Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker (41 page)

“Yes,” he said.

“Okay, Steve, choose a new password you’d like.” Then, as if I’d just had a better idea, I went on, “Oh, never mind, just tell me what your current password is, and I’ll set it to that.”

That naturally made him suspicious. “Who are you again?” he wanted to know. “Who did you say you worked for?”

I repeated what I had told him, calmly, taking it as an everyday thing.

I asked if he had a SecurID. Just as I expected, the answer was yes, so I said, “Let me pull your SecurID application.” This was a gamble. I knew he had probably filled out the form ages before and probably wouldn’t remember whether it had asked for a password. And since I already knew that one of the passwords he used was “mary,” I figured that would sound familiar to him, and he might think he had used it on the SecurID form.

I walked away, opened a drawer, shoved it closed again, came back to the phone, and started shuffling papers.

“Okay, here it is… you used the password ‘mary.’ ”

“Yeah, right,” he said, satisfied. After a slight hesitation, he blurted out, “Okay, my password is ‘bebop1.’ ”

Hook, line, and sinker.

I immediately connected to the server that Alisa had told me about, lc16, and logged on with “steveu” and “bebop1.” I was in!

It didn’t take much hunting to find several versions of the MicroTAC Ultra Lite source code; I archived and compressed them with tar and gzip, and transferred them to Colorado Supernet. Then I took the time to delete Alisa’s history file, which showed the trail of what I had asked her to do. Always a good idea to cover up your tracks.

I spent the rest of the weekend poking around. On Monday morning I stopped calling the NOC for the SecurID passcode. It had been a great run, and there was no sense tempting fate.

I think I had a smile on my face the whole time. Once again I couldn’t believe how easy it was, with no roadblocks being thrown up in front of me. I felt a great sense of accomplishment and the kind of satisfaction I had known as a kid in Little League when I hit a home run.

But later that day, I realized, Damn! I had never thought to grab the compiler—the program that translates the source code written by a programmer into “machine-readable” code, the ones and zeros that a computer, or the processor in a cell phone, can understand.

So that became my next challenge. Did Motorola develop their own compiler for the 68HC11 processor used in the MicroTac, or did they purchase it from another software vendor? And how was I going to get it?

In late October, my regular scanning of Westlaw and LexisNexis yielded an article about Justin Petersen’s most recent adventure. Sometimes the FBI will look the other way when a confidential informant doesn’t live by the book, but there are limits. It turned out that Kevin Poulsen’s associate Ron Austin, who’d been set up by Justin Petersen, was on a personal crusade to get even with the snitch and get his ass thrown back in jail. Austin found out where Justin was living—at the same Laurel Canyon Boulevard address that McGuire’s cell phone records had led me to. Justin was careless: he didn’t shred his notes before throwing them in the trash. Austin went Dumpster-diving at the house and uncovered evidence
that Justin was still committing credit card fraud. He informed the FBI of his discovery.

Once he had enough evidence in hand, Assistant U.S. Attorney David Schindler summoned Justin and his lawyer to a meeting at the Federal Courthouse in Los Angeles. When confronted by his FBI handlers and the prosecutor, Justin knew his days were numbered.

At one point during the meeting, Justin said he wanted to have a private conversation with his attorney. The two of them stepped out of the room. A few minutes later, the attorney came back in and sheepishly announced that his client had disappeared. The judge issued a no-bail warrant for Justin’s arrest.

So the snitch who tried to help send me to prison was now in the same boat I was. He was now walking in my shoes. Or rather, running.

I had a big smile on my face. The government’s chief hacking informant had vanished. And even if they found him again, his credibility would be worthless. The government would never be able to use him to testify against me.

Later on I would read of Justin’s attempt to rip off a bank while he was a fugitive. He had hacked into the computers of Heller Financial and obtained the codes necessary to execute a wire transfer from that bank to another bank account. He then telephoned in a bomb threat to Heller Financial. While the building was being evacuated, Petersen executed a $150,000 wire transfer from Heller Financial to Union Bank, routed through Mellon Bank. Fortunately for Heller Financial, the transfer was discovered before Petersen could withdraw the money from Union.

I was amused to hear about his getting caught, and at the same time surprised that he would have tried a wire-transfer scam. It showed that he was a real bad guy, an even bigger crook than I had imagined.

T
he law firm threw its annual Christmas bash in mid-December. I went only because I didn’t want people to wonder why I wasn’t there. I nibbled at the lavish food but steered clear of the flowing liquor, afraid it might loosen my tongue. I wasn’t really a drinker anyway; zeros and ones were my brand of booze.

Any good snoop watches his back, doing countersurveillance to be sure his opponents aren’t catching on to his efforts. The entire time I had been using Colorado Supernet—for eight months, ever since my arrival in Denver—I had been electronically looking over the system administrators’ shoulders to make sure they hadn’t caught on to the way I was using their servers as a massive free storage locker, as well as a launchpad into other systems. That involved observing them at work; sometimes I’d simply log on to the terminal server they used and monitor their online sessions over the span of a couple of hours or so. And I was also checking that they weren’t watching any of the other accounts I was using.

One night, I decided to target the lead admin’s personal workstation to see if any of my activity had been noticed. I searched his email for keywords that would indicate if he was aware of any ongoing security issues.

I stumbled across a message that got my attention. The admin was
sending someone log-in records about my Novell break-in. A few weeks earlier, I had been using an account named “rod” to stash the NetWare source code on a server at Colorado Supernet. Apparently it hadn’t gone unnoticed.

the login records for “rod” during the times that the folks at Novell reported break-ins, and connections FROM Novell during that time. Note that a couple of these do originate via Colorado Springs dial-up (719 575-0200).

I started frantically going through the admin’s emails.

And there it was, double-masked: an email from the admin using an account from his personal domain—“
xor.com
”—rather than his Colorado Supernet account. It had been sent to someone whose email address was not at a government domain but who was nonetheless being sent logs of my activity, which included logging in to Colorado Supernet from Novell’s network and transferring files back and forth.

I called the FBI office in Denver, gave the name the email had been addressed to, and was told there was no FBI agent by that name in the Denver office. I might want to try the Colorado Springs office, the operator suggested. So I called there and learned that, yes, dammit, the guy was indeed an FBI agent.

Oh,
shiiiiit
.

I’d better cover my ass. And quickly. But how?

Well, I have to admit that the plan I came up with may not actually have been all that low-key or cover-your-ass, though I knew I had to be very, very careful.

I sent a bogus log file from the administrator’s account to the FBI agent, telling him “we” had more logs detailing the hacker’s activities. I hoped he would investigate and end up chasing a red herring as I continued working on my hacking projects.

We call this tactic “disinformation.”

But knowing that the FBI was on the hunt for the Novell hacker wasn’t enough to make me shut down my efforts.

Since Art Nevarez had become suspicious, I assumed that the Novell Security team would be forming a posse, trying to figure out what had
happened and how much source code had been exposed. Shifting my target, I now focused on the Novell offices in San Jose, looking for the dial-up numbers in California. Social-engineering calls led me to a guy named Shawn Nunley.

“Hi, Shawn, this is Gabe Nault in Engineering in Sandy. I’m heading over to San Jose tomorrow and need a local dial-up number to access the network,” I said.

After some back and forth, Shawn asked, “Okay, what’s your username?”

“ ‘g–n–a–u–l–t,’ ” I said, spelling it out slowly.

Shawn gave me the dial-up number to the 3Com terminal server, 800-37-TCP-IP. “Gabe,” he said, “do me a favor. Call my voicemail number at my office and leave me a message with the password you want.” He gave me the number, and I left the message as he’d instructed: “Hi, Shawn, this is Gabe Nault. Please set my password to ‘snowbird.’ Thanks again,” I said.

There was no way I was going to call the toll-free 800-number Shawn had given me: when you call a toll-free number, the number you’re calling from is automatically captured. Instead, the next afternoon I called Pacific Bell and social-engineered the POTS number associated with the number Shawn had given me; it was 408 955-9515. I dialed in to the 3Com terminal server and tried to log in to the “gnault” account. It worked. Perfect.

I started using the 3Com terminal server as my access point into the network. When I remembered that Novell had acquired Unix Systems Laboratories from AT&T, I went after the source code for UnixWare, which I years earlier found on servers in New Jersey. Earlier I had compromised AT&T to get access to the SCCS (Switching Control Center System) source code and briefly got into AT&T’s Unix Development Group in Cherry Hill, New Jersey. Now I felt like it was déjà vu because the hostnames of the development systems were still the
same
. I archived and compressed the latest source code and moved it to a system in Provo, Utah, then over the weekend transferred the huge archive to my electronic storage locker at Colorado Supernet. I couldn’t believe how much disk space I was using, and often needed to search for additional dormant accounts to hide all my stuff.

On one occasion, I had a strange feeling after I dialed in to the 3Com terminal server, as if someone were standing behind me and watching everything I typed. Some sixth sense, some instinct, told me the Novell system administrators were looking over my shoulder.

I typed:

Hey, I know you are watching me, but you’ll never catch me!

(I talked with Novell’s Shawn Nunley a while back. He told me they actually
were
watching at that moment, and they started laughing, wondering,
“How could he possibly know?”
)

Nonetheless, I continued my hacking into numerous internal systems at Novell, where I planted tools to steal log-in credentials, and intercepted network traffic so I could expand my access into yet more Novell systems.

A few days later I still felt a bit uneasy. I called the RCMAC (Recent Change Memory Authorization Center) at Pacific Bell and spoke to the clerk who processed orders for the San Jose switch. I asked her to query the dial-up number in the switch and tell me exactly what the switch output message said. When she did, I discovered it had a trap-and-trace on it. Son of a bitch! How long had it been up? I called the Switching Control Center for that area, posing as Pacific Bell Security, and was transferred to a guy who could look up the trap-and-trace information.

“It went up on January twenty-second,” he said. Only three days earlier. Whoa—too close for comfort! Luckily, I had not been calling much during that time; Pacific Bell would have been able to trace my calls only as far as the long-distance carrier, but could not track the calls all the way back to me.

I breathed a sigh of relief and decided to leave Novell alone. Things were getting way too hot there.

Years later, that voicemail I’d left for Shawn Nunley would come back to bite me in the ass. Shawn for some reason saved my message, and when somebody from Novell Security got in touch, he played it for him, and then that guy in turn gave it to the San Jose High-Tech Crime Unit. The cops weren’t able to tie the voice to any particular suspect. But months later, they sent the tape to the FBI in Los Angeles to see if the
Feds could make anything out of it. The tape eventually found its way to the desk of Special Agent Kathleen Carson. She inserted it into the player on her desk, hit Play, and listened. She knew right away:
That’s Kevin Mitnick, the hacker we’re looking for!

Kathleen called Novell Security and said, “I have some good news and some bad news. The good news is that we know the identity of your hacker—it’s Kevin Mitnick. The bad news is, we have no idea how to find him.”