Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker (22 page)

As I approached Victorville, I dialed the number Mary had given me, reaching a guy who said his name was Omar. “Hey, Omar, this is Tony Howard with ESAC in Southern California,” I said. “We have a weird situation here. We were tracing a circuit, and it has a thousand-cycle tone on it.” I gave him the trunking information from the LA tandem, and he went off to check.

Leaving Victorville, I was now heading back into an empty stretch of desert and again concerned that the cell call might drop. I slowed
down from my open-road speed of eighty miles an hour so I wouldn’t leave Victorville behind quite so quickly.

It was some time before Omar came back on the line. “I heard that high-pitched tone,” he said, and went
“eeeeeeeeeeeeeeeeeeeeeeeeee”
in imitation of the sound, which made me chuckle to myself—I had heard the tone and didn’t really need to hear his attempt to duplicate it.

He told me the call was originating from Oakland. “Cool,” I said. “Thank you, that’s a help. Give me the trunking information from your switch so we can trace it.”

He queried the switch and gave me the info.

My next call was to the Oakland Switching Control Center. “We’re trying to trace a call from the San Francisco 4E,” I said, and provided the trunking and network information. The tech put me on hold, then came back and gave me a 510 208-3XXX number.

I had now traced the call all the way to its origin. This was the phone number dialing out to one of the boxes in the Calabasas CO that was wiretapping Teltec.

I still wanted to know if that thousand-cycle tone would ever change. If it did, what would happen? Would I hear a data signal? Would I hear a phone conversation?

I called Omar back. “Hey, has anything changed with that tone?”

He answered that he had listened to it for about fifteen minutes and never heard any change.

I asked, “Is it possible to put the handset near the speaker so I can hear the tone? I want to run some tests.” He said he’d put the phone down next to the speaker and I could just hang up when I was done.

This was awesome—with that tone coming through to my cell phone, it was almost like the time I’d eavesdropped on the eavesdroppers at the NSA. I was wiretapping the wiretap—how ironic was that?

By now I was feeling nervous and excited at the same time. But holding the phone to my ear throughout this hours-long social-engineering session had given me an earache, and my arm was getting pretty sore as well.

As I was entering the stretch of desert leading into Barstow, the halfway point to Las Vegas, where the cell coverage was crappy, the call dropped. Damn!

I called Omar back, and he set up the connection again so I could keep listening to that thousand-cycle tone over his loudspeakers. I was hoping the tone would end at some point and I would hear something that would give me some clue to what was going on, what the tone signified.

Coming into view was a complex that served all the good-buddy truckers who drove eighteen-wheelers all day and all night. I pulled in to fill the gas tank of the car and then decided to check up on my dad, who was still suffering over Adam’s death.

With my cell phone tied up with the intercept, I found a pay phone to make the call to my dad. I dialed his number and held on while the phone rang. The high-pitched tone from the cell phone suddenly stopped.

What the hell?!

I grab the cell phone and hold it to my other ear.

My dad’s voice comes over the pay phone receiver as he answers:

“Hello.”

I hear him over the pay phone
and at the same time
over the cell phone!

Fuck!

I can’t believe this.

This intercept isn’t on Teltec anymore… it’s on my dad’s phone. The tap has been moved.

They’re intercepting
us!

Oh,
shit
.

I try to sound calm but assertive, insistent. “Dad, I need you to go over to the pay phone at the Village Market across the street. I have some important news about Adam,” I tell him.

My wording has to be innocuous, something that won’t tip off the intercept listener.

“Kevin, what’s going on?” Dad says, angry at me. “I’m tired of these stupid James Bond games.”

I insist and finally manage to convince him.

I’m sweating. How long have they been intercepting my calls without my knowing? A thousand questions are running through my mind. Was Teltec really a target or was it an elaborate scheme concocted by
Pacific Bell Security to trick me—a way of social-engineering the hacker? My heart is racing as I try to recall everything I said and did on the phone from my dad’s house. What did they hear? How much do they know?

After five minutes, I call the pay phone at the market. “Dad,” I tell him, “get the fucking computer out of the house. You need to do it now! Don’t wait! Those wiretaps, they’re not on Teltec anymore, those guys are listening to
us!
You gotta get the computer out right away—
please!
”

He agrees but sounds really pissed.

My next call is to Lewis, with the same message: “We gotta go into cleanup mode.” We agree we’ll each stash our notes and floppy disks in places where no one will be able to find them.

Let the government try to prosecute: no evidence, no case.

I arrived at my mom’s place in Las Vegas with my nerves shot. I kept obsessively playing over and over in my mind all the conversations they might have intercepted.

What if they’d heard me discussing SAS with Lewis? What if they had heard me social-engineering internal Pacific Bell departments? Just imagining either of those possibilities was giving me heartburn. I was half expecting the U.S. Marshals and my Probation Officer to show up at my door and arrest me.

I needed to know when that intercept had been installed on my dad’s line.

Maybe if I knew who had ordered the taps, I could find a way to discover whether they had picked up anything I should worry about.

The phone companies had been getting so many phone phreaks and PIs calling in lately that they had started requiring verification. So I called Dispatch, the office at Pacific Bell that handed out assignments to the techs in the field, and said, “I’ve got an arson situation here, I need to page some other techs. Who’s on call tonight?”

The operator gave me four names and pager numbers. I paged each of them to call the internal Pacific Bell number I had set up, then once again reprogrammed the call forwarding to go to the number that my cell phone was currently cloned to. When each tech responded to my page, I launched into my “setting up a database” routine.

Why? Because I was asking them for very sensitive information, and
they weren’t going to give that out to just anybody. So my pretext was, “I’m setting up a database of people on call to handle mission-critical problems.” One by one, I’d first ask a series of innocuous questions—“May I get your name, please?” “You work out of which Dispatch Center?” “Who’s your manager?” Once they’d established a pattern of answering my questions, I’d ask for what I really wanted: “What’s your UUID? And your tech code?”

I got what I needed every time, as each tech rattled off his two pieces of verification (UUID, or “universally unique identifier,” and tech code), his manager’s name, and his callback number. A walk in the park.

With these credentials, I could now get back into the Line Assignment Office, the department I next needed information from.

Once my credentials had been verified, my request went like this: “I have an internal number here out of Calabasas—it’s one of ours. Can you find out the CBR number of the person who placed the order?”

“CBR” is telco-speak for “can be reached.” In effect, I was asking for the phone number where I could reach the person who’d issued the order to set up the line—in this case, the line for the thousand-cycle tone on the box tapping one of my dad’s phones.

The lady went off to do her research, then came back and told me, “The order was placed by Pacific Bell Security; the contact name is Lilly Creeks.” She gave me a phone number that began with the San Francisco area code.

I was going to enjoy this part: social-engineering the phone company’s Security Department.

Turning on the TV, I found a show with background conversation that I set at low volume, to sound like the occasional voices of typical office background noise. I needed to influence my target’s perception that I was in a building with other people.

Then I dialed the number.

“Lilly Creeks,” she answered.

“Hi, Lilly,” I said. “This is Tom from the Calabasas frame. We have a few of your boxes over here, and we need to disconnect them. We’re moving in some heavy equipment, and they’re in the way.”

“You can’t disconnect our boxes,” she answered in a voice verging on a screech.

“Listen, there’s no way around it, but I can hook them back up tomorrow afternoon.”

“No,” she insisted. “We really need to keep those boxes connected.”

I gave an audible sigh that I hoped sounded exasperated and annoyed. “We have a lot of equipment being swapped out today. I hope this is really important,” I said. “But let me see what I can do.”

I muted my cell phone and waited. After listening to her breathe into the handset for something like five minutes, I got back on the phone with her. “How about this? You stay on the line, I’ll disconnect your boxes, we’ll move the equipment into place, and then I’ll reconnect them for you. It’s the best I can do—okay?”

She reluctantly agreed. I told her it would take a few minutes.

I muted the call again. Using another cell phone, I called the Calabasas frame, explained to the guy who answered that I was with Pacific Bell Security, and gave all three numbers and their associated office equipment. He still had to look up the number in COSMOS to find out the frame location, based on the “OE.” Once he found each number on the frame, he was able to lift the jumper off for each line, which dropped the connection.

Ms. Creeks, sitting at her desk, would be able to tell when each connection was dropped.

While waiting for the frame tech to come back on the line and confirm that the jumpers had been pulled, I went to my fridge and got a Snapple to enjoy while picturing Lilly anxiously sitting in her office with her telephone to her ear.

Then came the part that the whole operation up to now had been just a lead-in for. Back on the line with Lilly, I said, “I’m done here. Do you want your boxes reconnected?”

She sounded annoyed. “Of course.”

“I’ll need the connection information for each line going into the three boxes.” She probably thought I must be a little slow-witted if I didn’t even know where the jumpers belonged that I had pulled just a few minutes earlier, but the request seemed credible because she had seen the connections drop: clearly she really was talking to the frame tech at the CO.

She gave me the information. I said, “Okay, I’ll be right back.”

I put the phone on mute again, then called back the tech in the
Calabasas CO and asked him to reconnect the cables to “our security boxes.”

When he was finished, I thanked him and got back on the other phone. “Hey, Lilly,” I said, “I’ve hooked everything back up. Are they all three working?”

She sounded relieved. “Everything is coming back up now. It all seems to be working.”

“Fine. Just to double-check, what phone numbers should be connected to these boxes? I’ll do a line verification to make sure everything is connected properly.”

She gave me the numbers.

Shit! They weren’t wiretapping just one of my dad’s lines, they were wiretapping
all three!
I wouldn’t be having any more conversations over my dad’s phones, that was for sure.

I still needed to know when the taps had been installed, so I could gauge which of my conversations had been intercepted.

Later, Lewis and I, for kicks, wanted to listen in on some of the other phones that Pacific Bell was tapping.

There was a hitch: for added security, the boxes wouldn’t start monitoring a line until a valid PIN, or “personal identification number,” was entered. I had an idea: it was a long shot, with almost no chance of working, but I tried it anyway.

First I had to be able to call in to the monitor box at the CO. So I’d call the CO and tell the frame tech who answered the phone, “I need you to drop that line because we’re testing.” He’d do it, and Pacific Bell Security’s connection would then be dropped from the intercept.

I dialed in to the box and began guessing the passwords that might have been set up by the manufacturer: “1 2 3 4”… nothing. “1 2 3 4 5”… nothing. All the way up to the last one I figured was worth trying: “1 2 3 4 5 6 7 8.”

Bingo! Incredibly, the people at Pacific Bell Security had never changed the manufacturer’s default PIN on these boxes.

With that password, I now had a complete technique that would let me listen in on any of Pacific Bell’s intercepts anywhere in California. If I found out the Security Department had one of its boxes at the Kester CO, say, or the Webster CO, I’d get a frame tech to drop the line Pacific
Bell was using to call the monitor box, and then I’d call in to the box myself and enter the default PIN, which was the same on every box. Then Lewis and I would listen in and try to figure out who was being intercepted.