• Choose a category
• All
• Classic-Fiction

I knew I had to give up the search and not chance getting caught hacking again… but maybe I could get just one more piece of the puzzle before I did. The Martinez phone bill had shown me the numbers of the people he was calling. Maybe I could get some clues by finding out who was calling him.

I needed to do what I call a “traffic analysis.” The process begins with looking at the call detail records (CDRs) of one person whose phone number you’ve identified and pulling information from those records. Whom does he call frequently? Who calls him? Does he sometimes make or receive a series of calls in close succession to or from certain people? Are there some people he mostly calls in the morning? In the evening? Are calls to certain phone numbers especially long? Especially short? And so on.

And then you do the same analysis of the people this person calls most often.

Next you ask, whom do those people call?

You’re beginning to get the picture: this effort was humongous, a process that was going to take up much of my spare time, hours a day. But I needed to know. There was no way around it: this effort was essential, regardless of the risk.

I felt my future depended on it.

I already had the last three months of Martinez’s cell phone records. For openers, I’d have to hack into PacTel Cellular and find out where all their real-time call detail records were located within the network, so I could search for any PacTel customer who had been calling Eric’s pager, voicemail, and home phone.

Wait, even better: if I was going to hack into PacTel anyway, I could also get the customer service records for every phone number Martinez called within their network, and I’d be able to discover who owned the phone being called.

I didn’t know much about the company’s naming conventions for internal systems, so I started with a call to the public customer service phone number used by people who wanted to sign up for a calling plan. Claiming to be from PacTel’s internal help desk, I asked, “Are you using CBIS?” (the abbreviation used in some telcos for “Customer Billing Information System”).

“No,” the customer service lady said. “I’m using CMB.”

“Oh, okay, thanks anyway.” I hung up, now possessing a key piece of information that would gain me credibility. I then called the internal Telecommunications Department, gave the name I had obtained of a manager in Accounting, and said we had a contractor coming to work on-site who would need a number assigned to him so he could receive voicemail. The lady I was talking to set up a voicemail account. I dialed it and set “3825” as a password. Then I left an outgoing voicemail message: “This is Ralph Miller. I’m away from my desk, please leave a message.”

My next call was to the IT Department to find out who managed CMB; it was a guy named Dave Fletchall. When I reached him, his first question was, “What’s your callback?” I gave him the internal extension number for my just-activated voicemail.

When I tried the “I’ll be off-site and need remote access” approach, he said, “I can give you the dial-in, but for security reasons, we’re not allowed to give passwords over the telephone. Where’s your desk?”

I said, “I’m going to be out of the office today. Can you just seal it in an envelope and leave it with Mimi?”—dropping the name of a secretary in the same department, which I had uncovered as part of my information reconnaissance.

He didn’t see any problem with that.

“Can you do me a favor?” I said. “I’m on my way into a meeting, would you call my phone and leave the dial-up number?”

He didn’t see a problem with that, either.

Later that afternoon I called Mimi, said I was stuck in Dallas, and asked her to open the envelope Dave Fletchall had left and read the information to me, which she did. I told her to toss the note in the trash since I no longer needed it.

My endorphins were running and my fingers were flying. This was exciting stuff.

But it was always in the back of my mind that the people I was social-engineering might catch on partway through and