Ghost in the Wires_ My Adventures as the World's Most Wanted Hacker - Kevin Mitnick [132]
TWENTY-NINE
Departure
126 147 172 163 040 166 172 162 040 154 170 040 157 172 162 162 166
156 161 143 040 145 156 161 040 163 147 144 040 115 156 165 144 153 153
040 163 144 161 154 150 155 172 153 040 162 144 161 165 144 161 040
150 155 040 122 172 155 040 111 156 162 144 077
The law firm threw its annual Christmas bash in mid-December. I went only because I didn’t want people to wonder why I wasn’t there. I nibbled at the lavish food but steered clear of the flowing liquor, afraid it might loosen my tongue. I wasn’t really a drinker anyway; zeros and ones were my brand of booze.
Any good snoop watches his back, doing countersurveillance to be sure his opponents aren’t catching on to his efforts. The entire time I had been using Colorado Supernet—for eight months, ever since my arrival in Denver—I had been electronically looking over the system administrators’ shoulders to make sure they hadn’t caught on to the way I was using their servers as a massive free storage locker, as well as a launchpad into other systems. That involved observing them at work; sometimes I’d simply log on to the terminal server they used and monitor their online sessions over the span of a couple of hours or so. And I was also checking that they weren’t watching any of the other accounts I was using.
One night, I decided to target the lead admin’s personal workstation to see if any of my activity had been noticed. I searched his email for keywords that would indicate if he was aware of any ongoing security issues.
I stumbled across a message that got my attention. The admin was sending someone log-in records about my Novell break-in. A few weeks earlier, I had been using an account named “rod” to stash the NetWare source code on a server at Colorado Supernet. Apparently it hadn’t gone unnoticed.
the login records for “rod” during the times that the folks at Novell reported break-ins, and connections FROM Novell during that time. Note that a couple of these do originate via Colorado Springs dial-up (719 575-0200).
I started frantically going through the admin’s emails.
And there it was, double-masked: an email from the admin using an account from his personal domain—“xor.com”—rather than his Colorado Supernet account. It had been sent to someone whose email address was not at a government domain but who was nonetheless being sent logs of my activity, which included logging in to Colorado Supernet from Novell’s network and transferring files back and forth.
I called the FBI office in Denver, gave the name the email had been addressed to, and was told there was no FBI agent by that name in the Denver office. I might want to try the Colorado Springs office, the operator suggested. So I called there and learned that, yes, dammit, the guy was indeed an FBI agent.
Oh, shiiiiit.
I’d better cover my ass. And quickly. But how?
Well, I have to admit that the plan I came up with may not actually have been all that low-key or cover-your-ass, though I knew I had to be very, very careful.
I sent a bogus log file from the administrator’s account to the FBI agent, telling him “we” had more logs detailing the hacker’s activities. I hoped he would investigate and end up chasing a red herring as I continued working on my hacking projects.
We call this tactic “disinformation.”
But knowing that the FBI was on the hunt for the Novell hacker wasn’t enough to make me shut down my efforts.
Since Art Nevarez had become suspicious, I assumed that the Novell Security team would be forming a posse, trying to figure out what had happened and how much source code had been exposed. Shifting my target, I now focused on the Novell offices in San Jose, looking for the dial-up numbers in California. Social-engineering calls led me to a guy named Shawn Nunley.
“Hi, Shawn, this is Gabe Nault in Engineering in Sandy. I’m heading over to San Jose tomorrow and need a local dial-up