Subject: RISKS DIGEST 9.77
REPLY-TO: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest  Wednesday 21 March 1990  Volume 9 : Issue 77

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents: [NO RISKS NEXT WEEK.  ALSO, A SOLUTION TO SENDMAIL PROBLEMS IN SIGHT.]
  Stranded Satellite (Steve Bellovin)
  Re: London Underground wrong-way train in rush-hour (Richard A. Schumacher)
  Internet Intruder (John Markoff via PGN (excerpted))
  Internet Intruder Warning (J. Paul Holbrook)
  Risks of reporting breakins (Randal Schwartz)
  Re: Privacy in Printout (Tim Wood, Henry Spencer)
  Computer-based phones threaten privacy (again!) ("34AEJ7D")

The RISKS Forum is moderated.  Contributions should be relevant, sound, in good taste, objective, coherent, concise, and nonrepetitious.  Diversity is welcome.
CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line (otherwise they may be ignored).  REQUESTS to RISKS-Request@CSL.SRI.COM.
TO FTP VOL i ISSUE j:
  ftp CRVAX.sri.com
  login anonymous
  AnyNonNullPW
  cd sys$user2:[risks]
  get risks-i.j
Vol summaries now in risks-i.0 (j=0)

----------------------------------------------------------------------

Date: Tue, 20 Mar 90 13:34:34 EST
From: smb@ulysses.att.com
Subject: Stranded Satellite

An attempt to launch the $150M Intelsat 6 communications satellite from a Titan 3 rocket failed recently because of a wiring error in the booster.  The problem was compounded by a human communications failure between the electricians and the programmers.  The rocket was wired in a two-satellite configuration.  This was erroneous; only one satellite was aboard that rocket.
The command to separate the satellite from the booster rocket was generated by a computer; however, when the computer people said that they would launch the ``first'' payload, they meant the top one, while the wiring people understood ``first'' to mean the bottom payload compartment -- which wasn't used.  And -- if I attempt to translate the newspaperese back into technical English -- it appears that the separation signal had to travel through the satellite to reach the separation device; given the faulty wiring, it didn't pass through.

   [Subsequent firing of liquid-fueled rocket thrusters has gotten the satellite into a higher orbit, where it may be safe (but still not usable) for a few extra months.  PGN]

------------------------------

Date: 21 Mar 90 00:58:01 GMT
From: schumach%convex@uunet.UU.NET (Richard A. Schumacher)
Subject: Re: London Underground wrong-way train in rush-hour (RISKS-9.76)

The article seems to suggest that train drivers on the Underground have control over the switchwork (!).  Can this possibly be true?

------------------------------

Date: 21 Mar 90 10:30:41
From: John Markoff via PGN (excerpted)
Subject: Internet Intruders

SELF-PROCLAIMED `HACKER' SENDS MESSAGE TO CRITICS
By JOHN MARKOFF, c.1990 N.Y. Times News Service

A man identifying himself as the intruder who illegally penetrated part of a nationwide computer linkup said Tuesday that he had done so to taunt computer security specialists who have denounced activities like his.

His assertion came in a telephone call to The New York Times on Tuesday afternoon.  The man identified himself only as an Australian named Dave, and his account could not be confirmed.  But he offered a multitude of details about various electronic break-ins in recent months that were corroborated by several targets of the intruder.  He said he was calling from outside the United States, but that could not be verified.
Federal investigators have said that in recent months the intruder has illegally entered computers at dozens of institutions in a nationwide network, the Internet.  Once inside the computers, they said, the intruder stole lists of the passwords that allow users to enter the system and then erased files to conceal himself.

[...]

Investigators in the new Internet case said the federal authorities in Chicago were close to finding the intruder and several associates.  The U.S. attorney's office in Chicago refused to confirm that assertion.  The investigators said that in some cases the intruder might have used a program that scanned the network for computers that were vulnerable.

In his telephone call to The Times on Tuesday, the man said he had broad access to U.S. computer systems because of security flaws in those machines.  As a self-proclaimed computer hacker, he said, he decided to break in to the computer security experts' systems as a challenge.

Among the targets of the recent attacks were Clifford Stoll, a computer system manager at the Smithsonian Astronomical Observatory at Harvard University, and Eugene Spafford, a computer scientist who specializes in computer security issues at Purdue University.

The caller said he was upset by Stoll's portrayal of intruders in a new book, ``The Cuckoo's Egg.''  ``I was angry at his description of a lot of people,'' the caller said.  ``He was going on about how he hates all hackers, and he gave pretty much of a one-sided view of who hackers are.''

Several days ago the intruder illegally entered a computer Stoll manages at Harvard University and changed a standard welcome message to read: ``Have Cliff read his mail.  The cuckoo has egg on his face.  Anonymous.''

The caller explained in detail his techniques for illegally entering computer systems.  He gave information about Stoll's and Spafford's computer systems that matched details they were familiar with.
And he described a break-in at an external computer that links different networks at Digital Equipment Corp.  A spokeswoman for the company confirmed that a machine had been entered in the manner the caller described.  But the caller was not able to penetrate more secure Digital computers, she said.

The caller said he had intended to tease the security experts but not to damage the systems he entered.  ``It used to be the security guys chase the hackers,'' he said.  ``Now it's the hackers chase the security people.''

Several managers of computer systems that were entered said that no significant harm had been done but that the invader had wasted the time of system administrators, who were forced to drop their normal duties to deal with the breaches in security.  Ordinary users were also inconvenienced, the managers said, because their computers had to be temporarily removed from the system for security reasons.

Investigators familiar with the break-ins said the intruder had entered systems by using several well-known security flaws that have been widely distributed in computerized mailing lists circulated among systems managers.

Stoll, who from 1986 to 1988 tracked a group of West Germans breaking into U.S. corporate, university and nonclassified military computers, said the intruders had not proved any point.  ``It's sad that people have these gunslinger ethics,'' he said.  ``It shows how easy it is to break into even a modestly secure system.''

Spafford, who has also written , but added that nothing significant had been compromised.

[...]

As a result of the break-ins, the Smithsonian Astronomical disconnected its computers from the Internet, a network that connects servers around the world.

Among the institutions believed to have been penetrated by the intruder are the Los Alamos National Laboratory, Harvard, Digital Equipment, Livermore Laboratories, Boston University and the University of Texas.
Tuesday, the caller asserted that he had successfully entered dozens of different computers by copying the password files to his machine and then running a special program to decode the files.  That program was originally written as a computer security experiment by a California-based computer scientist and then distributed to other scientists.

[... reference to the following CERT message...]

Asked Tuesday whether he would continue his illegal activities, the caller said he might lay low for a while.  ``It's getting a bit hot,'' he said, ``and we went a bit berserk in the past week.''

------------------------------

Date: Mon, 19 Mar 90 15:42:52 EST
From: "J. Paul Holbrook"
Subject: Internet Intruder Warning

CA-90:02                       CERT Advisory                 March 19, 1990
                          Internet Intruder Warning

There have been a number of media reports stemming from a March 19 New York Times article entitled 'Computer System Intruder Plucks Passwords and Avoids Detection.'  The article referred to a program that attempts to get into computers around the Internet.

At this point, the Computer Emergency Response Team Coordination Center (CERT/CC) does not have hard evidence that there is such a program.  What we have seen are several persistent attempts on systems using known security vulnerabilities.  All of these vulnerabilities have been previously reported.  Some national news agencies have referred to a 'virus' on the Internet; the information we have now indicates that this is NOT true.  What we have seen and can confirm is an intruder making persistent attempts to get into Internet systems.

It is possible that a program may be discovered.  However, all the techniques used in these attempts have also been used, in the past, by intruders probing systems manually.

As of the morning of March 19, we know of several systems that have been broken into and several dozen more attempts made on Thursday and Friday, March 15 and 16.
Systems administrators should be aware that many systems around the Internet may have these vulnerabilities, and intruders know how to exploit them.  To avoid security breaches in the future, we recommend that all system administrators check for the kinds of problems noted in this message.

The rest of this advisory describes problems with system configurations that we have seen intruders using.  In particular, the intruders attempted to exploit problems in Berkeley BSD derived UNIX systems and have attacked DEC VMS systems.  In the advisory below, points 1 through 12 deal with Unix, points 13 and 14 deal with the VMS attacks.

If you have questions about a particular problem, please get in touch with your vendor.

The CERT makes copies of past advisories available via anonymous FTP (see the end of this message).  Administrators may wish to review these as well.

We've had reports of intruders attempting to exploit the following areas:

1) Use TFTP (Trivial File Transfer Protocol) to steal password files.

   To test your system for this vulnerability, connect to your system using TFTP and try 'get /etc/motd'.  If you can do this, anyone else can get your password file as well.  To avoid this problem, disable tftpd.

   In conjunction with this, encourage your users to choose passwords that are difficult to guess (e.g. words that are not contained in any dictionary of words of any language; no proper nouns, including names of "famous" real or imaginary characters; no acronyms that are common to computer professionals; no simple variations of first or last names, etc.)  Furthermore, inform your users not to leave any clear text username/password information in files on any system.

   If an intruder can get a password file, he/she will usually take it to another machine and run password guessing programs on it.  These programs involve large dictionary searches and run quickly even on slow machines.
   The experience of many sites is that most systems that do not put any controls on the types of passwords used probably have at least one password that can be guessed.

2) Exploit accounts without passwords or known passwords (accounts with vendor supplied default passwords are favorites).  Also uses finger to get account names and then tries simple passwords.

   Scan your password file for extra UID 0 accounts, accounts with no password, or new entries in the password file.  Always change vendor supplied default passwords when you install new system software.

3) Exploit holes in sendmail.

   Make sure you are running the latest sendmail from your vendor.  BSD 5.61 fixes all known holes that the intruder is using.

4) Exploit bugs in old versions of FTP; exploit mis-configured anonymous FTP.

   Make sure you are running the most recent version of FTP which is the Berkeley version 4.163 of Nov. 8 1988.  Check with your vendor for information on configuration upgrades.  Also check your anonymous FTP configuration.  It is important to follow the instructions provided with the operating system to properly configure the files available through anonymous ftp (e.g., file permissions, ownership, group, etc.).  Note especially that you should not use your system's standard password file as the password file for FTP.

5) Exploit the fingerd hole used by the Morris Internet worm.

   Make sure you're running a recent version of finger.  Numerous Berkeley BSD derived versions of UNIX were vulnerable.

Some other things to check for:

6) Check user's .rhosts files and the /etc/hosts.equiv files for systems outside your domain.  Make sure all hosts in these files are authorized and that the files are not world-writable.

7) Examine all the files that are run by cron and at.  We've seen intruders leave back doors in files run from cron or submitted to at.  These techniques can let the intruder back on the system even after you've kicked him/her off.
   Also, verify that all files/programs referenced (directly or indirectly) by the cron and at jobs, and the job files themselves, are not world-writable.

8) If your machine supports uucp, check the L.cmds file to see if they've added extra commands and that it is owned by root (not by uucp!) and world-readable.  Also, the L.sys file should not be world-readable or world-writable.

9) Examine the /usr/lib/aliases (mail alias) file for unauthorized entries.  Some alias files include an alias named 'uudecode'; if this alias exists on your system, and you are not explicitly using it, then it should be removed.

10) Look for hidden files (files that start with a period and are normally not shown by ls) with odd names and/or setuid capabilities, as these can be used to "hide" information or privileged (setuid root) programs, including /bin/sh.  Names such as '.. ' (dot dot space space), '...', and .xx have been used, as have ordinary looking names such as '.mail'.  Places to look include especially /tmp, /usr/tmp, and hidden directories (frequently within users' home directories).

11) Check the integrity of critical system programs such as su, login, and telnet.  Use a known, good copy of the program, such as the original distribution media and compare it with the program you are running.

12) Older versions of systems often have security vulnerabilities that are well known to intruders.  One of the best defenses against problems is to upgrade to the latest version of your vendor's system.

VMS SYSTEM ATTACKS:

13) The intruder exploits system default passwords that have not been changed since installation.  Make sure to change all default passwords when the software is installed.  The intruder also guesses simple user passwords.  See point 1 above for suggestions on choosing good passwords.

14) If the intruder gets into a system, often the programs loginout.exe and show.exe are modified.  Check these programs against the files found in your distribution media.
If you believe that your system has been compromised, contact CERT via telephone or e-mail.

J. Paul Holbrook, Computer Emergency Response Team (CERT), Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA 15213-3890
Internet E-mail: cert@cert.sei.cmu.edu
Telephone: 412-268-7090 24-hour hotline: CERT personnel answer 7:30a.m.-6:00p.m. EST, on call for emergencies other hours.

Past advisories and other information are available for anonymous ftp from cert.sei.cmu.edu (128.237.253.5).

------------------------------

Date: Tue, 20 Mar 90 09:15:32 PST
From: Randal Schwartz
Subject: Risks of reporting breakins

"Who *was* that bearded man?"

Just Peter Neumann, the RISKS moderator.  He was being interviewed on CNN last night about the recent Internet breakins.

Now for the RISKS element: The reporter, while talking about "hacker-this" and "virus-that", used screen shots of a terminal.  The text was obviously from some BSD-like system, because I recognized a listing of /etc.  A moment later, for at least two seconds on the screen, I got a clear picture of /etc/passwd!  And a few moments later, an entire login sequence (with hostname, username, and password)!  (I wasn't taping it... sigh. :-)

When you let the press into your cube, be sure you aren't doing something wonderful on your screen.  Does this qualify as an "out-of-band" transmission? :-)

Randal L. Schwartz, Stonehenge Consulting Services
Beaverton, Oregon, USA (503)777-0095

   [Good point, although it occurred at least once before on a filmed episode of a lady hacker being shown carrying out a breakin on camera.  PGN]

------------------------------

Date: Tue, 20 Mar 90 18:00:44 PST
From: tim@sybase.com (Tim Wood)
Subject: Re: Privacy in Printout (RISKS-9.76)

It seems to me that the crux of this very disturbing story is whether or not the defendant had a reasonable expectation of privacy in using the Police Dept.'s TDD.
That expectation is governed by the physical surroundings, assuming there is no electronic monitoring of the telephone or TDD call.  Are arrestees' telephone/TDD conversations that take place in the sheriff's office understood to be off-limits to the police?  A telephone caller in an occupied room would risk at least his side of the conversation being overheard; a TDD caller would risk a department employee looking over his shoulder to read the printed dialogue.  The occupied-room situation seems to offer no expectation of privacy for either type of call, less for the TDD than for phone.

If, however, the defendant had a reasonable expectation of privacy, then it would seem to be basic discrimination against deaf people to use physical evidence of a private conversation (the printed text itself) to prove a more serious charge, since no such physical evidence would exist for an ordinary phone conversation.  The printout (paper + content) may be police property, but there are many cases where certain police property or knowledge is not admitted as evidence.

Note that the US Supreme Court recently ruled that users of cordless telephones have no reasonable expectation of privacy.  Thus if the conversation took place over such a phone, the conversation, whether spoken or TDD, seemingly could have been recorded and used as evidence.

-TW
Sybase, Inc. / 6475 Christie Ave. / Emeryville, CA / 94608  415-596-3500

------------------------------

Date: Tue, 20 Mar 90 11:48:14 EST
From: henry@zoo.toronto.edu
Subject: Re: Privacy in Printout (RISKS-9.76)

A somewhat similar question has been settled and may perhaps provide some guidance: who owns a (physical, not electronic) letter?  The issue comes up in connection with publication of "collected letters of J. Doe" books and the like.  The way this has generally been resolved is that the addressee owns the physical copy of the letter, but the sender (or his heir) owns the copyright on the contents.
Henry Spencer at U of Toronto Zoology

------------------------------

Date: Mon, 19 Mar 90 15:38:05 EST
From: 34AEJ7D@CMUVM.BITNET
Subject: Computer-based phones threaten privacy (again!)

Several universities with computer-based phone systems here in MI have announced that they have in place, or intend to have in place, call tracking systems which will provide printouts for each employee's phone of ALL LOCAL CALLS (as well as long distance) including listing the number called, date and time of the call, and the duration thereof.

The privacy implications of all this, and the attendant threat and capacity for abuse, are obvious.

------------------------------

End of RISKS-FORUM Digest 9.77
************************
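Added example, not part of the digest or of CERT's advisory: a POSIX shell script that automates two of the checks from CA-90:02 above (point 2, extra UID 0 and passwordless accounts; point 6, hosts.equiv/.rhosts entries outside your own domain and world-writable trust files) against constructed sample files. The sample passwd and hosts.equiv contents, the domain example.edu and the function names are assumptions, not anything from the advisory.

```shell
#!/bin/sh
# Added example, not from the CERT advisory: automates points 2 and 6 of
# CA-90:02 against constructed sample files (the accounts, hosts and
# domain below are made up). Assumes a traditional passwd layout:
# name:hash:uid:gid:gecos:home:shell.

# Point 2: UID 0 accounts other than root (intruders add these as back doors).
extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Point 2: accounts whose password field is empty (login with no password).
empty_passwords() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Point 6: entries in hosts.equiv or a .rhosts file that are outside our
# domain, plus the "+" wildcard, which trusts every host on the network.
# Arguments: trust file, our domain (e.g. example.edu).
foreign_trust() {
    awk -v dom="$2" '
        /^[ \t]*#/ || NF == 0 { next }          # comments and blank lines
        $1 == "+" { print $1; next }            # trust-everyone wildcard
        { n = length($1); d = length(dom)
          if (n > d + 1 && substr($1, n - d, 1) == "." &&
              substr($1, n - d + 1) == dom) next
          print $1 }' "$1"
}

# Points 6 and 7: is the file world-writable? Prints 1 if so, else 0.
world_writable() {
    if [ -n "$(find "$1" -prune -perm -002 2>/dev/null)" ]; then
        echo 1
    else
        echo 0
    fi
}

# Constructed sample files standing in for /etc/passwd and /etc/hosts.equiv.
tmp=$(mktemp -d)
cat > "$tmp/passwd" <<'EOF'
root:Xa1b2c3:0:0:Charlie Root:/:/bin/csh
daemon:*:1:1:The devil himself:/:/bin/sh
toor:Xd4e5f6:0:0:planted by intruder:/:/bin/sh
guest::100:100:Guest:/tmp:/bin/sh
alice:Xg7h8i9:101:101:Alice:/home/alice:/bin/csh
EOF
cat > "$tmp/hosts.equiv" <<'EOF'
# hosts we trust for rlogin/rsh without a password
zoo.example.edu
+
cracker.example.org
EOF
chmod 666 "$tmp/hosts.equiv"      # the misconfiguration point 6 warns about

echo "Extra UID 0 accounts:   $(extra_uid0 "$tmp/passwd")"
echo "Passwordless accounts:  $(empty_passwords "$tmp/passwd")"
echo "Foreign trust entries:  $(foreign_trust "$tmp/hosts.equiv" example.edu | tr '\n' ' ')"
echo "hosts.equiv world-writable: $(world_writable "$tmp/hosts.equiv")"
```

Point the functions at the real /etc/passwd, /etc/hosts.equiv and each user's ~/.rhosts to run the same checks on a live BSD-derived system.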