Date: Thu, 24 Nov 1994 13:40:09 +0000 From: Brian.Randell@newcastle.ac.uk (Brian Randell) Subject: Secret British Telecom Files Hacked [scanned, not checked for errors] The following articles about a major breach of British Telecom security are quoted, in their entirety, without permission, from The Independent (for 24 Nov.), one of the main national newspapers here in the UK. Between them, they fill much of the news column space on the front page, and on all of of pages two and three. As far as I know (from the way the story has been reported on radio by the BBC) the Independent is the only paper that has this story. The articles are ilustrated by photgraphs of the reporter Steve Fleming, the MI5 and MI6 buildings in London, the Government Bunker near Hawthorn, Wiltshire, and one (censored) example of an item that had been obtained from the BT files. Cheers Brian Randell ========== REVEALED: HOW HACKER PENETRATED THE HEART OF BRITISH INTELLIGENCE BY TIM KELSEY Some of the country's most sensitive intelligence networks have been breached by a computer hacker from British Telecom's main database in one of the most serious breaches of national security in recent years. Telephone numbers and addresses for MI6, MI5, many secret Ministry of Defence installations and other very sensitive information were copied from the computer by the hacker without any special technical expertise. The material was then sent out on to the Internet, a global network of computers, to which any one of 35 million users would potentially have access. The thousands of pages of highly confidential BT records were sent across the Internet to a young Scottish journalist, Steve Fleming, in July. Mr Fleming does not know the identity of his informant. The hacker was also able to retrieve, undetected by BT records of the top-secret government communications centre, GCHQ in Cheltenham. Other information included home addresses of senior military personnel, details of phone installations for the secret US communications station at Menwith Hill in North Yorkshire, information about the bunker in Wiltshire where the Government would go in the event of a nuclear war; and telephone installations in Downing Street and Buckingham Palace. The data gives the location of a number of intelligence service buildings in London. Some of these are clumsily disguised on BT records. One MI5 location is described as "shoe shops" and another as "textile warehouseman". Various MI6 locations are also identified. Its training establishment - the school for spies - sits next to a pub in a nondescript building on a busy street in south London. The Independent has been able to verify the authenticity of the information which runs to hundreds of thousands of words and numbers and appears as internal BT records taken straight off the computer. The hacker would not have been able to alter the records, simply read them. It is thought he was able to access the material with astonishing ease. Secure passwords giving access to the system were left lying around BT computer offices. Mr Fleming verified that this was possible by working on a short-term contract for BT, through an employment agency, and gaining access to the computer. One of Britain's leading computer security experts, Ian James, who was for 10 years a senior officer in the Fraud Squad and now gives advice to some of Britain's biggest companies, said last night: "If you are telling me that that computer has been hacked into, it is the most serious breach of security I have ever heard of. There is no way that sort of information should get out." No computer that contains such sensitive information has ever been hacked in the UK on such a scale before, according to Mr James. Tommy Helsby, managing director of Kroll Associates, an international investigations agency with expertise in computer security, said: "It really is very difficult to believe. I am surprised most of all that the security services would not have been more prudent with their information." It is not known if the BT hacker sent the information he collected to anybody other than Mr Fleming. He stopped communicating with Mr Fleming in August and it is not known if he remains active. It is also apparent that some of the numbers billed to the intelligence services are, in fact, operated by apparently private businesses. Two numbers chosen at random were answered with company names. It also emerged that MI5 phone bills are being paid not by the Home Office but by the Ministry of Defence. Other information taken from the computer includes the location of missile bases and military command and control centres in the UK, the private line numbers of John and Norma Major at Downing Street and private lines for Buckingham Palace and Kensington Palace. It would be extremely difficult to tap any of the unlisted lines identified in the documents. However, telecommunications specialists have confirmed that it is possible, if the identity of a telephone exchange is known, to eavesdrop undetected on a telephone line by hacking into BT's fault detection system. Most of the telephone numbers are classified and unlisted even as ex-directory, in BT records. The hacker systematically exploited lax security precautions on the BT system over several weeks to gather a wide range of information. It is understood that he obtained access to the computer while working as a temporary employee with BT. He was given passwords by permanent members of staff, and discovered that these passwords gave them access to the full range of information on the computer. The computer database, the Customer Services System, was designed by the American company Cincinnati Bell. It is supposed to contain internal safeguards against unlawful hacking. BT has previously maintained that the computer is carefully protected from this kind of abuse, and that only authorised personnel are given access to sensitive information. ---------------- HACKER BLOWS SPY SERVICES' COVER REPORTS: TIM KELSEY Telephone directories for MI5, MI6 and the Government's top-secret eavesdropping centre, GCHQ at Cheltenham, are among the most sensitive numbers disclosed in the huge amount of material taken by the hacker from the British Telecom computer. The hacker also found information on secret United States military listening posts in the United Kingdom. MI5's telephone network has its centre on the 17th floor of Euston Tower in central London. In the BT documents, this is identified as the base of MI5's "communications manager". The billing lists dozens of lines run from the tower, and the network extends across the country. All the telephone bills charged to MI5, which is attached to the Home Office and for which the Home Secretary is answerable to Parliament are paid by the Ministry of Defence. Despite the fact that MI5 has moved to new headquarters at Thames House, some bills are still charged through its old headquarters at 140 Gower Street in Bloomsbury - within walking distance of the tower. Many of the numbers listed appear to belong to external companies. The lndependent called one number at random, which was answered as a private business. Many others are believed to belong to similar "front" companies. Earlier this year, MI5 ran a free 0800 number from Euston Tower for the convenience of operatives engaged in "watching" targets around the UK and forced to make calls from payphones. All the numbers have a special designation and are not listed in any telephone directories. Apart from giving information about active telephone numbers, the bills also detail the kinds of telecommunications equipment and the exchanges from which the telephones are run. This would enable experienced hackers to access the line and listen to conversations. The telephone bills reveal the location of a number of security service buildings in London which had not previously been identified. Some of the numbers are clumsily disguised: one central London number is described as belonging to a shoe shop, but the bill is paid by the Ministry of Defence for MI5. Another is described as belonging to "textile warehouseman". It is not just the telecommunications network of MI5 that has been compromised. Confidential details concerning both the Secret Intelligence Service, or MI6, and GCHQ have also been taken from the BT computer. MI6 communications centres-and there are dozens in central London - are listed as Government Communications Bureaux in the records. Unlike MI5, it appears that MI6 has its own telephone budget, and it pays its own bills. There are many numbers identified, and addresses supplied. Some go into the new MI6 headquarters building at 85 Albert Embankment, but many do not. The records appear to identify MI6 locations outside this building. MI6 is also paying for a number of telephones located in a busy street in south London which has been identified as the spy training centre. What is thought to have been MI6's former City of London office is located in an office block in the Square Mile. Some of the telephone numbers - like those listed under MI5 - appear to be used by private companies. The information taken off the BT computer also compromises GCHQ, Britain's communications headquarters. It gives computer access numbers as well as classified telephone numbers within the organisation It ;also provides the location of key facilities and identifies exchanges used. BT supplies equipment to the US Department of Defense listening station at Menwith Hill on the North Yorkshire moors, which is the largest American communications base in Europe. There are numbers for the site's computer rooms, and even for voicemail messages, which would enable hackers to listen to messages left for staff. The British Telecom computer into which the hacker, and then Mr Fleming obtained access, is called CSS, the Customer Services System. This computer contains all information on every BT customer - government, business and residential. This covers installation details, faults, credit arrangements and itemised bills. It also gives addresses. The computer, which is situated in central London, was designed by Cincinnati Bell, the American telecommunications company. The system handbook states that there are security systems designed to prevent unauthorised access to forbidden areas. BT literature claims that access to CSS is strictly limited with information released to specific vetted users at specific terminals. This system can only work, of course, if passwords are not shared with temporary members of staff. Finding information on the CSS, once on-line, is easy. Simple commands give access to the national system. If one commanded a search on the word "government", among the items retrieved by the system would be "government communications bureau", the BT billing name for MI6. ------------------ MISSILE AND RADAR SITES EXPOSES The locations of secret missile and radar stations and military communications centres are detailed on the British Telecom computer - and are no more difficult to find than someone's home telephone number. BT sought to disguise the identity of some of Britain's most secret military installations but even so the hacker, who penetrated the central computer database, was able to acquire the home addresses of senior officers, all of whom could be terrorist targets. The BT information describes the location of a variety of sensitive sites: Nato fuel depots, remote communications posts in the Highlands of Scotland, missile bases and tactical air control centres. It also details the location of classified signals operations throughout Britain. Some of the information in the records is historical. Several numbers no longer function. There are some operational numbers for Operation Granby, the code name for the British campaign in the Gulf. The data also show how the Ministry of Defence pays telephone bills for a number of private contractors, including the Royal Ordnance. In one case the ministry appears to pay for telephones at a Royal Ordnance factory. Some of the most sensitive numbers are given misleading identities: one unit's telephone number is described as belonging to "glaziers" and an RAI; communications base is categorised as a "club and association". However, the hacker was able, without any difficulty, to identify the actual owner of the telephone numbers. These numbers are not just voice lines - many provide access to military computers. The documents also identify which exchanges the military uses to route its calls. This information would enable hackers to eavesdrop on calls undetected. The listings also give details of secure telephone exchanges in the field, which are located only by their Ordnance Survey grid reference co-ordinates. Some of the numbers give access to nuclear submarines in port in Scotland, and others give access to frigates at sea. There are also numbers for nuclear weapons storage sites. The documents not only compromise military installations, they also reveal the home addresses and ex-directory telephone numbers of senior military personnel. All are potential terrorist targets. The Ministry of Defence may have to relocate many of its senior officers. It is possible that much more information has been obtained from the BT computer than the Independent knows. ---------------- HOW I HACKED INTO SECURITY FILES STEVE FLEMING describes how he found top secret communications information in the BT computer. As an amateur computer enthusiast, I have spent several years involved on the Internet - the gigantic worldwide network of computers which all talk to each other. Each computer on the Net has its own mail box to which messages can be sent. Six months ago, I started to investigate how difficult it would be to gain access to one of Britain's largest and most sensitive computers. There were rumours circulating on the Internet that someone had gained entry to the British Telecom main computer or that they were trying to do so. I sent a general message over the Net to see if anybody had been successful. There were dozens of replies: most asking for more information; most time-wasting. Sometime in July, I received an anonymous message on the computer. It was a document. There was nothing to identify who had sent it or why. At first glance it looked like an invoice: a list of numbers, product details, and prices. It was not. It was a British Telecom record giving unlisted private telephone numbers inside 10 Downing Street. Was this a real document? I did not know where it had come from; nor did I know whether I was breaking the law by having seen it. But I was curious, while sceptical of its authenticity and decided to check it. So, at around ll pm one night, I called one of the numbers. A woman answered. "Hello," she said. I hesitated and then replied: "Hello. May I speak to John, please?" She then asked me who I was and I hung up. About four days later I received another anonymous message on my screen which contained another document. It had the same format as the first - more BT internal data - but this time it gave details of MI6 installations. After that I tried to find out who my source was. I approached two people I had been told were computer hackers who took a particular interest in the telephone network. They gave me 10 numbers that they said were top secret. They did not tell me why. I decided to send another general message on to the Internet, with the numbers, in the hope this might provoke the source to reveal himself. Shortly after that I received another message - there was no attached document. This time, the source explained how it was possible to break into the BT computer. He told an extraordinary story about the way in which temporary staff employed by BT were given easy access to the computer. He said that passwords assigned to vetted full-time members of the staff were pinned to noticeboards and left in notebooks beside the terminals so that they could be used by temps. He said that BT did not bother to create shortterm passwords and simply allowed its temps to share fulltime access privileges. He went on, Temps not only obtained access to the computer on which the records of every client BT has - government, business and residential - are kept, but there were no restrictions once they were inside. A temp was able to access any kind of data: even the telephone numbers of the secret services. I found this hard to believe. But for the time being did nothing. I was becoming increasingly worried that I was being set up. Was I involved in some real threat to the national security? Was I being used? Two or three days later, I received more documents on my computer. These contained a huge amount of information that ranged across the secret services to GCHQ and the Ministry of Defence. That was the last I heard from this source. I still had no idea why he had chosen to send the material to me. I also doubted that the material was authentic. How could it be? How could somebody obtain such access to the British Telecom computer? How could they do it without being detected? With some qualms, I decided to try and verify the documents. I thought the best way of doing this would be, as the source had suggested, to go into BT as a temp and see if it was possible to obtain access to the computer. I applied to an employment agency in the late summer for a job involving computers at British Telecom; 48 hours later I was offered a temporary position. To my amazement I found when I first walked into the BT offices that, as the source had described, passwords openly distributed and a remarkable lack of supervision. I was able to gain access to the computer without provoking suspicion, and to view some of the same information I had received over the Internet. I left BT after three days without accepting any payment. I decided to approach the authorities and entered into a dialogue with a Special Branch officer and other security service personnel who were made aware of the role I had played. ------------------- TERRORISTS COULD LISTEN IN TO MAJOR THE THREAT What use are these telephone numbers? If a foreign power or a terrorist had access to this information, what could they do with it? Telecommunications experts have ruled out the possibility that physical phone taps could be attached to most of the lines and conversations overheard or disrupted. Many of the lines - and most of them are secure - will be cased in tubing which could not be broken without setting off alarms. Experts have also said that there is no equipment yet invented which can listen to telephone calls without having physical access to the line. It is possible to monitor mobile telephone calls by "scanning" electronically for them. It is not possible to do this with hard-wired telephone lines. However, there is a way in which conversations can be overheard, and this method which is already popular in the United States, has no defence in the British Telecom system Telecommunication security specialists consulted by the Independent, who do not wish to be identified, have successfully tested this method on British telephone lines. This is illegal but it is also undetectable. This system allows an individual to sit by his telephone at home and overhear conversations on any line in the country providing he knows to which exchange the telephone line is connected. He can then, by locating what is called the remote observation unit, and scanning for a simple code hack into the system British Telecom engineers use to test faults on lines. This allows the hacker to interrupt calls, to listen to them undetected, and to disrupt them. Theoretically, if somebody with this know-how and a private line number for the Prime Minister, would be able to listen into conversations. One of the experts said: 'It could take as long as 24 hours to scan for the code and then a matter of minutes to hook onto the call." The implications of this leak could be wide-ranging. It is not known how much the hacker retrieved from the computer. He may have copied much more information than he sent to Mr Fleming. If BT takes seriously the prospect of hackers listening into telephone calls then all the unlisted confidential numbers for M15, M16, the Ministry of Defence, GCHQ and several Government departments will have to be changed. The cost would he substantial. More serious, however is the fact that the material gives the location of secret service buildings and other sensitive addresses. It is not known if the hacker who communicated with Mr Fleming sent his information to anybody else. It is suspected that the hacker "parked" the information at a number of sites on computers around the world. It is impossible to estimate the potential costs of relocating personnel to take account of the possible security risk posed by this leak. --------------- EMERGENCY TELEPHONE NETWORK IN PLACE FOR WAR COMPUTER'S DATABANKS SHOW HOW THE NATION WOULD BE GOVERNED IN A CRISIS Data contained on the BT computer paints a detailed picture of the way in which Britain would be governed and defended in time of war. The existence of the Defence Communications Network, which is the wartime alternative to the BT telephone network, is a closely guarded secret and has never before been exposed in so much detail. In February the Government redesigned the telecommunications system for the emergency network. The computer shows where government departments would be relocated during a war and where the key communications centre for both military and civil defence would be located. At its heart is a huge underground bunker, maintained by the Department of the Environment, beneath a field near Hawthorn in Wiltshire. The BT data shows the location of special exchanges to deal with emergency telephone communications. Knowing their location, an enemy might be able to disable them. The bunker, which is codenamed Burlington, is about 100 acres in size and extends around 12Oft below ground. It is designed to be the seat of central government and can house 55,000 people. The Defence Communications Network is controlled from the bunker. The BT records show that there are three access points for telephone calls from the national network - if one site is bombed, opportunities remain to keep open the network. However, the BT records provide enough information to identify all three sites. The records also reveal the complicated structure of the secret national network. Many otherwise innocent buildings have been earmarked as communications posts: the basement in a west country town hall would be taken over by the Home Office as a regional civil defence headquarters. The Navy would set up communications operations in a commercial radio station in Cornwall. A secondary school in Scotland would become a police station. There is a special telephone line linking the Isles of Scilly to the mainland which would be used to maintain government communications. All the locations chosen as civil defence centres are already - and they may not be aware of it - on the system. But it only becomes active in an emergency. If that should happen, BT has the ability to cut all other telephone communications in the UK to relieve pressure on the system and to preserve battery power. Civilians and businesses would find they were not able to make calls. The system has been upgraded. It was until this year a system reliant on old manual switchboards with calls routed by operators. It has now been set up as a more efficient and faster digital network. The BT records also identify the engineer responsible for maintenance of the network. ------------- NO 10 AND PALACE MAY HAVE TO ALTER NUMBERS THE EFFECTS Downing Street and Buckingham Palace may have to alter all their telephone numbers because the hacker retrieved from the computer full details of numbers, addresses and details of all equipment supplied. This, in Downing Street's case appears to include external security apparatus. The hacker also accessed numbers belonging to government departments including the Department of the Environment and the Home Office. Prison telephone numbers and information relating to a Prison Service computer system went out on the Internet. What BT describes in its records as the "Prime Minister's Installation" at 10 Downing Street gives the name of the exchange through which the numbers are routed and information on telecommunications equipment used within the building. There are numbers which would give access to the Cabinet Office and other government offices. Among the several numbers listed are two in the "above-the-shop" flat in which John and Norma Major live at Downing Street. Some of the telephones have lights which are activated to show the caller is using a privacy set - which scrambles conversations to make them more secure. There is also a facility on Downing Street numbers for monitoring whether the line is tapped. The rest of the equipment is openly available in the high street. The records also give extensive detail on ex-directory direct line numbers for Buckingham Palace, which are thought to include numbers for the apartments of members of the Royal Family. They also give numbers for Kensington Palace, the residence of the Princess of Wales. The palace switchboard is also directly linked by special lines to Clarence House - the Queen Mother's home - and a nearby Ministry of Defence building. The total quarterly cost of the equipment the Palace rents from BT is (pound sterling) 14,000. There are a variety of ex-directory numbers for the Department of Environment, including various computer access lines. The Home Office Prison Service communications network may have been extensively compromised. Dozens of unlisted telephone numbers, some of them inside prisons and giving access to prison service computers have been leaked. Because they also contain details of local exchanges, it would be possible to overhear, or even disable, particular lines. It also gives details of ex-directory payphone numbers which can located to specific wings inside prisons and are supposed to be used by inmates only for outgoing calls. ----------- CONFIDENTIAL CUSTOMER DATA REVEALED THE FILES The hacker not only probed information which might compromise the secret services or the defence establishment, he also wanted to show how easy it was to acquire commercially sensitive information from BT. As a token of this, the information released on to the Internet located a series of numbers for the Bank of England, giving access to one of its main computers. It also contained the computer access number for an emergency computer operated by a high street bank. Experienced hackers may be able to find their way into the system if they know the telephone number that gives access to it. There is also a great deal of confidential commercial and personal information available, including whether the telephone number is ex-directory or unlisted. The database gives a variety of personal details: name, address, private ex-directory telephone number, and occupation. The leaked documents contain a large amount of personal information including credit details on customers. It is not known whether BT sells this information to other organisations, or whether it discloses its own credit assessments. The bills record details of every conversation a client has with British Telecom customer services. The staff member may then record their own comments, which will remain on the client's record for as long as they are a customer with BT and may affect their future credit rating. Customers are not made aware of this. One customer acquired an ex-directory number which was to be paid for by a charity. The charity had difficulty paying but promised to do so. The BT customer services official noted for the benefit of future operators: "Please - no more concessions . . ." The line was then apparently cut off. The customer had no right of appeal. Dept. of Computing Science, University of Newcastle, Newcastle upon Tyne, NE1 7RU, UK EMAIL = Brian.Randell@newcastle.ac.uk PHONE = +44 91 222 7923 FAX = +44 91 222 8232