The history of computer security in one way parallels the ancient history of cryptography. For centuries, code makers have devised ciphers that they labeled “unbreakable.” Even today, in an age of computers that can read-ily encrypt a message using a one-time pad, or a key containing hundreds of characters, most codes are still breakable. (America’s code-making and code-breaking organization, the National Security Agency, boasts a num-ber of the world’s largest, fastest, most powerful computers.)
Computer security is like a constant cat-and-mouse game, with security experts on one side and intruders on the other. The Windows operating system contains lines of code numbering in the tens of millions. It’s a
no-brainer that any software of massive size will inevitably contain vul-nerabilities that dedicated hackers will eventually discover.
Meanwhile, company workers, bureaucrats, sometimes even security professionals will install a new computer or application and overlook the step of changing the default password, or constructing one that’s rea-sonably secure — leaving the device in a vulnerable state. If you read the news of hacker attacks and break-ins, you already know that military and government sites, and even the White House Web site, have already been compromised. In some cases repeatedly.
Getting onto a site and defacing a Web page is one thing — most of the time it’s essentially trivial, if annoying. Still, many people rely on a single password for every use; if breaking into a Web site leads to capturing pass-words, the attackers might be in position to gain access to other systems on the network and do a great deal more damage. ne0h says that in 1999 he and two other members of the hacker’s group gLobaLheLL did just that, on one of the most sensitive spots in the United States: the White House.
I believe that the White House was doing a reinstall of their oper-ating system. They had everything defaulted. And for that period of ten, fifteen minutes, Zyklon and MostFearD managed to get in, get the shadowed password file, crack it, enter, and change the Web site. I was right there while they were doing it.
It was basically being at the right place at the right time. It was just by chance, just a fluke that they happened to be on line just when the site was being worked on.
We had discussed it in the gLobaLheLL chat room. I was woken up by a phone call around 3 A.M. saying they were doing it. I said, “Bullshit. Prove it.” I jumped on my computer. Sure enough, they did it.
MostFearD and Zyklon did most of it. They gave me the shadow file to crack as fast as I could. I got one [password] — a simple dictionary word. That was about it.
ne0h provided a portion of what he says is the password file that the others obtained and passed to him, listing what appears to be a few of the authorized users on the White House staff7:
root:x:0:1:Super-User:/:/sbin/sh daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:
adm:x:4:4:Admin:/var/adm:
uucp:x:5:5:uucp Admin:/usr/lib/uucp:
nuucp:x:9:9:uucp
Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico listen:x:37:4:Network Admin:/usr/net/nls:
nobody:x:60001:60001:Nobody:/:
noaccess:x:60002:60002:No Access User:/:
nobody4:x:65534:65534:SunOS 4.x Nobody:/:
bing:x:1001:10:Bing Feraren:/usr/users/bing:/bin/sh orion:x:1002:10:Christopher
Adams:/usr/users/orion:/usr/ace/sdshell webadm:x:1130:101:Web
Administrator:/usr/users/webadm:/bin/sh cadams:x:1003:10:Christopher
Adams:/usr/users/cadams:/usr/ace/sdshell bartho_m:x:1004:101:Mark
Bartholomew:/usr/users/bartho_m:/usr/ace/sdshell monty:x:1139:101:Monty Haymes:/usr/users/monty:/bin/sh debra:x:1148:101:Debra Reid:/usr/users/debra:/bin/sh connie:x:1149:101:Connie
Colabatistto:/usr/users/connie:/bin/sh
bill:x:1005:101:William Hadley:/usr/users/bill:/bin/sh
This is in the form of a Unix or Linux password file, the kind used when the encrypted passwords are stored in a separate, protected file. Each line lists the name of one person who has an account on the system. The entry
“sdshell” on some lines suggests that these users, for additional security, were carrying a small electronic device called an RSA SecureID, which dis-plays a six-digit number that changes every 60 seconds. To sign on, these users must enter the six-digit number displayed at that moment on their SecureID device along with a PIN number (which may be assigned in some companies or self-chosen in others).The White House Web site was defaced at the same time as the break-in, to show they had been there, according to ne0h, who provided a link to the defacement (see Figure 2-1).8 Besides bearing a symbol for the gLobaLheLL hacker group, the message also includes a logo for the Hong Kong Danger Duo. That was, ne0h says, a phony name made up to add an element of deception.
As ne0h remembers it, the guys responsible for this White House hack didn’t feel any particular elation about having been able to break into what should be among the half dozen or dozen most secure Web sites in the nation. They were “pretty busy trying to break into everything,”
ne0h explained, “to prove to the world that we were the best.” Instead of virtual pats on the back all around, it was, he says, more an attitude of
“Good job, guys, we finally got it, what’s next?”
But they didn’t have much time left for other break-ins of any sort.
Their worlds were about to crumble, and that part of the tale brings the story back around once again to the mysterious Khalid.
Figure 2-1: Defacement page on White House Web site, May 1999.
Zyklon, otherwise known as Eric Burns, takes over the narrative at this point. He wasn’t ever actually a member of globaLheLL, he says, but did hang around on IRC with some of the guys. In his description of events, the White House hack became possible when he discovered the Web site was susceptible to being compromised by exploiting a hole in a sample program called PHF, which is used to access a Web-based phone book database. This was a critical vulnerability, but although people in the hacker community knew about it, “not many people were using it,” Zyklon says.
Carrying out a number of steps (detailed in the Insight section at the end of this chapter), he was able to gain root on whitehouse.gov and establish access to other systems on the local network, including the White House mail server. Zyklon at that point had the ability to intercept any messages between White House staffers and the public, though of course those messages would not have revealed any classified information.
But he was also, Zyklon says, able to “grab a copy of the password and shadow files.” They hung around the site, seeing what they could find, waiting until people started arriving for work. While he was waiting, he received a message from Khalid, who said he was writing an article about recent break-ins, and asking Zyklon if he had any recent exploits to tell
about. “So I told him we were right then into the White House Web site,” Zyklon said.
Within a couple of hours of that exchange, Zyklon told me, they saw a sniffer appear on the site — a system administrator was looking to see what was going on and trying to track who the people were on the site.
Just coincidence? Or did he have some reason to be suspicious at that particular moment? It would be months before Zyklon found out the answer. For the moment, as soon as they spotted the sniffer, the boys pulled the plug, got off the site, and hoped they had caught on to the administrator before he had caught on to them.
But they had stirred up the proverbial hornet’s nest. About two weeks later the FBI descended in force, rounding up every gLobaLheLL mem-ber they had been able to identify. In addition to Zyklon — then 19, arrested in Washington state — they also grabbed MostHateD (Patrick Gregory, also 19, from Texas), and MindPhasr (Chad Davis, Wisconsin), along with others.
ne0h was among the few who survived the sweep. From the safety of his remote location, he was incensed, and posted a Web site defacement page with a message of defiance; as edited for prime time, it read: “Listen up FBI m____ f_____ers. Don’t f___ with our members, you will loose.
we are holding fbi.gov as I type this. AND YOUR FEARING. We got arrested because you dumb idouts cant figure out who hacked the white-houe.. right? so you take us alll in and see if one of them narcs. GOOD F___ING LUCK.. WE WONT NARC. Don’t you understand? I SAID WORLD DOMINATION.”
And he signed it: “the unmerciful, ne0h.”9
Aftermath
So how did that system administrator happen to be sniffing so early in the morning? Zyklon doesn’t have any doubt about the answer. When the prosecutors had drawn up the papers in his case, he found a statement that information leading to knowledge of the gLobaLheLL break-in to the White House site had been provided by an FBI informant. As he remem-bers it, the paper also said that the informant was in New Delhi, India.
In Zyklon’s view, there isn’t any doubt. The only person he had told about the White House break-in — the only person — was Khalid Ibrahim. One plus one equals two: Khalid was an FBI informant.
But the mystery remains. Even if Zyklon is correct, is that the whole story? Khalid was an informant, helping the FBI locate kid hackers will-ing to conduct break-ins to sensitive sites? Or is there another possible explanation: that his role as an informant was only half the story, and he was in fact also the Pakistani terrorist that the Indian general believed he
was. A man playing a double role, helping the cause of the Taliban while he infiltrated the FBI.
Certainly his fears about one of the kids reporting him to the FBI fit this version of the story.
Only a few people know the truth. The question is, are the FBI agents and federal prosecutors who were involved among those who know the real story. Or were they, too, being duped?
In the end, Patrick Gregory and Chad Davis were sentenced to 26 months, and Zyklon Burns got 15 months. All three have finished serv-ing their time and are out of prison.