==Phrack Inc.==

Volume Two, Issue 22, File 11 of 12

PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
PWN                                                             PWN
PWN              P h r a c k   W o r l d   N e w s              PWN
PWN              ~~~~~~~~~~~   ~~~~~~~~~   ~~~~~~~              PWN
PWN                      Issue XXII/Part 3                      PWN
PWN                                                             PWN
PWN                 Created by Knight Lightning                 PWN
PWN                                                             PWN
PWN                    Written and Edited by                    PWN
PWN               Knight Lightning and Taran King               PWN
PWN                                                             PWN
PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN

Computer Break-In                                             November 11, 1988
~~~~~~~~~~~~~~~~~
From Intercom, Vol 28, No. 24, Air Force Communications Command Newsletter
By Special Agent Mike Forche, AFOSI Computer Crime Investigator

A computer hacker penetrated an Air Force Sperry 1160 computer system in the San Antonio, Texas, area. The hacker was discovered by alert Air Force Communications Command computer operators, who notified the data base administrator that an unauthorized user was in the system.

The data base administrator was able to identify the terminal, password, and USERID (system level) used by the hacker, and quickly disabled the USERID/password (which belonged to a computer system monitor). The data base administrator then observed the hacker trying to get into the system using the old USERID/password, and watched as the hacker successfully gained entry using another unauthorized USERID/password (which was also a system administrator level password).

The hacker was an authorized common user of the computer system; however, he obtained system administrator access level to the government computer on both occasions. Review of the audit trail showed that the hacker had successfully gained unauthorized access to the computer every day during the two weeks the audit was run. In addition, the hacker gained unauthorized access to a pay file and instructed the computer floor operator to load a specific magnetic tape (pay tape).
The hacker was investigated by Air Force Office of Special Investigations computer crime investigators for violation of federal crimes (Title 18 US Code, Section 1030, computer fraud, and Section 641, wrongful conversion of government property), Texas state crimes (Title 7, Section 33.02, Texas computer crime, wrongful access) and military crimes (obtaining services under false pretenses, Uniform Code of Military Justice, Article 134).

The computer crime investigators made the following observations:

- The USERIDs used by the hacker were the same ones he had used at his last base, where he had authorized system access in his job. Acronyms and abbreviations of job titles will hardly fool anyone, and carrying the same USERIDs from base to base is dangerous.

- The passwords the hacker used were the first names of the monitors who owned the USERIDs. Names, phone numbers, and other common, easily guessed items have time and time again been beaten by even unsophisticated hackers.

Special Thanks To Major Douglas Hardie
_______________________________________________________________________________

"Big Brotherish" FBI Data Base Assailed                       November 21, 1988
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From Knight-Ridder Newspapers (Columbia Daily Tribune)

"Professionals Unite To Halt Expansion Of Files"

PALO ALTO, California -- For the first time in more than a decade, civil libertarians and computer professionals are banding together to stop what many consider a Big Brotherish attempt by the FBI to keep track of people's lives.

Computer Professionals for Social Responsibility, based in Palo Alto, has been instrumental in preventing the FBI from expanding its data base to include information such as credit card transactions, telephone calls, and airline passenger lists. "We need computer professionals acting like public interest lawyers to make sure the FBI is acting responsibly," said Jerry Berman, chief legislative counsel for the American Civil Liberties Union.
Berman was part of a panel Saturday at Stanford University that went head-to-head with the FBI's assistant director for technical services, William Bayse, over expansion of the National Crime Information Center. Law enforcement officials use the NCIC system's 19.4 million files about 700,000 times a day for routine checks on everyone from traffic violators to Peace Corps applicants.

"The FBI would like us to believe that they are protecting us from the hick Alabama sheriff who wants to misuse the system," said Brian Harvey, a computer expert at the University of California-Berkeley. "The FBI is the problem."

Not since the fight to pass the Privacy Act of 1974 have computer experts, civil libertarians, and legislators come together on the issue of citizen rights and access to information. In the early 1970s, the government's efforts to monitor more than 125,000 war protesters sparked concerns about privacy. The 1974 law limited the movement of information exchanged by federal agencies. But computers were not so sophisticated then, and the privacy act has a number of exceptions for law enforcement agencies, Rotenberg said. No laws curtail the FBI's data base.

Two years ago, the FBI announced its plan to expand the data base and came up with 240 features to include, a sort of "wish list" culled from the kinds of information law enforcement officials who use the system would like to have. Rep. Don Edwards, D-Calif., balked at moving ahead with the plan without suggestions from an independent group, and put together a panel that includes members of the Palo Alto computer organization. Working with Bayse, FBI officials eventually agreed to recommend a truncated redesign of the data base.
It drops the most controversial features, such as plans to connect the data base to records of other government agencies - including the Securities and Exchange Commission, the IRS, the Immigration and Naturalization Service, the Social Security Administration, and the Department of State's passport office. But FBI director William Sessions could reject those recommendations and include all or part of the wish list in the redesign.

The 20-year-old system has 12 main files containing information on stolen vehicles, missing people, criminal arrests and convictions, people who are suspected of plotting against top-level government officials, and people for whom arrest warrants have been issued.
_______________________________________________________________________________

Big Guns Take Aim At Virus                                    November 21, 1988
~~~~~~~~~~~~~~~~~~~~~~~~~~
Taken From Government Computer News

In the aftermath of the most recent virus infection of the Defense Data Network and Arpanet, Defense Department and National Institute of Standards and Technology computer security officials are scrambling to head off further attacks.

Officials of the facilities struck by the virus met this month to discuss its nature and impact. The meeting at National Security Agency headquarters in Fort Meade, Md., included representatives of NSA and NIST as "observers," according to NIST computer security chief Stuart Katzke. Two days later, NSA and NIST officials met again to discuss how to avert future infections, Katzke said.

Katzke, who attended both meetings, said no decisions had been reached on how to combat viruses, and NSA and NIST representatives will meet again to firm up recommendations. Katzke, however, suggested one solution would be the formation of a federal center for anti-virus efforts, operated jointly by NSA's National Computer Security Center (NCSC) and NIST.
The center would include a clearinghouse that would collect and disseminate information about threats, such as flaws in operating systems, and solutions. However, funding and personnel for the center are a problem, he said, because NIST does not have funds for such a facility.

The center also would help organize responses to emergencies by quickly warning users of new threats and defenses against them, he said. People with solutions to a threat could transmit their answers through the center to threatened users, he said. A database of experts would be created to speed response to immediate threats.

The center would develop means of correcting flaws in software, such as trapdoors in operating systems. Vendors would be asked to develop and field solutions, he said. NIST would work on unclassified systems and the NCSC would work on secure military systems, he said. Information learned about viruses from classified systems might be made available to the public through the clearinghouse, Katzke said, although classified information would have to be removed first.

Although the virus that prompted these meetings did not try to destroy data, it made so many copies of itself that networks rapidly became clogged, greatly slowing down communications. Across the network, computer systems crashed as the virus continuously replicated itself.

During a Pentagon press conference on the virus outbreak, Raymond Colladay, director of the Defense Advanced Research Projects Agency (DARPA), said the virus hit "several dozen" installations out of 300 on the agency's unclassified Arpanet network.

Thousands Affected

The virus also was found in Milnet, which is the unclassified portion of the Defense Data Network. Estimates of how many computers on the network were struck varied from 6,000 to 250,000. The virus did not affect any classified systems, DOD officials said.
The virus hit DARPA computers in Arlington, Va., and the Lawrence Livermore Laboratories in California as well as many academic institutions, Colladay said. It also affected the Naval Ocean Systems Command in San Diego and the Naval Research Laboratory in Maryland, a Navy spokesman said.

Written in C and aimed at the UNIX operating system running on Digital Equipment Corp. VAX and Sun Microsystems Inc. computers, the virus was released November 2, 1988 into Arpanet through a computer at the Massachusetts Institute of Technology in Cambridge, Mass. The virus apparently was intended to demonstrate the threat to networked systems. Published reports said the virus was developed and introduced by a postgraduate student at Cornell University who specializes in computer security. The FBI has interviewed the student.

Clifford Stoll, a computer security expert at Harvard University who helped identify and neutralize the virus, said the virus was about 40 kilobytes long and took "several weeks" to write. It replicated itself in three ways.

Spreading the Virus

The first method exploited a little-known trapdoor in the Sendmail electronic-mail routine of Berkeley UNIX 4.3, Stoll said. The trapdoor was created by a programmer as a debugging aid, various reports said, but the programmer forgot to remove it from the final production version. By exploiting this routine, the virus tricked the Sendmail program into distributing numerous copies of the virus across the network.

Another method used by the virus was a password-guessing routine that collected user names and then tried simple variations of them to crack poorly chosen passwords and break into more computers, Stoll said.

Yet another replication and transmission method used a widely known bug in the Arpanet Finger program, which lets users look up information about a user on a distant host, such as when that user last signed on. By sending an overlong Finger request, the virus overflowed a buffer in the Finger server and gained access to the operating systems of Arpanet hosts.
The virus was revealed because its creator underestimated how fast it would attempt to copy itself. Computers quickly became clogged as the virus rapidly copied itself, even though it succeeded in only one of every 10 copy attempts.

Users across the country developed patches to block the virus' entrance as soon as copies were isolated and analyzed. Many users also used Arpanet to disseminate the countermeasures, although transmission was slowed by the numerous virus copies in the system.

DARPA officials "knew precisely what the problem was," Colladay said. "Therefore, we knew precisely what the fix was. As soon as we had put that fix in place, we could get back online." Colladay said DARPA will revise security policy on the network and will decide whether more security features should be added. The agency began a study of the virus threat two days after the virus was released, he said.

All observers said the Arpanet virus helped raise awareness of the general virus threat. Several experts said it would help promote computer security efforts. "Anytime you have an event like this it heightens awareness and sensitivity," Colladay said.

However, Katzke cautioned that viruses are less of a threat than access abusers and poor management practices such as inadequate disaster protection or password control. Excellent technical anti-virus defenses are of no use if management does not maintain proper control of the system, he said.

Congress also is expected to respond to the virus outbreak. The Computer Virus Eradication Act of 1988, which lapsed when Congress recessed in October, will be reintroduced by Rep. Wally Herger (R-Calif.), according to Doug Griggs, who is on Herger's staff.
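The Sperry 1160 break-in (passwords that were the monitors' first names) and the worm's second propagation method (simple variations of user names) both come down to the same check an administrator can run himself before an intruder does. What follows is an added example, not code from Phrack, from the AFOSI report, or from the worm: an audit that runs the worm's documented first-pass guesses (no password, the login name, the login name doubled, the first word and last name from the GECOS field, the last name reversed) and an optional word list against a passwd-style table and reports which accounts fall. The sample records, the salted SHA-256 used as a stand-in for the DES crypt(3) hash of the period, the "salt$hexdigest" storage format, and the reversed-login and case variants are all assumptions of this example.

```python
"""Audit a passwd-style table for passwords that the Morris worm's first
pass, or the Sperry 1160 intruder, would have guessed from the account
itself.  Added example; not from Phrack, the AFOSI report, or the worm.
"""
import hashlib
from typing import Iterable, Iterator, Sequence, Tuple


def hash_password(password: str, salt: str) -> str:
    """Salted SHA-256 standing in for 1988's DES crypt(3) (assumption).
    Stored form is 'salt$hexdigest'.  The guessing logic only needs to
    hash each candidate with the stored salt and compare the result."""
    digest = hashlib.sha256((salt + password).encode("utf-8")).hexdigest()
    return f"{salt}${digest}"


def worm_style_guesses(login: str, gecos: str,
                       wordlist: Iterable[str] = ()) -> Iterator[str]:
    """Yield candidates in the order the worm's first pass tried them:
    no password, login, login doubled, GECOS first word (nickname), GECOS
    last name, last name reversed; then the supplied word list.
    The reversed login and the lower/capitalised forms are this example's
    own extension (assumption), not documented worm behaviour."""
    names = gecos.split(",", 1)[0].split()   # "Jo Bloggs,Bldg 7" -> ["Jo", "Bloggs"]
    first = names[0] if names else ""
    last = names[-1] if names else ""
    ordered = ["", login, login + login, first, last, last[::-1], login[::-1]]
    ordered.extend(wordlist)
    seen = set()
    for cand in ordered:
        for variant in (cand, cand.lower(), cand.capitalize()):
            if variant not in seen:
                seen.add(variant)
                yield variant


def audit(records: Sequence[Tuple[str, str, str]],
          wordlist: Iterable[str] = ()) -> dict:
    """records: (login, stored_hash, gecos) triples.
    Returns {login: guessed_password} for every account that falls."""
    weak = {}
    wordlist = tuple(wordlist)               # iterated once per account
    for login, stored, gecos in records:
        salt = stored.split("$", 1)[0]
        for cand in worm_style_guesses(login, gecos, wordlist):
            if hash_password(cand, salt) == stored:
                weak[login] = cand
                break
    return weak


# Constructed sample table (no real accounts).  Each weak entry shows one
# pattern named in the articles above.
SAMPLE_RECORDS = [
    ("sysmon1", hash_password("Linda", "aB"), "Linda Quon,Computer System Monitor"),  # owner's first name
    ("payops", hash_password("payopspayops", "Q9"), "Payroll Operator"),             # login doubled
    ("guest", hash_password("", "zz"), "Guest Account"),                              # no password at all
    ("opr2", hash_password("x7#Lq!vE2", "k3"), "Dana Reyes,Night Operator"),         # survives the audit
]

if __name__ == "__main__":
    for login, guess in audit(SAMPLE_RECORDS, wordlist=("password", "secret")).items():
        print(f"{login}: falls to {guess!r}")
```

The account-derived guesses come before the word list on purpose: they cost a handful of hash operations per account and, as both articles show, they were enough on their own. Run at account creation or on a schedule, the same check is the "password control" Katzke has in mind; run by an intruder who has read the passwd file, it is the worm's second method.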
_______________________________________________________________________________

Congressmen Plan Hearings On Virus                            November 27, 1988
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From The Seattle Times (Newhouse News Services)

WASHINGTON - The computer virus that raced through a Pentagon data network earlier this month is drawing the scrutiny of two congressional committee chairmen who say they plan hearings on the issue during the 101st Congress.

Democratic Reps. Robert Roe, chairman of the House Science, Space and Technology Committee, and William Hughes, chairman of the crime subcommittee of the House Judiciary Committee, say they want to know more about the self-replicating program that invaded thousands of computer systems. The two chairmen, both from New Jersey, say they are concerned about how existing federal law applies to the November 2, 1988 incident in which a 23-year-old computer prodigy created a program that jammed thousands of computers at universities, research centers, and the Pentagon.

Roe said his committee also will be looking at ways to protect vital federal computers from similar viruses. "As we move forward and more and more of our national security is dependent on computer systems, we have to think more about the security and safety of those systems," Roe said.

Hughes, author of the nation's most far-reaching computer crime law, said his 1986 measure is applicable in the latest case. He said the law, which carries criminal penalties for illegally accessing and damaging "federal interest" computers, includes language that would cover computer viruses. "There is no question but that the legislation we passed in 1986 covers the computer virus episodes," Hughes said.

Hughes noted that the law also includes a section creating a misdemeanor offense for illegally entering a government-interest computer. The network invaded by the virus, which included Pentagon research computers, would certainly meet the definition of a government-interest computer, he said.

"The 1986 bill attempted to anticipate a whole range of criminal activity that could involve computers," he said.
_______________________________________________________________________________

Pentagon Severs Military Computer From Network Jammed By Virus    Nov. 30, 1988
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
By John Markoff (New York Times)

NEW YORK - The Pentagon said on Wednesday that it had temporarily severed the connections between a nonclassified military computer network and the nationwide academic research and corporate computer network that was jammed last month by a computer virus program.

Department of Defense officials said technical difficulties led to the move. But several computer security experts said they had been told by Pentagon officials that the decision to cut off the network was made after an unknown intruder illegally gained entry recently to several computers operated by the military and defense contractors. Computer specialists said they thought that the Pentagon had broken the connections while they tried to eliminate a security flaw in the computers in the military network.

The Department of Defense apparently acted after a computer at the Mitre Corporation, a Bedford, Mass., company with several military contracts, was illegally entered several times during the past month. Officials at several universities in the United States and Canada said their computers had been used by the intruder to reach the Mitre computer.

A spokeswoman for Mitre confirmed Wednesday that one of its computers had been entered, but said no classified or sensitive information had been handled by the computers involved. "The problem was detected and fixed within hours with no adverse consequences," Marcia Cohen said.

The military computer network, known as Milnet, connects hundreds of computers run by the military and businesses around the country and is linked through seven gateways to another larger computer network, Arpanet.
It was Arpanet that was jammed last month when Robert T. Morris, a Cornell University graduate student, introduced a rogue program that jammed computers on the network.

In a brief statement, a spokesman at the Defense Communications Agency said the ties between Milnet and Arpanet, known as mail bridges, were severed at 10 p.m. Monday and that the connections were expected to be restored by Thursday. "The Defense Communications Agency is taking advantage of the loop back to determine what the effects of disabling the mail bridges are," the statement said. "The Network Information Center is collecting user statements and forwarding them to the Milnet manager."

Several computer security experts said they had been told that the network connection, which permits military and academic researchers to exchange information, had been cut in response to the intruder. "We tried to find out what was wrong (Tuesday night) after one of our users complained that he could not send mail," said John Rochlis, assistant network manager at the Massachusetts Institute of Technology. "Initially we were given the run around, but eventually they unofficially confirmed to us that the shut-off was security related."

Clifford Stoll, a computer security expert at Harvard University, posted an electronic announcement on Arpanet Wednesday that Milnet was apparently disconnected as a result of someone breaking into several computers.

Several university officials said the intruder had shielded his location by routing telephone calls from his computer through several networks. A manager at the Mathematics Faculty Computer Facility at the University of Waterloo in Canada said officials there learned that one of their computers had been illegally entered after receiving a call from Mitre. He said the attacker had reached the Waterloo computer from several computers, including machines located at MIT, Stanford, the University of Washington and the University of North Carolina.
He said that the attacks began on November 3, 1988 and that some calls had been routed from England. A spokeswoman for the Defense Communications Agency said that she had no information about the break-in.

Stoll said the intruder used a well-known computer security flaw to illegally enter the Milnet computers. The flaw is similar to those used by Morris' rogue program. It involves a utility program called "file transfer protocol" (FTP) that is intended as a convenience to permit remote users to transfer data files and programs over the network. The flaw is found in computers that run the Unix operating system.

The decision to disconnect the military computers upset a number of computer users around the country. Academic computer security experts suggested that the military may have used the wrong tactic to attempt to stop the illegal use of its machines. "There is a fair amount of grumbling going on," said Donald Alvarez, an MIT astrophysicist. "People think that this is an unreasonable approach to be taking." He said that the shutting of the mail gateways did not cause the disastrous computer shutdown that was created when the rogue program last month stalled as many as 6,000 machines around the country.

[The hacker suspected of breaking into MIT is none other than Shatter. He speaks out about the hacker community in PWN XXII/4. -KL]
_______________________________________________________________________________

MCI's New Fax Network                                             December 1988
~~~~~~~~~~~~~~~~~~~~~
From Teleconnect Magazine

MCI introduced America's first dedicated fax network. It's available now. The circuit-switched network, called MCI FAX, takes a slice of MCI's existing bandwidth and configures it with software to handle only fax transmissions. Customers - even MCI customers - have to sign up separately for the service, though there's currently no fee to join. Users must dedicate a standard local phone line (e.g. 1MB) to each fax machine they want on the MCI network (the network doesn't handle voice) and in return get guaranteed 9600 baud transmission, and features like management reports, customized dialing plans, toll-free fax, cast fax, several security features, delivery confirmation and a separate credit card.

The system does some protocol conversion: fax messages to PCs, to telex machines, or from a PC via MCI Mail to fax. The service is compatible with any make or model of Group III and below fax machine and will be sold, under a new arrangement for MCI, through both a direct sales force and equipment manufacturers, distributors and retailers. For more info 1-800-950-4FAX. MCI wouldn't release pricing, but it said it would be cheaper.
_______________________________________________________________________________

Military Bans Data Intruder                                    December 2, 1988
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Compiled From News Services

NEW YORK -- The Pentagon has cut the connections between a military computer network (MILNET) and an academic research network (ARPANET) that was jammed last month by a "computer virus."

The Defense Department acted, not because of the virus, but rather because an unknown intruder had illegally gained entry to several computers operated by the armed forces and by defense contractors, several computer security experts said. The Defense Department apparently acted after a computer at the Mitre Corporation of Bedford, Mass., a company with several military contracts, was illegally entered several times in the past month. Officials at several universities in the United States and Canada said their computers had been used by the intruder to reach the Mitre computer.

A spokeswoman for Mitre confirmed Wednesday that one of its computers had been entered, but said no classified or sensitive information had been handled by the computers involved. "The problem was detected and fixed within hours, with no adverse consequences," Marcia Cohen, the spokeswoman, said.
The military computer network, known as Milnet, connects hundreds of computers run by the armed forces and businesses around the country and is linked through seven gateways to another larger computer network, Arpanet. Arpanet is the network that was jammed last month by Robert T. Morris, a Cornell University graduate student.
_______________________________________________________________________________