Ghost in the Wires: My Adventures as the World's Most Wanted Hacker - Kevin Mitnick [122]

Mountain View, which I would need if the system administrator in Sun’s Denver sales office wanted to call me back to verify that I was who I claimed to be. Using a tool available to all Sun staffers, I pulled up a list of employees, chose Neil Hansen at random, and wrote down his name, phone number, building number, and employee number. Then I called the main number at Sun’s Denver sales office and asked for the computer support person.

“Hi, this is Neil Hansen with Sun in Mountain View. Who’s this?” I asked.

“Scott Lyons. I’m the support person in the Denver office.”

“Cool. Later today I’m flying to Denver for some meetings. I was wondering if you guys had a local dial-up number so I can access my email without having to make long-distance calls back to Mountain View.”

“Sure, we have a dial-up, but I have to program it to dial you back. The system does that for security reasons,” he told me.

“No problem,” I said. “The Brown Palace Hotel has direct-dial numbers for the guest rooms. When I get into Denver later this evening, I can give you the number.”

“What’s your name again?” he asked, sounding a little suspicious.

“Neil Hansen.”

“What’s your employee number?” he demanded.

“10322.”

He put me on hold for a moment, presumably to check me out. I knew he was using the same tool I’d used to look up Hansen’s information.

“Sorry, Neil, I just had to verify you in the employee database. Give me a call when you get in, and I’ll set that up for you.”

I waited until just before quitting time, called Scott back, and gave him a local 303 (Denver) number that I had cloned to my cell phone. When I started a connection, a callback would come to the cell phone, I’d manually answer it, and then my modem would make a connection. For several days, I used this access point to get into Sun’s internal network.

But then, abruptly, the callbacks stopped working. Damn! What had happened?

I dialed back into Mountain View and accessed the system in Denver. Oh, shit! Scott had fired off an urgent email to Brad Powell with Sun’s Security Department. He had turned on the logging feature on the dial-up I was using and captured all my session traffic. He quickly realized that I was not checking my mail at all but poking around in places I shouldn’t be. I deleted the log files so there wouldn’t be any evidence of my visits and immediately stopped using the cell phone number I had given him.

Did this discourage me from hacking into Sun? Of course not. I just went back to using Sun’s Mountain View dial-up to find more connections into SWAN (Sun’s Wide-Area Network) in case I got locked out of the system. I wanted to establish multiple access points so I’d always have a variety of ways of getting in. I targeted all of Sun’s sales offices in the United States and Canada, each of which had its own local dial-up so its staff could access SWAN without needing to make long-distance calls to the company’s Mountain View headquarters. Compromising these offices was a piece of cake.

While exploring Sun’s network, I stumbled across a server with the hostname “elmer,” which stored the entire database of bugs for all of Sun’s operating systems. Each entry included everything from the initial report or detection of a bug, to the name of the engineer assigned to tackle the issue, to the specific new code implemented to fix the problem.

A typical bug report read:


Synopsis: syslog can be used to overwrite any system file

Keywords: security, password, syslog, overwrite, system

Severity: 1

Priority: 1

Responsible Manager: kwd

Description:

syslog and syslogd feature of LOG_USER can be used to overwrite *any* system file. The obvious security violation is using syslog to overwrite /etc/passwd. This can be done to remote systems if LOGHOST is not set to localhost.

bpowell: breakin code removed for security reason

If you need a copy of the breakin code see Staci Way (contractor) (staciw@castello.corp).

Work around: NONE except turning off syslog which is unacceptable

Interest list: brad.powell@corp, dan.farmer@corp, mark.graff@Corp
