RISKS-LIST: RISKS-FORUM Digest Tuesday 7 March 1989 Volume 8 : Issue 36 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator Contents: Malicious Hacking (Gene Spafford) News from the KGB/Wily Hackers (Klaus Brunnstein) The fight to purify the word "hacker" is lost (Steve Bellovin, Brad Templeton) Dangers of Spy programs (John ffitch) Re: reach out and spy on someone (Vandenberg) Social effects of viruses (Don Alvarez) Previous message to RISKS misunderstood (John Sinteur) [Power failure problems] The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, and nonrepetitious. Diversity is welcome. * RISKS MOVES SOON TO csl.sri.com. FTPable ARCHIVES WILL REMAIN ON KL.sri.com. CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line (otherwise they may be ignored). REQUESTS to RISKS-Request@CSL.SRI.COM. FOR VOL i ISSUE j / ftp KL.sri.com / login anonymous (ANY NONNULL PASSWORD) / get stripe:risks-i.j ... (OR TRY cd stripe: / get risks-i.j ... Volume summaries in (i.j)=(1.46),(2.57),(3.92),(4.97),(5.85),(6.95),(7.99). ---------------------------------------------------------------------- Date: 7 Mar 89 19:45:38 GMT From: spaf@cs.purdue.edu (Gene Spafford) Subject: Malicious Hacking I've recently been in contact with someone doing a study for DOE on malicious hacking. In particular, the following 3 topics have been specifically targetted for attention: 1) Have there been any documented cases of loss of life, threat to life, massive economic loss, or other disastrous circumstances caused by someone breaking into or hacking on a system? This is *not* concerned with system failures or poor design, but rather with acts of specific intent. 2) Have there been any documented (or strongly suspected) cases of hacking/cracking/etc. for purposes of corporate espionage or sabotage, or for service to a foreign government? The recent West German arrests are one case...are there others? 3) Has anyone (other than Sherry Turkle) done any work on the psychological profile of someone likely to break into systems, be a compulsive hacker/cracker, etc? If so, do you have references? If you have any material on the above, I'd appreciate hearing about it. I'd like to see if for my class on ethics & responsibility, and my contact would like it for his report. I'm sure that anyone contributing to the report will get a copy, assuming that the final report is unclassified. Thanks in advance. Gene Spafford NSF/Purdue/U of Florida Software Engineering Research Center, Dept. of Computer Sciences, Purdue University, W. Lafayette IN 47907-2004 Internet: spaf@cs.purdue.edu uucp: ...!{decwrl,gatech,ucbvax}!purdue!spaf ------------------------------ Date: 07 Mar 89 18:52 GMT+0100 From: Klaus Brunnstein Subject: News from the KGB/Wily Hackers Now, 5 days after the `sensational' disclosure of the German (NDR) Panorama TV team, the dust of speculations begins to rise and the facts become slowly visible; moreover, some questions which could not be answered (e.g. in Clifford Stoll's CACM paper) may now be answered. Though not all facts are known publicly, the following facts seem rather clear (most of the material has been published; I learned some facts when I analysed, for another Panorama story, some of the lists which had been sold to KGB, according to the journalists): - In 1986, some hackers from W.Berlin and Hannover discussed, in `hacker parties' with alcohol and drugs, how to solve some personal financial problems; at that time, first intrusions of scientific computers (probably CERN/Geneva as `hacker training camp) and CCC's spectacular Btx-intrusion gave many hackers (assisted by newsmedia) the *puerile impression* that they could intrude *into every computer system*; I remember contemporary discussions on 1986/87 Chaos Computer Conferences about possibilities, when one leading CCC member warned that such hacks might also attract espionage (Steffen Wernery recently told that German counter-espionage had tried several times to hire him and other CCC members as advisors - unsuccessfully). - A `kernel group' of 5 hackers who worked together, in some way, in the `KGB case' are (according to Der SPIEGEL, who published the following names in its Monday, March 6 edition): ->Markus Hess, 27, from Hannover, Clifford Stoll's `Wily Hacker': after having ended (unfinished) his studies in Mathematics, he works as programmer, and tries to get an Informatics diploma at the University of Hagen (FRG); he is said to have good knowledge of VMS and UNIX (see Cliffs paper: it seems to give a good personal profile!). ->Karl Koch, 23, from Hannover, who works as programmer; due to his luxurious lifestyle and his drug addiction, his permanent financial problems have probably catalysed the desire to sell `hacker knowledge' to interested institutions. ->Hans Huebner, alias `Pengo', from Berlin, who after having received his Informatics diploma from Technical University of W.Berlin, founded a small computer house; the SPIEGEL writes that he needed money for investment in his small enterprise; though he doesnot belong to Chaos Computer Club (as he told me during last Chaos Computer Conference, December 1988), he holds close contacts to the national hacker scenes (Hamburg: Chaos Computer Club; Munich: Bavarian Hacker Post; Cologne: Computer Artists Cologne, and other smaller groups), and he was the person to speak about UUCP as a future communications medium (cf. my CCC'88 report in Risk Forum 89/01). ->Dirk Brezinski, from W.Berlin, programmer and sometimes `troubleshooter' for Siemens BS-2000 systems (the operating system of Siemens mainframe computers), who earned, when working for Siemens or a customer (BfA, a national insurance for employees) 20,000 DM (about 10,800 $) a month; he is regarded (by an intelligence officer) as `some kind of a genious'. ->Peter Carl, from W.Berlin, a former croupier, who `always had enough cocaine'. (No information about his computer knowledge/experience available). After successfully stimulating KGB's interest, the group (mainly Hess and Koch) committed their well-documented hacks (-->Clifford Stoll: `Stalking the Wily Hacker', CACM May 1988). SPIEGEL writes that the group *sold 5 diskettes full of passwords*, from May to December 1986, to KGB officers which they met in East Berlin; when Bremen University computer center, their favorite host for transatlantic hacks, asked (Dec.86) the police to uncover the reasons for their high telephone bills, they stopped the action. This statement of Der SPIEGEL is probably wrong: as Cliff describes, the `Wily Hacker' successfully worked until early 1988, when the path from his PC/telephone was disclosed by TYMNET/German Post authorities (the German public prosecutors didnot find enough evidence for a trial, when examining Hess' apartment; moreover, they had acquired the material in illegal actions, so the existing evidence couldnot be used and finally had to be scratched!). In Hess' apartment, public prosecutors found (on March 3, 1989) password lists from other hacks. On Monday, March 6, 1989, the Panorama team (who had disclosed the NASA hack and basically the KGB connection) asked me to examine some of the password lists; the material which I saw (for 30 minutes) consisted of about 100 photocopied protocols of a hack during the night of July 27 to 28, 1987; it was the famous `NASA hack': From a VAX 750 (with VMS 4.3), which they entered via DATEX-P (the German packed-switched data-exchange network, an X.25 version), where they evidently previously had installed a Trojan horse (UETFORT00.EXE), they tried, via SET HOST ..., to log-into other VAXes in remote institutes. They always used SYSTEM account and the `proper' password (unvisible). [Remark: Unfortunately, DECs installation procedure works only if a SYSTEM account is available; evidently, most system managers do not change the preset default password MANAGER; since Version 4.7, MANAGER is excluded, but on previous VMS versions, this hole probably exists in many systems!] Since the hackers, in more than 40% of the cases, succeeded to login, their first activitities were to SET PRIV=ALL; SET PRIO=9, and then to install (via trans-net copy) the Trojan horse. With the Trojan horse (not displayed under SHow Users), they copied the password lists to their PCs. When looking through the password list, I observed the well-known facts: more than 25% female or male first names, historical persons, countries, cities, or local dishes (in the Universities of Pisa, Pavia and Bologna, INSALATA was/is a favorite password of several people). Only in CASTOR and POLLUX, the password lists contained less than 5% passwords of such nature easy to guess! Apart from many (about 39) unsuccessful logins, many different CERN /GENEVA, NASA systems (CASTOR, POLLUX, Goddard and Ames Space Flight Centers), several US, GB, French, Italian and some German institutes connected in SPANEt were `visited'. The documented session was from July 27, 10 p.m. to July 28, 1 a.m. (I am not sure that I saw all the material available). The media report that other hacks (probably not all committed by Hess and Koch theirselves) were sold to KGB. Among them, Electronic and Computer Industry seem to be of dominant interest for the USSR. If special CAD/CAM programs and Megabit designs (esp. from Thomson/France, from VAX systems) have been stolen, the advantage and value for the USSR cannot be (over)estimated. In FRG, the current discussion is whether the hackers succeeded to get into `kernel areas' or only `peripheral areas'. This discussion is ridiculous since most `peripheral systems' contain developments (methods, products) for future systems, while the `kernel systems' mainly contain existing applications (of past architectures). The well-known hackers (esp.CCC) have been seriously attacked by some media. My best guess is that CCC was itself *a victim* because the group succeeded to informally get much of the information which they needed for some of the hacks, and which they finally sold to KGB. Apart from `Pengo', I dont see close relation between CCC and the KGB/Wily Hackers. Nevertheless, CCC and others, like Cheshire Catalyst in US, have prepared a climate where espionage inevitably sprang-off. Klaus Brunnstein Hamburg/FRG. ------------------------------ Date: Tue, 07 Mar 89 22:13:14 EST From: ulysses!smb@research.att.com Subject: What's a hacker? (The fight to purify the word "hacker" is lost) I'm not sure we want to open this can of worms (again), but... The grammatical world is divided into two camps on such questions, the prescriptivists and the descriptivists. The former know the ``proper'' usage for every word and phrase; the latter tell it like it is. To insist that ``hacker'' still retains its original meaning is to align yourself with the former camp. Face it, that battle is over, and the purists have lost; the word hacker, in many contexts, does now mean a criminal. I've always been a descriptivist; trying to legislate how people talk is a singularly fruitless activity, the activities of certain governments notwithstanding. --Steve BEllovin ------------------------------ Date: Mon Mar 6 22:30:10 1989 From: Brad Templeton Subject: The fight to purify the word "hacker" is lost It is with regret that I have to say that this fight has been lost. "Hacker" and "computer criminal" are now equated in the public mind, to the extent that this use of "hacker" now appears in newspaper headlines. The German Spy breakins confirm this in papers all over the world. Once this has happened, we can't win the battle to get the old meaning back. Who am I to announce the loss of this battle? A frontliner. My custom licence plate is "HACK." I got it back in the early days when it meant wizard. Sigh. Brad Templeton, Looking Glass Software Ltd. -- Waterloo, Ontario 519/884-7473 ------------------------------ Date: Tue, 7 Mar 89 10:02:21 PST From: Peter Scott Subject: False fire alarms A colleague just related a story to me about his apartment building. Recently the water main supplying the sprinklers fractured, some distance away from the building. The fire alarm is triggered by a drop in water pressure in the sprinkler system, on the thesis that a sprinkler has been set off. So the fire department arrived, but couldn't figure out why the alarms wouldn't shut off when no smoke alarms had been triggered, no call buttons had been pushed, no sprinklers were running, and there was nary a wisp of smoke. Peter Scott (pjs@grouch.jpl.nasa.gov) ------------------------------ Date: Tue, 7 Mar 89 18:10:54 GMT From: jpff@maths.bath.ac.uk <@NSS.Cs.Ucl.AC.UK> Subject: Dangers of Spy programs The recent discussion of this reminds me of an incident which happened when I was a research student in Cambridge (way back..) when the computer we had was Titan. A staff member wrote a program (called L/WHO for other ex-Cambridge folk) which told who was logged on, and what they were doing. This was the first multiple access system in the UK, and so this kind of information was of great interest. A friend of mine, Robin Fairbairns, took the program an extended it to give more information, and we all enjoyed using it. One of his enhancements was to show which magnetic tapes a user had loaded. Now the incident. The Titan Operating system scheduled tape jobs separately as tape decks were a scarce resource. In order to improve throughput the scheduler would accelerate starting jobs which used tapes which were already on a drive. Using the L/WHO program a student determined which tapes were in use, and used the information to get their programs run quickly. Of course the operators did not notice the effect, as the tape scheduling was totally automatic, and the cheating program did actually use the tape. That is until the day when the student program inadvertently wrote to block device zero, and as this was a tape (usually it would be scratch disk) the tape was overwritten. The owner of the tape was not amused at all (I will suppress the name as they are still very active). Robin was persuaded to remove the facility of giving tape names. The operators objected of course. The operating system was not good at telling them which tape was where, and they had been relying on L/WHO for some time. The upshot was that the spy program had a "is this user the operator" function added (and also a "is this Robin F" bit). After that I believe it survived until the unfortunate switching off of such a great machine. I will not attempt a moral, except to remark that the program did not use any privileged information. ==John ffitch ------------------------------ Date: 6 Mar 89 03:05:06 CST (Mon) From: vanden@studsys.mu.edu (vandenberg) Subject: Re: reach out and spy on someone Although I'm not a UNIX guru (or even close for that matter) I do know that it is possible to 'monitor' someone else's terminal. With our setup, a 3b5 running SYS5, the defaults are such that anyone can 'see' what's on another terminal and even write to it. As one my guess this can lead to rather vicious games between bored students. {..uunet..uwvax!uwmcsd1..}!marque!studsys!vanden {..uwvax..arpa..}!studsys.mu.edu!vanden vanden%studsys@marque.UUCP ------------------------------ Date: Mon, 6 Mar 89 22:01:24 EST From: Don Alvarez Subject: Social effects of viruses "Guy_Robinson.SBDERX<"@Xerox.COM writes about a Marvel Comics android(?) that gets wiped out by a computer virus and says: >One problem this situation raised was that the Vision's human WIFE was a little >distraught! Could this be a whole new type of RISK to bear in mind? I have a similar story from my own life, in which my roommate came home one night around 11:00pm to find me and my fiancee sitting, clearly very depressed, unhappily in the living room. He asked "what's the matter?" and my fiancee said "Don has a virus, and he just got reinfected, and there's nothing he can do about it." Needless to say my roommate felt this was not a good time to hang around and quickly disappeared. Only much later that night did he hear me on the phone to a friend in California (which was three hours behind us) and piece together that (a) I did not have any conventional social diseases (b) the infection was to my computer (c) the date was november 4th, 1988 (d) the virus was the "internet virus of 1988" and (e) the reason I couldn't do anything about it was that I couldn't get in as root over the modem. Talk about RISKS of computer viruses! - Don ------------------------------ Date: Sat, 4 Mar 89 10:59 N From: Subject: Previous message to risks misunderstood (Power failure problems, RISKS-8.28) I received some flak from my previous employer after a message from me appeared in risks 8.28. Apparently they are even considering legal action ('though I'm not sure about this (yet)). I would like to set something straight... -I never mentioned the company's name in my message. Their view seems to be that this isn't necessary, as everybody knows I worked for them. I feel flattered, but I don't think it's true. I never had a function that exposed me to the public in any way. -They feel the message is degrading the company's image. Well, RISKS is meant as a forum to relate the risks of modern day technology to people professionally interested in those risks. It is not meant as a forum to make fun of companies ('listen what happened to them...'), nor of their employees. Despite this flak (which I consider to be a slight hiccup on their side), I still like the company very much, and I consider having worked with the people a great honour. I wouldn't think of insulting them in any way. They're great professionals, and I learned a lot from them. I also believe my message was received professionally by the Risks Forum, mainly because of the reply in RISKS-8.30 by Jonathan I. Kamens, relating a very similar case that happened to his University. If you feel I did degrade the company's image (and also happen to know the company's name), please send me a message. I would like to know how many people agree with my previous employer's views on this... -John Sinteur (mail to adegroot@hroeur5.bitnet) [RISKS Relevance sticklers may think that is not relevant. However, because of the obvious risks of sending contributions to public BBoards, it seems relevant enough to include. Please respond to John directly, although you may CC: RISKS-REQUEST (i.e., not for inclusion) if you wish. PGN] ------------------------------ End of RISKS-FORUM Digest 8.36 ************************