Hacking Bhabha

Adam L. Penenberg
Forbes.com, 11.16.98

NINETEEN NINETY-EIGHT MAY WELL GO DOWN AS THE YEAR of the hack. Not since the arrest of hacker Kevin Mitnick in 1995 have there been so many high-profile computer break-ins. The latest victim was The New York Times, which had to shut its web site down for 9 hours on September 13 when a gang calling itself Hacking for Girlies (HFG) replaced Times content with a page of their own design. And earlier in the year, there were a number of security breaches that were far more serious: high-profile hacks of the Pentagon, a TV satellite in California and, potentially the most devastating, a nuclear research center in India.

ICSA, a computer security company based in Pennsylvania, estimates there are about 1 million hackers out there in cyberland. Here is the story of two of them, the first ones to penetrate the computers of Bhabha, India’s number one nuclear research center, located in Bombay, India, which led to perhaps as many as 100 hackers wilding through the center’s network over the course of several days.

A now defunct hacker group called “milw0rm” claimed credit for the hack. Although the hack received extensive media coverage, the fact is that milw0rm copped credit for a hack they merely inherited. Here’s what happened.

It was mid-May, 1998, when 15-year-old 10th grader Joey Westwood (not his real name) was watching the TV coverage of India’s underground nuclear tests. For some reason it stuck in his craw. Joey was not sure exactly why. After all, he’s much too young to remember Hiroshima, Nagasaki and the Cuban Missile Crisis. He couldn’t even find India on the map. Some third-world hole that can’t even feed its own people was getting into a nuclear arms race with Pakistan and China. The more he thought about it, the madder he got.

Joey decided to wreak vengeance on the Indians. And he would accomplish this without leaving his bedroom in suburban America. In cyberspace, where Joey spent much of his life, he went by the name t3k-9. He’s especially adept at cracking passwords and log-ins, the keys to illegally accessing computer systems.

On this particular day, t3k-9 stomped upstairs carrying his favorite hack snacks (chocolate Pop-Tarts, Coca-Cola and sour jawbreakers) and went to his bedroom, where he booted up his computer and listened to the comforting squawk of his modem. He checked in with search engine Infoseek, and plugged in “.in atomic,” the equivalent of typing “India, atomic research.” One of the first sites to come up was India’s Bhabha Atomic Research Center (BARC), which he read had been instrumental in helping India develop the A-bomb.

Joey pointed and clicked his way to the BARC site and accessed the John the Ripper DES Encryption Cracker software he had downloaded off the Internet, where literally thousands of complex hacker applications and “how-to” guides are available from web sites and hacker chat channels.

The password cruncher worked by setting up a phony log-in program so that BARC thought it was accepting a connection from a friendly machine. Then, by brute force, the cruncher tried every single combination of letters and numbers until it hit the jackpot. First, the application ran through all the lettered combinations at the speed of digital light (a, b, aa, bb, cc), then, after going through the entire alphabet, backtracked to ab, ac, ad, etc. t3k-9 had also added special customized word lists combining letters and numbers, which he’d downloaded over the course of his cybertravels.

Forty-five seconds after he’d started, t3k-9 was amazed to discover that he’d cracked one of the passwords. He was inside India’s number one atomic research network.

His eyes bugged. He checked the password: “ANSI.” Someone’s name, he thought, the same as the log-in prompt. He couldn’t believe his luck. The administrator hadn’t followed standard password selection rules, which would have meant complex strings of numbers and letters, more difficult to crack because the longer it takes, the greater the likelihood you’ll get caught.
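A defender’s counterpart to the cracking run just described, added here as an example and not code from the article or from John the Ripper: it audits a constructed password file for the three weaknesses the story turns on (a password equal to the login name, a word-list hit, and a short all-letter string found by exhaustive search) so an administrator can find such accounts before anyone else does. The salted SHA-256 hash format, the word list and every account in it are assumptions, not BARC data.

```python
"""Password-file audit: replay the cheap guesses a cracker tries first.
Added example, not the article's or John the Ripper's code. Hashes use salted
SHA-256 as an assumed stand-in for the crypt(3) DES format of the era; the
word list and accounts below are constructed, not real."""
import hashlib
import itertools
import string

def hash_pw(salt: str, password: str) -> str:
    """Assumed hash format: salt + '$' + hex(SHA-256(salt || password))."""
    return salt + "$" + hashlib.sha256((salt + password).encode()).hexdigest()

def candidates(login: str, wordlist, max_len: int = 3):
    """Yield guesses in the order a cracker would try them, cheapest first."""
    yield login                      # the "ANSI" mistake: password == login name
    yield login.lower()
    yield from wordlist              # downloaded word lists
    for n in range(1, max_len + 1):  # a, b, ..., z, aa, ab, ..., zzz
        for letters in itertools.product(string.ascii_lowercase, repeat=n):
            yield "".join(letters)

def audit(entries, wordlist, max_len: int = 3) -> dict:
    """Return {login: recovered_password} for every account a cheap guess breaks."""
    weak = {}
    for login, stored in entries:
        salt = stored.split("$", 1)[0]
        for guess in candidates(login, wordlist, max_len):
            if hash_pw(salt, guess) == stored:
                weak[login] = guess
                break
    return weak

# Constructed sample password file as (login, stored hash); not real accounts.
WORDLIST = ["neutron", "reactor", "bombay", "fission"]
SAMPLE_ENTRIES = [
    ("ANSI", hash_pw("a1", "ANSI")),         # password equals the login name
    ("physics1", hash_pw("b2", "neutron")),  # word-list hit
    ("lab2", hash_pw("c3", "ab")),           # two letters: falls to the brute-force pass
    ("root", hash_pw("d4", "Kq7#xP!v2m")),   # long mixed string: survives this audit
]

def audit_sample() -> dict:
    return audit(SAMPLE_ENTRIES, WORDLIST)

if __name__ == "__main__":
    for login, pw in audit_sample().items():
        print(f"weak account {login!r}: recovered {pw!r}")
```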

t3k-9’s first step was to download all the passwords and log-in names. Then he installed a “backdoor” that would enable him to gain entry into the system without being detected. After that, he consulted the network map, which was open to public display. He headed over to the web server and read through E-mails written in scientific geek-speak, then rifled through some documents on particle physics. Boring stuff, he thought.

t3k-9 decided to get out while the getting was good, downloading a few E-mails and a scientific document for souvenirs. Then, after erasing logs to ensure no one would be able to track him, he logged off.

If he’d kept this to himself, no one would have ever known. And in the days to follow, India’s top nuclear research facility would probably never have suffered the ignominy of perhaps 100 hackers running roughshod through its computer network like gangs on a rampage. But t3k-9 couldn’t keep mum. He did what every self-respecting hacker would do. He bragged.

After logging on to Internet Relay Chat, t3k-9 headed over to one of the hacker channels. IRC is a place on the Internet where you can conduct real-time chat without anyone being able to track you. After checking who was around, t3k-9 found out that IronLogik, a hacker he calls his friend but has never met in the flesh, was also floating about. Here’s their conversation:

IronLogik> what’s the address yer working on?

t3k-9> hehehe. i’ll probably get on news.com or cnn.

IronLogik> just give me the url, I’m bored.

t3k-9> phenix.barc.ernet.in.

IronLogik> india? kewl.

t3k-9> yep. just use IRIX cgi-bin exploit.

IronLogik> irix? sweet.

t3k-9> hehehe. I already controlled the www.barc.ernet.in by way of backdoors now.

IronLogik> and that is? this a *nuclear* facility?

t3k-9> yep.

IronLogik> double the pain :>)

t3k-9> it has top secret #@$%. I have the pw file, it has like 800 passwords.

IronLogik> thanks. i’ll be there soon.

t3k-9> if you haxor it put like stop nuke testing and stuff.

IronLogik> on the web site? no problem.

t3k-9> bye got to go eat…

IronLogik> later.

IronLogik immediately left IRC and got to work, entering BARC via t3k-9’s backdoor. Within 45 minutes, he was able to achieve superuser status. That meant IronLogik had gotten “root,” or total control, as if he were the network’s system administrator. IronLogik could read any document or E-mail he felt like. If he were malicious, he could do extensive damage: uncork a virus, plant a logic bomb, joyride through their servers and trash their data. But he wasn’t here to vandalize; he was here for information.

IronLogik created two new “users” with passwords of his own invention, so that even if BARC changed its password protection scheme he’d still be able to gain access. Once he’d done all this, he installed his own backdoors, then disconnected from BARC and lay on two mattresses stacked on the floor to reflect. The room was dimly lit by a single lamp. His shades were drawn like they always were when he hacked: Constant vigilance is his motto.

IronLogik’s real first name is Ratko and he’s an 18-year-old immigrant from Serbia. For fun, he DJs parties from his laptop with pirated music he’s downloaded off the Internet. He chose the name “IronLogik” because his childhood was spent behind the Iron Curtain and ‘logic’ in his native tongue is spelled ‘logik.’

Ratko weighed whether he should go on or not. His father, formerly a computer programmer stationed in Russia, is now an aerospace engineer in the U.S. He worries his son could get deported if caught hacking. And if the authorities ever conducted a background check on his family, they’d find out that Ratko’s Serbian grandfather had been born in Russia and employed by the KGB, which his father fears would not sit well with either the Indians or the Americans.

While t3k-9 talks big about the threat of nukes but has no direct experience with them, Ratko is different. He grew up near a military base with hated Russian MiGs constantly roaring overhead, carrying nuclear warheads and spreading intimidation. Ratko thinks nuclear weapons should be strictly for protection, not genocide. “If a country uses nuclear arms to threaten other nations, then they do not deserve to carry them,” he says. This is what clinched it for him. Those stupid Indians aren’t responsible enough to control nukes. He’d prove this.

Ratko cracked open a notebook and began scribbling ideas. Starting from a hacked Internet account, IronLogik hopped through several different Internet service providers in the U.S. and Europe and, while at Los Alamos, picked up a new Internet Protocol (IP) address, a unique number that is assigned to the computer. Equipped with a military IP, BARC would identify him as a regular U.S.-based researcher.

Changing his IP address to one associated with the military was like changing into a soldier’s uniform. It made for good camouflage.

IronLogik hopped through several more ISPs, plus university networks, corporate servers and military research centers, more than 30 in all, to make it extremely difficult for anyone to trace his steps. Once he got to BARC, he erased the administrator logs that detailed his intrusions along the way. “Even Tsunami-boy (Tsutomu Shimomura), the guy who caught Kevin Mitnick, would find it impossible to track me,” he boasts. They’d need a wiretap at the precise moment IronLogik was hopping through cyberspace and what were the odds of that? About a billion to one.

He maneuvered over to BARC’s R&D server and sifted through E-mail, both new and already read. The UNIX system BARC relies on saves all mail until the system administrator deletes it. One of BARC’s biggest mistakes, besides its irresponsible password protection scheme, was that it allowed workers to keep old mail. Much of the mail was encrypted, which IronLogik realized meant it was probably quite sensitive.

He read some of the unencrypted mail, eavesdropping on conversations between scientists at BARC, Los Alamos and other research centers. Some detailed the recent atomic detonations, including one that postulated that one of the blasts had been faked. Another offered information on CO2 laser radiation. A third criticized a recently published paper on particle physics. He also saw plant layouts and noticed that almost all the users had their own projects stored in their own network files.

Next, he began to download E-mail. He traveled around the server until he found BARC’s intranet, which is a kind of internal Internet. That’s where the sensitive stuff would be: details of the recent atomic tests. He also knew if he cracked BARC’s intranet, he’d be a major international cyberfugitive.

At this point, IronLogik decided he’d gone far enough; the rewards didn’t outweigh the risks. During breakfast that morning, he told his father he’d hacked BARC and his father was both impressed and angry. His father pleaded with him not to return. But Ratko knew that although his father was worried, he really didn’t mean it. He was proud of his son’s hacking skills.

At school the next day, Ratko showed two of his Indian classmates the printouts of BARC’s logs and “threatened to sell the information to my Russian superiors.” They were impressed, and even helped Ratko by translating some of the E-mails. Meanwhile, if someone as disciplined as Ratko felt the need to brag, imagine how t3k-9 must have felt. Which is why t3k-9 posted the whole BARC password file, all 800 passwords and log-in names, on one of the hacker channels.

Immediately, hackers began accessing this information and preparing to attack BARC. When IronLogik went online later that day and found out what t3k-9 had done, he was not pleased. “Information is not free,” he chided t3k-9, “it is earned.” But it was too late. BARC was about to get hacked on all sides.

Shortly after, Wired News broke the story with an exclusive interview with milw0rm, whose members buttressed their claims by producing a mirror of BARC’s hacked home page. Other media outlets followed suit, also fixating on milw0rm as the culprits and waiting breathlessly as its members prepared for its next announced hack attack: Pakistan’s nuclear research networks.

Why did milw0rm receive all the glory? Essentially because its members had acted like drunken fraternity boys, digitally defacing BARC’s home page, trashing a couple of its servers and then crowing about it. Unfortunately, when it comes to media coverage in the digital domain, that’s the most effective PR.

IronLogik, unsurprisingly, was irritated. It wasn’t fair, he thought. t3k-9 had been the first one in, then IronLogik. All the rest of those hackers, including milw0rm (especially milw0rm), had coasted in on their work. And milw0rm’s claim that it used a sendmail bug to penetrate BARC was false. Rather, “they had used the backdoors that t3k-9 and I set up,” says IronLogik. “Besides, all this talk about attacking Pakistan next was so bogus, because Pakistan’s atomic research centers are all offline. I know. I checked. milw0rm is just a bunch of stupid kids.”

IronLogik says that if he had decided to try his hand at cracking BARC’s intranet, he is sure he could have accessed extremely sensitive material. Given BARC’s woefully inadequate security, this would not have been out of the realm of possibilities. What’s worse, if he had been a terrorist or corporate spy, who knows what he could have downloaded.

As for t3k-9, he says he dreams of the day when someone will pay him $100,000 to hack. At that price he doesn’t care whether it’s legal or not. IronLogik plans to attend the University of Belgrade like his father. He either wants to be a system administrator (“The people I outsmart,” Ratko says) or a penetration tester, someone who’s paid to hack systems to show their vulnerabilities.

In the meantime both have moved on. t3k-9 recently found a security hole in Microsoft’s FrontPage software product and IronLogik has been exploring other atomic targets: Iran, Iraq, Italy and Turkey. In fact, a few days after he hacked BARC, IronLogik nailed a nuclear research center in Turkey.

Connecting to host .

Cnaem login: ***** Password: ***** Welcome to Cekmece Nuclear Research Center…

“I just want to live my life to the fullest,” said Ratko, happily scrolling through reams of Turkish technical data.

Copyright 1998 Adam L. Penenberg (penenberg.com)