about
planned NorTel products and sold them. For a company like NorTel,
which spent more than $1 billion each year on research and
development, information leaks about its new technologies could be
devastating. The espionage wouldn't even have to be about new
products; it could simply be about the company's business strategies.
With access to all sorts of internal memos between senior executives,
a hacker could procure precious inside information on markets and
prices. A competitor might pay handsomely for this sort of
And this was just the start of what a malicious or profit-motivated
hacker could do. In many companies, the automated aspects of
manufacturing plants are controlled by computers. The smallest changes
to the programs controlling the machine tools could destroy an entire
batch of widgets--and the multi-million dollar robotics machinery
which manufactures them.
But the IS hackers had no intention of committing information
espionage. In fact, despite their poor financial status as students
or, in the case of Trax, as a young man starting his career at the
bottom of the totem pole, none of them would have sold information
they gained from hacking. In their view, such behaviour was dirty and
deserving of contempt--it soiled the adventure and was against their
ethics. They considered themselves explorers, not paid corporate
Internet. The link was through a system called
BNRGATE, Bell-Northern Research's gateway to the Internet.
Bell-Northern is NorTel's R&D subsidiary. The connection to the
outside electronic world was very restricted, but it looked
interesting. The only problem was how to get there.
Mendax began hunting around for a doorway. His password cracking
program had not turned up anything for this system, but there were
other, more subtle ways of getting a password than the brute force of
a cracking program.
System administrators sometimes sent passwords through email. Normally
this would be a major security risk, but the NorTel system was
firewalled from the Internet, so the admins thought they had no real
reason to be concerned about hackers. Besides, in such a large
corporation spanning several continents, an admin couldn't always just
pop downstairs to give a new company manager his password in person.
And an impatient manager was unlikely to be willing to wait a week for
the new password to arrive courtesy of snail mail.
In the NorTel network, a mail spool, where email was stored, was often
shared between as many as twenty computer systems. This structure
offered considerable advantages for Mendax. All he needed to do was
break into the mail spool and run a keyword search through its
contents. Tell the computer to search for word combinations such as
`BNRGATE' and `password', or to look for the name of the system admin
for BNRGATE, and likely as not it would deliver tender morsels of
information such as new passwords.
Mendax used a password he found through this method to get into
BNRGATE and look around. The account he was using only had very
restricted privileges, and he couldn't get root on the system. For
example, he could not FTP files from outside the NorTel network in the
normal way. Among Internet users FTP (file transfer protocol) is both
a noun and a verb: to FTP a program is to slurp a copy of it off one
computer site into your own. There is nothing illegal about FTP-ing
something per se, and millions of people across the Internet do so
It appeared to Mendax that the NorTel network admins allowed most
users to FTP something from the Internet, but prevented them from
taking the copied file back to their NorTel computer site. It was
stored in a special holding pen in
BNRGATE and, like quarantine officers, the system admins would
presumably come along regularly and inspect the contents to make sure
there were no hidden viruses or Trojans which hackers might use to
sneak into the network from the Internet.
However, a small number of accounts on BNRGATE had fewer restrictions.
Mendax broke into one of these accounts and went out to the Internet.
People from the Internet were barred from entering the NorTel network
through BNRGATE. However, people inside NorTel could go out to the
Internet via telnet.
Hackers had undoubtedly tried to break into NorTel through BNRGATE.
Dozens, perhaps hundreds, had unsuccessfully flung themselves against