At that moment, Boeing Aircraft was hosting a high-level computer secu-rity seminar for an audience that included people from corporations, law enforcement, FBI, and the Secret Service.
Overseeing the session was Don Boelling, a man intimate with Boeing’s computer security measures and the efforts to improve them. Don had been fighting the security battles internally for a number of years. “Our network and computing security was like everywhere else, it was basically zip. And I was really concerned about that.”
As early as 1988, when he was with the newly formed Boeing Electronics, Don had walked into a meeting with the division president and several vice presidents and told them, “Watch what I can do with your network.” He hacked modem lines and showed that there were no passwords on them, and went on to show he could attack whatever machines he wanted. The executives saw one computer after another that had a guest account with a password of “guest.” And he showed how an account like that makes it easy to access the password file and download it to any other machine, even one outside the company.
He had made his point. “That started the computing security program at Boeing,” Don told us. But the effort was still in its infancy when Matt and Costa began their break-ins. He had been having “a hard time convincing management to really put resources and funding into computing security.”
The Matt and Costa episode would prove to be “the one that did it for me.”
His courageous role as a spokesman for security had led to Don organ-izing the groundbreaking computer forensics class at Boeing. “A gov-ernment agent asked us if we wanted to help start a group of law enforcement and industry people to generate information. The organiza-tion was designed to help train law enforcement in computer technology forensics, involving high-tech investigations techniques. So I was one of the key players that helped put this together. We had representatives from Microsoft, US West, the phone company, a couple of banks, several dif-ferent financial organizations. Secret Service agents came to share their knowledge of the high-tech aspects of counterfeiting.”
Don was able to get Boeing to sponsor the sessions, which were held in one of the company’s computer training centers. “We brought in about thirty-five law enforcement officers to each week-long class on how to seize a computer, how to write the search warrant, how to do the forensics on the computer, the whole works. And we brought in Howard Schmidt, who later was recruited onto the Homeland Security force, answering to the President for cyber-crime stuff.”
On the second day of the class, Don’s pager went off. “I called back the administrator, Phyllis, and she said, ‘There’s some strange things
going on in this machine and I can’t quite figure it out.” A number of hidden directories had what looked like password files in them, she explained. And a program called Crack was running in the background.
That was bad news. Crack is a program designed to break the encryp-tion of passwords. It tries a word list or a dicencryp-tionary list, as well as per-mutations of words like Bill1, Bill2, Bill3 to try to discern the password.
Don sent his partner, Ken (“our Unix security guru”) to take a look.
About an hour later, Ken paged Don and told him, “You better get up here. This looks like it might be pretty bad. We’ve got numerous pass-words cracked and they don’t belong to Boeing. There’s one in particu-lar you really need to look at.”
Meanwhile, Matt had been hard at work inside the Boeing computer networks. Once he had obtained access with system administrator privi-leges, “it was easy to access other accounts by looking into some of the other machines those people had accessed.” These files often had tele-phone numbers to software vendors and other computers the machine would call. “A primitive directory of other hosts that were out there,”
says Matt. Soon the two hackers were accessing the databases of a variety of businesses. “We had our fingers in a lot of places,” Costa says.
Not wanting to leave the seminar, Don asked Ken to fax down what he was seeing on the administrator’s screen. When the transmission arrived, Don was relieved not to recognize any of the user IDs. However, he was puzzled over the fact that many of them began with “Judge.” Then it hit him:
I’m thinking, “Oh my God!” I walked into this classroom full of law enforcement officers and said, “Do you guys recognize any of these names?” I read off a list of the names. One federal officer explained, “Those are judges in the U.S. District Court in Seattle.” And I said, “Well, I have a password file here with 26 passwords cracked.” Those federal officers about turned green.
Don watched as an FBI agent he’d worked with in the past made a few phone calls.
He calls up the U.S. District Court and gets hold of the system administrator. I can actually hear this guy on the other end of the line going, “No, no way. We’re not connected to the Internet.
They can’t get our password files. I don’t believe it’s our machine.” And Rich is saying, “No, it is your machine. We’ve got the password files.” And this guy is going, “No, it can’t happen.
People can’t get into our machines.”
Don looked down at the list in his hand and saw that the root pass-word — the top-level passpass-word known only to system administrators — had been cracked. He pointed it out to Rich.
Rich says into the telephone, “Is your root password ‘2ovens’?”
Dead silence on the other end of the line. All we heard was a
“thunk” where this guy’s head hit the table.
As he returned to the classroom, Don sensed a storm brewing. “I said,
‘Well, guys, it’s time for some on-the-job real life training.’”
With part of the class tagging along, Don prepared for battle. First, he went to the computer center in Bellevue where the firewall was located.
“We found the account that was actually running the Crack program, the one the attacker was logging in and out of, and the IP address he was coming from.”
By this time, with their password-cracking program running on the Boeing computer, the two hackers had moved into the rest of Boeing’s system, “spider-webbing” out to access hundreds of Boeing computers.
One of the computers that the Boeing system connected to wasn’t even in Seattle. In fact, it was on the opposite coast. According to Costa:
It was one of the Jet Propulsion lab computers at NASA’s Langley Research Labs in Virginia, a Cray YMP5, one of the crown jew-els. That was one of our defining moments.
All kinds of things cross your mind. Some of the secrets could make me rich, or dead, or really guilty.
The folks in the seminar were taking turns watching the fun in the computer center. They were stunned when the Boeing security team dis-covered their attackers had gotten access to the Cray, and Don could hardly believe it. “We were able to very quickly, within an hour or two, determine that access point and the access points to the firewall.”
Meanwhile, Ken set up virtual traps on the firewall in order to determine what other accounts the attackers had breached.
Don rang the local phone company and asked to have a “trap and trace” put on the Boeing modem lines that the attackers were using. This is a method that would capture the phone number that the calls were originating from. The telephone people agreed without hesitation.
“They were part of our team and knew who I was, no questions asked.
That’s one of the advantages of being on these law enforcement teams.”
Don put laptops in the circuits between the modems and the comput-ers, “basically to store all the keystrokes to a file.” He even connected
Okidata printers to each machine “to print everything they did in real time. I needed it for evidence. You can’t argue with paper like you can with an electronic file.” Maybe it’s not surprising when you think about which a panel of jurors is more likely to believe: an electronic file or a document printed out at the very time of the incident.
The group returned to the seminar for a few hours where Don outlined the situation and defensive measures taken. The law enforcement officers were getting hands-on, graduate-level experience in computer forensics.
“We went back up to do some more work and check on what we had, and while I was standing there with two federal officers and my partner, the modem goes off. Bingo, these guys came in, logged in on the account,” Don said.
The local phone company tracked Matt and Costa to their homes. The team watched as the hackers logged into the firewall. They then trans-ferred over to the University of Washington, where they logged in to Matt Anderson’s account.
Matt and Costa had taken precautions that they thought would protect their calls from being traced. For one thing, instead of dialing Boeing directly, they were calling into the District Court computers and then routing a call from the Court to Boeing. They figured that “if there was someone monitoring us at Boeing, they were probably having a rough time figuring out where our call was originating from,” Costa said.
They had no idea their every move was being watched and recorded as Matt dialed into the Court, from there to Boeing, and then transferred to his personal student account.
Since we were so new on [the District Court] system and the pass-word and user name were “public,” at the time I didn’t think it was a threat, or I was being lazy. That direct dial is what gave them the trace to my apartment and that’s where everything fell apart.
Don’s team felt like the proverbial fly on the wall as Matt started read-ing the email on his student account. “In this guy’s email is all this stuff about their hacker exploits and responses from other hackers.”
The law enforcement officers are sitting there laughing their asses off, ’cause these are basically arrogant kids, not considering they’d get caught. And we’re watching them real time produce evidence right there in our hands.
Meanwhile, Don was ripping the sheets off the printer, having every-body sign as a witness, and sealing then as evidence. “In less than six
hours from the point we knew we had this intrusion, we already had these guys on criminal trespass.”
Boeing management was not laughing. “They were scared out of their wits and wanted the hackers terminated — ‘Get them off the computers and shut all this off right now.’” Don was able to convince them it would be wiser to wait. “I said, ‘We don’t know how many places these guys have gotten into. We need to monitor them for a while and find out what the heck is going on and what they’ve done.’” When you consider the risk involved, it was a remarkable testament to Don’s professional skills that management capitulated.