Hacker, Cracker, Watchman, Spy

Like a lot of thieves, Gambit only works at night. It's half past 10 in Phoenix when he boots up his laptop. Darth Vader's voice intones "What is thy bidding, my master?" Gambit double-clicks on a desktop icon shaped like a chess queen and offers no reply. He's about to break into a law firm's office three time zones away. Someone asks how he feels. "Skittish," he says. "Like a cat burglar casing a mansion. Except when a burglar steals a rich man's jewels, it's obvious. When the lawyers come to work tomorrow, they'll never know I was there."

Gambit is a hacker for hire, an electronic spy and saboteur. His fee for hacking into the law firm's office network is $1,000. His mission: to obtain the firm's case strategy for an upcoming lawsuit over a real estate development deal gone sour. The other side has hired a private-investigations firm that specializes in corporate espionage, who in turn subcontracted Gambit.

The law firm doesn't have a Web page to attack, so Gambit has to find a way in through a direct dial-up modem line--one that allows remote access to the system, so lawyers and legal secretaries can dial into their computers from home. "This is an old-school hack," says Gambit. "WarGames-style."

Normally, a hacker mounting a direct-dial assault would start by using a War Dialer--a program that rapidly dials thousands of phone numbers and keeps track of which ones answer with a modem tone. Since most office networks use the same prefix for modem lines and voice lines, hackers usually program their War Dialers to vary only the last four digits. To thwart security alarms that detect sequential dialing, War Dialers randomize their dialing. The whole point is to seek and identify a target network's modem lines.

Gambit's employers, however, have provided him with a little recon: four direct-dial lines that lead into the law firm's network, plus the corresponding user log-in names. But not the passwords. To get those, Gambit splices a chunk of code from a popular War Dialer called ToneLoc into a password cracker program. Once he launches the "script," it speed-dials the four numbers in revolving order, logs on with the corresponding user name, then tries to break the password with educated guessing: First the program attempts various abbreviations and anagrams of the user name. When that fails, it starts to methodically work its way through a database of common passwords.

Gambit sips from a mug of lukewarm Mountain Dew as the program begins its run. "Okay," he says, "let's rattle some doorknobs." The law firm's system lets the program try three passwords per dial-up before it breaks the connection. Then the War Dialer calls the next number and repeats the process with three new passwords. The hacker is gambling--if the program can't unlock a password before morning, phone logs will record the suspicious modem activity in the middle of the night. "Of course, that's only a problem if anyone actually bothers to check the logs," Gambit says. "But I'd rather not have to worry."

Bingo. Gambit gets a hit on the 37th round--user two's password is "sunshine." "At least it wasn't 'password' or 'computer,'" he says. "I've seen a lot of those. That's when you really feel sorry for the stupid people."

Once he's connected to the network, Gambit hacks around until he gains "root" access--the carte blanche "superuser" status of a system's chief administrator. Once he's got root, Gambit erases the incriminating phone logs. Then he weaves a tiny "back door" program into the network's source code--the foundation program that actually runs the system. It's like propping open a basement window from the inside--now Gambit or another hacker he sells or trades the back-door location to can sneak into the firm's system at will.

For his last trick, Gambit installs a "network sniffer" program. Originally designed to help increase system efficiency, sniffer programs basically sit quietly in a corner and record network traffic for later analysis. Gambit has modified his sniffer to flag any e-mail or file exchange containing certain key words--the names of the plaintiffs, defendants and representing attorneys in the case and the property in question--and secretly copy the data into a file hidden in a complex hierarchy of subdirectories within the network. Essentially, Gambit has set an information trap line he can return to check later. Once it's in place, he punches out. The entire hack took just more than five hours.

An editorial in the Winter 1997 issue of 2600, a hacker quarterly published since 1984, slams mercenary hackers like Gambit. "One thing we must be careful of is the temptation of true crime," it reads. "Once that world is entered, the spirit of adventure and discovery is replaced by the incentive for profit. Not to mention you turn into an utter sleazebag."

David Holthouse