==Phrack Inc.== Volume Two, Issue 22, File 12 of 12 PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN P h r a c k W o r l d N e w s PWN PWN ~~~~~~~~~~~ ~~~~~~~~~ ~~~~~~~ PWN PWN Issue XXII/Part 4 PWN PWN PWN PWN Created by Knight Lightning PWN PWN PWN PWN Written and Edited by PWN PWN Knight Lightning and Taran King PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN Networks Of Computers At Risk From Invaders December 3, 1988 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ By John Markoff (New York Times) Basic security flaws similar to the ones that let intruders gain illegal entry to military computer networks in recent weeks are far more common than is generally believed, system designers and researchers say. And there is widespread concern that computer networks used for everyday activities like making airline reservations and controlling the telephone system are highly vulnerable to attacks by invaders considerably less skilled than the graduate student whose rogue program jammed a nationwide computer network last month. For example, the air traffic control system could be crippled if someone deliberately put wrong instructions into the network, effectively blinding controllers guiding airplanes. The two recent episodes have involved military computers: One at the Mitre Corporation, a company with Pentagon contracts, and the other into Arpanet, a Defense Department network with links to colleges. But illegal access to computer systems can compromise the privacy of millions of people. In 1984, TRW Inc. acknowledged that a password providing access to 90 million credit histories in its files had been stolen and posted on a computerized bulletin board system. The company said the password may have been used for as long as a month. This year an internal memorandum at Pacific Bell disclosed that sophisticated invaders had illegally gained access to telephone network switching equipment to enter private company computers and monitor telephone conversations. Computer security flaws have also been exploited to destroy data. In March 1986 a computer burglar gained access by telephone to the office computer of Rep. Ed Zschau of California, destroyed files and caused the computer to break down. Four days later, staff workers for Rep. John McCain of Arizona, now a senator, told the police they had discovered that someone outside their office had reached into McCain's computer and destroyed hundreds of letters and mailing addresses. In Australia last year, a skilled saboteur attacked dozens of computers by destroying an underground communication switch. The attack cut off thousands of telephone lines and rendered dozens of computers, including those at the country's largest banks, useless for an entire day. Experts say the vulnerability of commercial computers is often compounded by fundamental design flaws that are ignored until they are exposed in a glaring incident. "Some vulnerabilities exist in every system," said Peter Neumann, a computer scientist at SRI International in Menlo Park, California. "In the past, the vendors have not really wanted to recognize this." Design flaws are becoming increasingly important because of the rapidly changing nature of computer communications. Most computers were once isolated from one another. But in the last decade networks expanded dramatically, letting computers exchange information and making virtually all large commercial systems accessible from remote places. But computer designers seeking to shore up security flaws face a troubling paradox: By openly discussing the flaws, they potentially make vulnerabilities more known and thus open to sabotage. Dr. Fred Cohen, a computer scientist at the University of Cincinnati, said most computer networks were dangerously vulnerable. "The basic problem is that we haven't been doing networks long enough to know how to implement protection," Cohen said. The recent rogue program was written by Robert Tappan Morris, a 23-year-old Cornell University graduate student in computer science, friends of his have said. The program appears to have been designed to copy itself harmlessly from computer to computer in a Department of Defense network, the Arpanet. Instead a design error caused it to replicate madly out of control, ultimately jamming more than 6,000 computers in this country's most serious computer virus attack. For the computer industry, the Arpanet incident has revealed how security flaws have generally been ignored. Cohen said most networks, in effect, made computers vulnerable by placing entry passwords and other secret information inside every machine. In addition, most information passing through networks is not secretly coded. While such encryption would solve much of the vulnerability problem, it would be costly. It would also slow communication between computers and generally make networks much less flexible and convenient. Encryption of data is the backbone of security in computers used by military and intelligence agencies. The Arpanet network, which links computers at colleges, corporate research centers and military bases, is not encrypted. The lack of security for such information underscored the fact that until now there has been little concern about protecting data. Most commercial systems give the people who run them broad power over all parts of the operation. If an illicit user obtains the privileges held by a system manager, all information in the system becomes accessible to tampering. The federal government is pushing for a new class of military and intelligence computer in which all information would be divided so that access to one area did not easily grant access to others, even if security was breached. The goal is to have these compartmentalized security systems in place by 1992. On the other hand, one of the most powerful features of modern computers is that they permit many users to share information easily; this is lost when security is added. In 1985 the Defense Department designed standards for secure computer systems, embodied in the Orange Book, a volume that defines criteria for different levels of computer security. The National Computer Security Center, a division of the National Security Agency, is now charged with determining if government computer systems meet these standards. But academic and private computer systems are not required to meet these standards, and there is no federal plan to urge them on the private sector. But computer manufacturers who want to sell their machines to the government for military or intelligence use must now design them to meet the Pentagon standards. Security weaknesses can also be introduced inadvertently by changes in the complex programs that control computers, which was the way Morris's program entered computers in the Arpanet. These security weaknesses can also be secretly left in by programmers for their convenience. One of the most difficult aspects of maintaining adequate computer security comes in updating programs that might be running at thousands of places around the world once flaws are found. Even after corrective instructions are distributed, many computer sites often do not close the loopholes, because the right administrator did not receive the new instructions or realize their importance. _______________________________________________________________________________ Computer Virus Eradication Act of 1988 December 5, 1988 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The following is a copy of HR-5061, a new bill being introduced in the House by Wally Herger (R-CA) and Robert Carr (D-Mich.). - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 100th Congress 2D Session H.R. 5061 To amend title 18, United States Code, to provide penalties for persons interfering with the operations of computers through the use of programs containing hidden commands that can cause harm, and for other purposes. IN THE HOUSE OF REPRESENTATIVES July 14, 1988 Mr. Herger (for himself and Mr. Carr) introduced the following bill; which was referred to the Committee on the Judiciary A BILL To ammend title 18, United States Code, to provide penalties for persons interfering with the operations of computers through the use of programs containing hidden commands that can cause harm, and for other purposes. - - - Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled, SECTION 1. SHORT TITLE. This Act may be cited as the "Computer Virus Eradication Act of 1988". SECTION 2. TITLE 18 AMENDMENT. (A) IN GENERAL.- Chapter 65 (relating to malicious mischief) of title 18, United States Code, is amended by adding at the end the following: S 1368. Disseminating computer viruses and other harmful computer programs (a) Whoever knowingly -- (1) inserts into a program for a computer information or commands, knowing or having reason to believe that such information or commands will cause loss to users of a computer on which such program is run or to those who rely on information processed on such computer; and (2) provides such a program to others in circumstances in which those others do not know of the insertion or its effects; or attempts to do so, shall if any such conduct affects interstate or foreign commerce, be fined under this title or imprisoned not more than 10 years, or both. (b) Whoever suffers loss by reason of a violation of subsection (a) may, in a civil action against the violator, obtain appropriate relief. In a civil action under this section, the court may award to the prevailing party a reasonable attorney's fee and other litigation expenses. (B) CLERICAL AMENDMENT.- The table of sections at the begining of chapter 65 of title 18, United States Code, is amended by adding at the end the following: S 1368. Disseminating computer viruses and other harmful computer programs. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - NOTE: The above text was typed in by hand from a printed copy of HR5 061. There is a possibility that there may be typographical errors which could affect the nature of the bill. For an official copy of the bill, please contact: Mr. Doug Riggs 1108 Longworth Bldg Washington D.C. 20515 Information Presented by Don Alvarez of the MIT Center For Space Research _______________________________________________________________________________ Virus Conference In Arlington, Virginia December 5, 1988 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Entitled "Preventing and Containing Computer Virus Attacks", it takes place January 30-31, in Arlington, VA. Speakers include Representative Wally Herger (R-CA), a special agent from the FBI, John Landry (ADAPSO virus committee chairman), Patricia Sission from NASA, as well as a collection of attorneys and business folk. The conference is chaired by Dave Douglass, no information provided. It supposedly costs $695. The address provided is: United Communications Group 4550 Montgomery Avenue Suite 700N Bethesda, MD 20814-3382 Information Provided By Gregg Tehennepe _______________________________________________________________________________ New York Times Reviews Novel About Computer Sabotage December 7, 1988 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The Sunday, December 4, 1988 issue of the New York Times Book Review (their Christmas Books issue) prominently reviews a new novel, 'Trapdoor,' by Bernard J. O'Keefe. The premise (from the review by Newgate Callender, NYT's crime fiction reviewer): "A brilliant American woman of Lebanese descent has developed the computer code that controls the operation of all our nuclear devices. Turned down for the job she has sought, convinced male chauvinism is the reason, she is ripe to be conned by a Lebanese activist. At his suggestion she inserts a virus into the computer system that in a short time will render the entire American nuclear arsenal useless. ... The Lebanese President ... demands that Israel withdraw from the West Bank, or else he will tell the Russians that the United States will lie helpless for a week or so." Callender's review begins with the lead sentence, "November 2, 1988, was the day computers in American went mad, thanks to the 'virus' program inserted by the now-famous, fun-loving Robert T. Morris, Jr." Some background on the author, also from the review: "Bernard J. O'Keefe (is) chairman of the high-tech company EG&G and of an international task force on nuclear terrorism ... (and is) the author of a nonfiction book called 'Nuclear Hostages.' O'Keefe says, "I wrote this parable to point out the complexity of modern technology and to demonstrate how one error, one misjudgment, or one act of sabotage could lead to actions that would annihilate civilization."" Callender also says "...the execution is less brilliant than the idea. The book has the usual flashbacks, the usual stereotyped characters, the usual stiff dialogue." Although the reviewer doesn't say so, the premise of this novel is quite similar to a 1985 French thriller, published in the U.S. as 'Softwar.' That novel was also based on the idea that a nation's arsenal could be completely disabled from a single point of sabotage, although in 'Softwar' it was the Soviet Union on the receiving end. Popular reviewers of both books apparently find nothing implausible in the premise. _______________________________________________________________________________ Hacker Enters U.S. Lab's Computers December 10, 1988 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ By Thomas H. Maugh II (Los Angeles Times Service) A computer hacker has entered computers at the government's Lawrence Livermore Laboratory in the San Francisco Bay area eight times since last Saturday, but has not caused any damage and has not been able to enter computers that contain classified information, Livermore officials said Friday. [Do they ever admit to anyone gaining access to classified data? -KL] Nuclear weapons and the Star Wars defense system are designed at Livermore, but information about those projects is kept in supercomputers that are physically and electronically separate from other computers at the laboratory. The hacker, whose identitiy remains unknown, entered the non-classified computer system at Livermore through Internet, a nationwide computer network that was shut down at the beginning of November by a computer virus. Chuck Cole, Livermore's chief of security, said the two incidents apparently are unrelated. The hacker entered the computers through an operating system and then through a conventional telephone line, he gave himself "super-user" status, providing access to virtually all functions of the non-classified computer systems. Officials quickly limited the super-user access, although they left some computers vulnerable to entry in the hope of catching the intruder. "There has been no maliciousness so far," Cole said. "He could have destroyed data, but he didn't. He just looks through data files, operating records, and password files...It seems to be someone doing a joy-riding thing." _______________________________________________________________________________ Shattering Revelations December 11, 1988 ~~~~~~~~~~~~~~~~~~~~~~ Taken from the RISKS Digest (Edited for this presentation) [Shatter is a hacker based in England, he is currently accused of breaking into computers at Massachusetts Institute of Technology. -KL] (In this article, "IT" seems to refer to the computer community as a whole -KL) Some of you may have already heard of me via articles in the Wall Street Journal, New York Times, etc, but for those of you who do not have access to copies of these newspapers I am a hacker of over 10 years activity who is based near Nottingham, England [Rumored to be a false statement]. My specialities are the various packet switched networks around the world such as PSS, Telepac, Transpac, etc with various forays into UNIX, NOS/VE VMS, VM/SP, CMS, etc. I feel that as a hacker with so much activity and expirience I am qualified to make the following points on behalf of the whole hacking community. Hackers are not the vandals and common criminals you all think we are in fact most of the "TRUE" hackers around have a genuine respect and love for all forms of computers and the data that they contain. We are as a community very responsible and dedicated to the whole idea of IT, but we also have a strong dislike to the abuse of IT that is perpetrated by various governments and organizations either directly or indirectly. There is of course a small minority of so called hackers who do cause trouble and crash systems or steal money, but these people on the whole are dealt with by other hackers in a way that most of you could not even think of and most never repeat their "crimes" again. The term "HACKER" is still one to be very proud of and I am sure that in days past, anyone with a computer was called a hacker and they were very proud of the fact that someone felt that you had a great technical expertise that warrented the use of the term. However, all of the accusers out there now suffer from the standard problem that nearly all people involved within IT have and that is non-communication. You never pass on the information that you pick up and teach to others within IT [American Government organizations and Educational Institutes are among the greatest offenders] and this allows the hacking community [who do communicate] to be at least one step ahead of the system administrators when it comes to finding security problems and finding the cause and solution for the problem. A case in point is the recent Arpanet Worm and the FTP bug. Both these problems have been known for many months if not years but, when talking to various system administrators recently, not one of them had been informed about them and this left their systems wide open even though they had done all they could to secure them with the information they had. An interesting piece of information is that hackers in England knew about Morris's Worm at least 12 hours before it became public knowledge and although England was not able to be infected due to the hardware in use, we were able to inform the relevent people and patrol Internet to Janet gateways to look for any occurance of the Worm and therefore we performed a valuble service to the computing community in England -- although we did not get any thanks or acknowledgement for this service. Hackers should be nurtured and helped to perform what they consider a hobby. Some people may do crosswords for intelectual challenge -- I study computers and learn about how things interact together to function correctly (or incorrectly as the case may be). The use of a group of hackers can perform a valuable service and find problems that most of you could not even start to think of or would even have the inclination to look for. So please don't treat us like lepers and paupers. Find yourself a "TAME" hacker and show him the respect he deserves. He will perform a valuble service for you. Above all COMMUNICATE with each other don't keep information to yourselves. Bst Rgrds Shatter _______________________________________________________________________________ IBM Sells Rolm To Siemens AG December 14, 1988 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ International Business Machines Corp. (IBM) announced on Tuesday that it was selling its Rolm telephone equipment subsidiary to West Germany's Siemens AG. Rolm has lost several hundred million dollars since IBM bought it in 1984 for $1.5 billion. Rolm was the first, or one of the first companies to market digital PBX systems. As most telecom hobbyists already know, the PBX market has been very soft for years. It has suffered from little or no growth and very bitter price competition. Siemens, a leading PBX supplier in Europe wants to bolster its sales in the United States, and believes it can do so by aquiring Rolm's sales and service operations. Quite obviously, it will also gain access to some of the lucrative IBM customers in Europe. Rolm was an early leader in digital PBX's, but they were surpassed in 1984 by AT&T and Northern Telecom Ltd. of Canada. Part of the strategy behind IBM's purchase of Rolm was IBM's belief that small personal computers would be linked through digital PBX's. Although this has happened, most businesses seem to prefer ethernet arrangements; something neither IBM or Rolm had given much thought to. IBM was certain the late 1980's would see office computers everywhere hooked up through PBX's. IBM made a mistake, and at a recent press conference they admitted it and announced that Rolm was going bye-bye, as part of the corporate restructuring which has seen IBM divest itself of numerous non-computer related businesses in the past several months. From its beginning until 1984, Rolm could not run itself very well; now IBM has washed its corporate hands. Time will tell how much luck the Europeans have with it. Information Contributed by Patrick Townson _______________________________________________________________________________ Virus Invades The Soviet Union December 19, 1988 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ >From The San Francisco Chronicle (P. A16) (UPI) - The Soviet Union announced on Decemeber 18, 1988 that that so-called computer viruses have invaded systems in at least five government-run institutions since August, but Soviet scientists say they have developed a way to detect known viruses and prevent serious damage. In August 1988, a virus infected 80 computers at the Soviet Academy of Sciences before it was brought under control 18 hours later. It was traced to a group of Soviet and foreign schoolchildren attending the Institute's summer computer studies program, apparently resulting from the copying of game programs. Sergei Abramov of the Soviet Academy of Sciences claims they have developed a protective system, PC-shield, that protects Soviet computers against known virus strains. It has been tested on IBM computers in the Soviet Union. "This protective system has no counterpart in the world," he said (although the details remain a state secret). _______________________________________________________________________________ Phrack World News Quicknotes Issue XXII ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 1. Rumor has it that the infamous John Draper aka Captain Crunch is currently running loose on the UUCP network. Recently, it has been said that he has opened up some sort of information gateway to Russia, for reasons unknown. ------------------------------------------------------------------------------- 2. Information Available For A Price ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ A company called Credit Checker and Nationwide SS says that anyone can; o Take a lot of risk out of doing business. o Check the credit of anyone, anywhere in the United States o Pull Automobile Drivers License information from 49 states o Trace people by their Social Security Number By "Using ANY computer with a modem!" To subscribe to this unique 24-hour on-line network call 1-800-255-6643. Can your next door neighbor really afford that new BMW ? ------------------------------------------------------------------------------- 3. Reagan Signs Hearing-Aid Compatibility Bill ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ There is new legislation recently passed which requires all new phones to be compatible with hearing aids by next August. The law requires a small device to be included in new phones to eliminate the loud squeal that wearers of hearing aids with telecoils pick up when using certain phones. Importers are not exempted from the law. Cellular phones and those manufactured for export are exempt. _______________________________________________________________________________ =========================================================================