The Fugitive Game: Online With Kevin Mitnick

Authors: Jonathan Littman


The second week in September I get an electronic copy of the London Observer Kevin Mitnick profile. Appearing in the Sunday, September 4, "Style" section of one of London's biggest newspapers, the six-thousand-word article is the longest to date on Mitnick and certainly the most sympathetic. Unlike the U.S. press, the English newspaper discusses what it calls the "paranoia" surrounding Mitnick's case.

TO CATCH A HACKER

By John Sweeney

There is only one word which can describe the reaction of the American judiciary and prison system to Kevin, a white-collar 'criminal' who had caused no physical injury and had not enriched himself: paranoia. Reading the transcripts from the People v Mitnick court case, it is clear that no one in authority understood how a heavily overweight techno-nerd, as the papers defined Kevin, had hacked into the nation's most secret computer databases. . . .

That Kevin had not damaged . . . anything in his travels through cyberspace was not taken into account; that he had trespassed into areas where he should not go was enough to condemn him in their eyes as an outlaw.




Not only is Mitnick's case spawning articles overseas; the FBI believes he's committing international crimes. Los Angeles Special Agent Kathleen Carson, one of the primary FBI agents on the Mitnick case, is corresponding with Neil Clift, Mitnick's overseas "opponent," an expert in security on Digital Equipment's VAX computers. Carson has taken a profound interest in Mitnick's case. De Payne managed to be the third party on one of her private phone calls with an informant, and he didn't like it when Carson compared his friend to a child molester.

So being a prankster, De Payne was pleased when the FBI agent confided to the informant her fondness for hot tubs. De Payne immediately started appending his e-mail with the postscript "Kathleen 'Hot Tub' Carson." The taunt fit nicely with his usual host of damning statements allegedly made by FBI agents, Pac Bell security investigators, and other enemies.

Meanwhile, Carson, at least in her letter to Neil Clift, hardly
sounds confident of the FBI's abilities, describing herself and the FBI
as virtually helpless in tracking Mitnick.

U.S. Department of Justice
Federal Bureau of Investigation
11000 Wilshire Boulevard #1700
Los Angeles, CA 90014
September 22, 1994

Mr. Neil Clift
Loughborough University

Dear Neil:

It must be quite frustrating to sit over there and wonder if the FBI
or British law enforcement authorities are ever going to do anything
and catch our "friend", KDM. I can only assure you that every little
piece of information concerning Kevin which finds its way into my
hands is aggressively pursued.

In fact, I just verified the information you provided.... It certainly appears this computer system has been accessed and compromised by Kevin. Our dilemma, however, is that the "NYX" system administrator is not as helpful to law enforcement as you have been; and we are somewhat limited in our pursuit of watching the account by the American legal procedures.

I wanted to let you know in this letter how much your cooperation
with the FBI has been appreciated. Any telephonic contact made to
you by Kevin is very important — at least to me.

... I can report that you (and only you) are the one concrete connection we have to Kevin outside the world of computers. I do not believe we will ever be able to find him via his telephone traces, telnet or ftp connections, and/or other technological methods. It is only through personal (or, in your case, telephonic) exchanges with Kevin that we gain more insight as to his activities and plans. Your assistance is crucial to this investigation.

... I can only assure you, once again, that your efforts in the Kevin "chase" are appreciated. ... [I]f you choose to continue your cooperation with the FBI by providing me with information about discussions with Kevin, I promise that, one day, all the little pieces of data filtered to me from around the world will fall into place and lead to a computer terminal where I will find Kevin and promptly place him in handcuffs. ...

Thanks again, Neil.

Sincerely yours,

Kathleen Carson

Special Agent

Federal Bureau of Investigation

* ■ *

"The guy looks pretty stationary in the university district," Kevin Pazaski says, tracing his finger across the printouts of phone numbers and cell sites called by the phone hacker. It's the first week of October, 1994, two months since Pazaski began his investigation, and the phone hacker's still swiping calls.

The redheaded fellow sitting next to Pazaski nods. The printouts
show ninety-two calls made in a mere day and a half. Nearly all
originate from cell site four, sector C, the university district.

The redhead is Todd Young, a bounty hunter roving the cyberspace plain. He looks a bit like David Caruso, and like the movie star, rarely smiles. He's just thirty-three, but then everybody in his business is young. Six years with US West Cellular, three as a security manager. He served on the Cellular Telecommunications Industry Association Fraud Task Force.

The last couple of years, Young's headed up the investigative arm of the Guidry Group, a security consulting and investigations firm headquartered near Houston. He's coordinated investigations in Los Angeles, Phoenix, Houston, Wyoming, and Mexico and helped arrest fifteen suspected cell phone hackers running call-selling operations.

Recently he was hired by a Southern California high-tech corporation to do a background check on aliases and former addresses of relatives and friends of Kevin Mitnick, but the investigation led nowhere, and Young quickly forgot about it. Young often has to juggle several investigations in different states. He's a new breed, a cybercop for hire, trained in basic surveillance and all the latest gizmos and gadgets. A thousand dollars a day. That's his price.

Pazaski's bosses figure it's a small price to pay. Pazaski's already
estimated what the hacker's costing CellularOne. He pulls it up on
his screen for Young.

Mobile #    Dates Cloned Calls        Approx Losses

419-3006    June 28-July 2, 1994      $1,030
601-3020    July 1-July 5             $  700
219-2460    July 5                    $  150
419-3588    July 12-July 19           $1,500
419-3013    July 19-July 22           $  600
419-3005    July 22-July 29           $1,030
619-6353    July 29-July 31           $  600
419-4081    August 6-August 17        $1,900
979-1536    August 20-August 23       $   60
619-0105    August 24-August 25       $  730

Total                                 $8,300

Roughly $250 of airtime a day, and the calls keep racking up. And that's just the stuff Pazaski has sorted out. Yet the truth is CellularOne's actual losses are intangible. The phone hacker isn't running up bills on stolen credit cards, he's pilfering airtime. CellularOne's losses are mostly service and time related. But those losses are real. When they're selling a service, they can't have their customers being inconvenienced.

Young isn't worried. So a phone hacker pirated a dozen or so ESNs in the span of a few weeks. ESN skipping, jumping from one serial number to another, doesn't fool Young. Pazaski has done his gumshoe work, found the patterns, the familiar numbers that show up on different bills: modem numbers, information calls, out of state or international numbers. Young knows they're dealing with an operating range of one or two primary cell sites. A couple of square miles.

Besides, crime is crime, even in cyberspace. Cell phone hackers make basic mistakes, like making too many calls from the same place. Young figures the technology tricks them into thinking they're invisible. But he knows what they don't. To a skilled, persistent investigator, every pirated call is a footprint.

Pazaski shows Young a list of the phone hacker's most frequently
called numbers.

Number Called    Findings When Number Called

303-756-0322     Voice mail system (Denver, CO)
303-758-0101     Modem tones (Denver, CO)
206-547-5992     Modem tones (Seattle Internet access line)
312-380-0340     Modem tones
213-718-7626     LA cellular roamer access number
702-791-5177     Modem tones (Las Vegas, NV)
303-757-8901     Modem tones (Denver, CO)
702-734-9807     Modem tones (Las Vegas, NV)
206-346-6000     US West Network Operations Center, Seattle
503-242-7910     US West Communications Equipment Office, Portland

Young considers what the calls to Denver, Vegas, and L.A. show. The phone hacker's dialing modems, changing MINs [mobile identification numbers] every few days, racking up several hundred if not thousands of dollars of calls on each before moving on.

Today he has a new MIN. How does Pazaski deduce the new MIN is pirated? He runs searches on the patterns, checking the billing records. The hacker always calls the same voice mail box and modem in Denver, the same Seattle Internet access line. The calls to US West's operations and communications offices are also suspicious. Generally, only employees or vendors would call those numbers.
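The pattern search described above can be sketched in a few lines; this is an added illustration, not part of the book and not CellularOne's actual tooling. The fingerprint uses three numbers from the frequently-called list, while the MINs, the other dialed numbers, the cell-site labels and the two-hit threshold are constructed assumptions.

```python
from collections import defaultdict

# Destinations from the page's frequently-called list that recur across bills.
FINGERPRINT = {"303-758-0101", "206-547-5992", "206-346-6000"}

# Constructed billing records: (MIN, number called, cell site and sector).
RECORDS = [
    ("555-0101", "303-758-0101", "4C"),
    ("555-0101", "206-547-5992", "4C"),
    ("555-0101", "206-346-6000", "4C"),
    ("555-0101", "206-555-0199", "7A"),
    ("555-0102", "206-555-0142", "2B"),
    ("555-0102", "206-547-5992", "2B"),  # one hit only: an ordinary dial-up user
    ("555-0103", "206-555-0142", "9A"),
    ("555-0103", "206-555-0177", "9A"),
]


def flag_suspect_mins(records, fingerprint, min_hits=2):
    """Return {MIN: (fingerprint numbers called, dominant cell site)} for
    every MIN that called at least `min_hits` distinct fingerprint numbers."""
    hits = defaultdict(set)                         # MIN -> fingerprint numbers seen
    sites = defaultdict(lambda: defaultdict(int))   # MIN -> site -> call count
    for mobile, called, site in records:
        sites[mobile][site] += 1
        if called in fingerprint:
            hits[mobile].add(called)
    flagged = {}
    for mobile, matched in hits.items():
        if len(matched) >= min_hits:
            # The site carrying most of the calls narrows the search area.
            dominant = max(sites[mobile], key=sites[mobile].get)
            flagged[mobile] = (sorted(matched), dominant)
    return flagged


if __name__ == "__main__":
    for mobile, (matched, site) in flag_suspect_mins(RECORDS, FINGERPRINT).items():
        print(mobile, "matched", matched, "mostly from cell site", site)
```

Requiring two or more distinct matches keeps a legitimate subscriber who merely dials the public Internet access line from being flagged.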

Pazaski lays the photocopy of the area map on his desk, and
Young pencils in the boundary of the university cell site. They figure
they're looking at about a hundred thousand people. One needle in a
hundred thousand straws of hay.

The bounty hunter is cool, unsmiling. A grand, he figures. Just a
day's work.

Skip Jacker

Todd Young pulls his dark green Jeep Cherokee up in front of the glass office building by Yarrow Bay in Kirkland, Washington. The time is a little after 1 p.m. on October 7, a sunny, unusually warm fall day in the Pacific Northwest.

Circled map in hand, they drive west toward the University of
Washington. They pass brick university buildings, a bike path
crowded with roller bladers and cyclists, and pull into a parking lot
in the shadow of Husky Stadium.

Pazaski takes the wheel and the bounty hunter readies his equipment. Young sticks the small Doppler Systems directional display unit on the velcro swatch glued to his dash. Red pinhead LEDs on the six-inch plastic box indicate north, south, east, and west. Lodged behind the front seat sits a bulky green metal ICOM 7000 receiver tuned to 824-849 megahertz, the frequency cellular calls transmit on. The receiver is wired to the cigarette lighter, a cable connecting it to the Doppler display. A black metallic dish with four rubber nipple-shaped antennae sprouts from the roof.

Young boots up the Toshiba that sits in his lap. Cellscope 2000 is the name of the whole elaborate setup. It cost about $15,000 when Young bought it a couple of years ago. Only employees of cellular carriers and cops can legally own Cellscopes. And licensed bounty hunters, too.

Radio Direction Finding, or RDFing, is what the pros call it,
tracing cellular radio transmissions back to their origin. The trick is
to get close enough to the caller to pick up what's known as the
reverse voice channel, the weaker portion of the call, which is
transmitted from the cell phone to the nearby cell site. The Doppler
antenna and display work like radar, with the added advantage that
the Doppler helps filter out signals bouncing off buildings or walls
to provide a more accurate reading. When the Cellscope locks onto
a call, one of the sixteen LEDs lights up, showing the direction of
the suspect.

Cellular phones transmit at 600 milliwatts, but within a very
short distance the signal weakens dramatically. Decibel strength
readings on the Toshiba estimate the proximity of the caller. Signal
readings of -100 dBm are weak, just one tenth of a billionth of a
milliwatt, or over a thousand feet away, while -40 dBm is one ten
thousandth of a million milliwatts, less than a hundred feet away.

But technical as the setup sounds, Young is as comfortable with
his tracking rig as a cop with his trusty 38. After forty hours of
formal training on the Cellscope and another three hundred hours in
the field tracking cell phone hackers and call-selling operations, he
knows his equipment.

At 2 p.m. the cybercops fuel up at the Quality Food Center in the University Village Plaza. Two Snapples, some chips, and a couple of hot jalapeno bagels. Pazaski punches a number into his cell phone and slowly walks around the Jeep to make certain the Cellscope's accurately reading his direction. Young watches Pazaski's test call light up his directional display, the LEDs mirroring Pazaski's progress around the Jeep.

"Good enough!" Young declares after one revolution.
