💾 Archived View for gemini.spam.works › mirrors › textfiles › news › hcknews.hac captured on 2020-10-31 at 16:32:59.

-=-=-=-=-=-=-

         
CGA SOFTWARE PRODUCTS GROUP ON COMPUTER CRIME 
 
    INTERNAL COMPUTER CRIME PROVES GREATER THREAT THAN 'HACKERS'
    NEW YORK, July 17 /PRNewswire/ -- For every outsider who accesses 
Pentagon telephone numbers or makes fraudulent credit card purchases, 
like the seven New Jersey teenagers arrested recently, it is
estimated that far greater numbers of disgruntled or dishonest
employees damage their employers' computer systems internally every 
day.
    "Teenage 'hackers' are just the tip of the computer crime 
iceberg," says Carol Molloy, a computer security specialist with CGA
Software Products Group, Holmdel, N.J.  "These computer crimes get
the spotlight because the perpetrators get caught and the victims are 
willing to prosecute."
    More insidious data fraud and malicious damage occurs inside
corporations than any hacker ever committed, Molloy continues.
"Employees have far greater access to sensitive information, and many 
times are so well acquainted with procedures and security features
that they leave no trail at all," she adds.  "Unhappy employees can 
leave a programming 'time bomb' in a computer that causes trouble 
long after they are fired or leave for another job."
    Carelessness, rather than malice, often causes even more
problems, according to Molloy.  "Many computer security systems are 
based on passwords, and people can be very lax about protecting 
them."
    Employee computer crimes, however, receive far less attention 
than outside break-ins, Molloy says, because victimized organizations 
are unwilling to publicize the matter through arrest and prosecution. 
"Revealing damage from internal sources doesn't do much for a 
company's image," she says. 
    "Customers, corporations feel, will start to wonder about just
how secure relevant information may be and may decide to go 
elsewhere.  Also, insurance premiums often go up after a theft is
revealed."
    The question facing data processing and information managers is 
not whether a security system should be installed, but how to go
about it, says Molloy.  "Many organizations believe that security is
solely the concern of the managers," she says.  "They don't realize 
that implementing security requires extensive internal support."
    Security systems also demand ongoing maintenance, she says. 
"Just installing the system doesn't mean data is secure from then 
on," she points out.

UPI Domestic News Wire
Wednesday July 17, 1985
 
      More may be charged in ``hacker'' ring, prosecutor says 
	   NEW BRUNSWICK, N.J. (UPI) -- More people may be charged with using 
home computers to make free long-distance calls and reportedly try to 
break into Pentagon computers, a prosecutor said Wednesday. 
	   Meanwhile, the executive director of the state chapter of the 
American Civil Liberties Union charged the Middlesex County Prosecutor's
Office with ``trampling'' on the rights of one of the seven youths
charged in the scheme Tuesday.
	   The youths used their computers and electronic ``bulletin boards''
to exchange information on computer codes, including some that would
cause communications satellites to ``change position'' and possibly 
interrupt intercontinental communications, Middlesex County Prosecutor
Alan Rockoff said.
	   ``Though it may sound like a copycat of (the movie) `WarGames,' 
things like this are happening in our society,'' Rockoff said, accusing 
the youths of obtaining thousands and ``possibly millions'' of dollars
in telephone and informational services.
	   A spokesman for American Telephone & Telegraph Co. said there was 
no indication that any of its satellites had been moved, or that even an
attempt to move them was made.
	   Assistant Prosecutor Frank Graves said investigators still had
``six more computers and 9 million floppy discs'' to look through.
	   ``We had 300 names in one computer and we charged seven,'' Graves 
said. ``We have no idea what's in the other computers and won't know for
a while.''
	   The youths, whose names were withheld because of their ages, are
charged with juvenile delinquency by reason of conspiracy to commit 
theft.
	   South Plainfield police detective George Green said four of the 
defendants operated electronic bulletin boards, which are used for the
exchange of legitimate information by hundreds of people. 
	   The youths also had a special code that provided illegal access to
restricted information, Green said, and only those who used these parts 
of the bulletin boards were arrested. 
	   Rockoff said the investigation began in April when postal officials 
informed the South Plainfield police that someone using a post office 
box under a fictitious name apparently had been using a computer to gain
illegal access to the computer of a Connecticut credit company. 
	   Rockoff turned over the results of the investigation to the Secret
Service since the bulletin boards contained telephone numbers in a
military defense communications system in the Defense Department, The 
New York Times reported Wednesday.
	   Plainfield patrolman Michael Grennier, a computer expert, said the
youths also were able to break into an American Telephone & Telegraph 
computer after obtaining a manual from an AT&T trash bin.
	   The investigation led to a South Plainfield youth, whose computer 
was seized in June. After Grennier and Green spent about 100 hours
looking through his computer, the other six were arrested Friday -- in 
Hillsdale, Westwood, Warren Township, Martinsville, Dover and Edison. 
	   But Jeffrey Fogel of the ACLU office in Newark said the Dover 
youth, whom he declined to identify, was unfairly singled out.
	   ``He has an electronic bulletin board and arresting him and seizing 
his computer amounts to seizing a printing press,'' Fogel said. ``It
would be like if someone put a stolen credit card number in a newspaper 
classified. Would you close down the newspaper?'' 

NEW HACKER CASE RAISES FEARS: 
  Computer hackers "have the capability of doing a great deal of
damage," says Rep. William J. Hughes, D-N.J., commenting on the 
case of 7 N.J. youths charged with breaking into Pentagon computers 
and stealing satellite codes. Hughes is sponsoring federal computer 
crime bills to help fight the problem. (USA TODAY, July 18, P.1A) 

KAYPRO WINS PC COMPARISON:
  The Kaypro IIx personal computer is the best machine for home use 
costing less than $1,500, says Consumer Reports. It beat the Apple
IIe Professional and the discontinued TRS-80 Model 4P. Kaypro was 
picked for its disk capacity (800 kilobytes) and the large amount 
of software that comes with it. (Consumer Reports, August, P.467) 

COMPUTER CALLS ABSENT STUDENTS: 
  Kettering, Ohio, school officials are using a Texas Instruments 
computer to call the homes of absent students as part of the
state's Missing Children Act. System makes 75 calls an hour.
Computer voice tells parents their child is absent and asks for a 
response, which is recorded like an answering machine. (USA TODAY,
P.5B) 

From
PR NEWSWIRE
Thursday  July 18, 1985

DOWTY ELECTRONICS SAFEGUARDS U.K. DEFENSE SECRETS 
 
            UK "SHOULD BE SAFE" FROM DATABASE BURGLARS
    NEWBURY, England, July 18 /PRNewswire/ -- British Ministry of 
Defence secrets need never be at risk from home computer "hackers" -- 
microchip technology's equivalent of cat burglars -- an electronics 
expert claimed today. 
    Following disclosures of teenage hackers breaking into military 
information banks at the Pentagon -- the U.S Defense Department 
headquarters -- Bruce Brain, general manager and director of Dowty
Electronics' Information Technology Division, said:  "It need never 
happen here." 
    The U.K. faced similar problems to America, said Brain. "But the
introduction of Dowty's 'Horatius' dialback data security system -- 
an anti-hacker box -- means that no-one would be able to break into 
sensitive or confidential databases, even with the knowledge of 
ex-directory phone numbers. 
    "Horatius allows only authorized users to access a computer 
system, and they must also call from a pre-cleared phone number 
within an agreed time-frame," he explained. 
    Horatius -- designed and manufactured in the U.K. -- is selling 
well, says Dowty, which is currently negotiating to introduce the 
system to the U.S.A through its New Jersey-based subsidiary, Dowty
RFL Inc.

PAPER FINDS 2 HACKER BOARDS:
  2 electronic bulletin boards have been found to contain access
codes for computers at military, research facilities. The boards,
"Fatland" and "Dark Side of the Moon," both based in Virginia,
held access numbers for the Naval Ship R&D Center, NASA's Ames
Research Center. No arrests reported. (Online Today)

NEW JERSEY HACKER CASE MAY BE A TEST
OF SYSOPS' FREE SPEECH PROTECTION

     The attorney for one of seven New Jersey teenagers charged
with conspiring to use their computers to exchange stolen credit card numbers
and make free long-distance calls says he will argue that his client is
protected by the constitutional guarantee of free speech.
     Jeffrey E. Fogel, executive director of the New Jersey chapter of
the American Civil Liberties Union, told BULLETIN BOARD SYSTEMS that he and an
associate will defend a teenager who operated the Private Sector BBS.
     "We are relying on his representation that all he did was run
a bulletin board, that he didn't make calls or use stolen credit card
numbers," Fogel said. If that is true, he added, "I don't think there is
any liability."
     The defendants, all under 18, were charged July 16 with juvenile
delinquency based on an underlying charge of conspiracy to commit theft.
Police confiscated the computers and software of some of the defendants.
     Middlesex County Prosecutor Alan A. Rockoff told reporters
that the individuals exchanged information that would allow them to access
commercial computers without authorization and that some of them had codes that
could cause communications satellites to ''change position.''
However, spokesmen for AT&T and other carriers said their
systems are secure and denied that any satellites had been moved.
     Rockoff said the investigation began in April when postal
officials informed police that someone using a post office box
under a fictitious name apparently had been using a computer
to gain illegal access to the computer of a Connecticut credit
company.
     Fogel said he believes that the prosecution will have to show that
his client actually used the credit card numbers or telephone access codes
to prove his case. Allowing the information to be posted on his client's
bulletin board, he said, is not a criminal act.
     "There's nothing illegal about those messages being there," he said.
     "Let's say you find an AT&T calling card on the street and you put an
ad (listing the number) in the New York Times. I'm confident that the
New York Times is not liable.
     "Bulletin boards are the same as a free press," Fogel said. "They are
like electronic magazines in which the users can publish what they choose."
     Fogel drew an analogy to two well-known free press cases: the
publication of plans for a hydrogen bomb in Progressive magazine and
publication of the Pentagon Papers by the Times.
     "What really gets me upset in this case is they seized the
'printing press.' I don't think they had the right to seize his
computer," Fogel said.
     The concept of First Amendment protection for bulletin board
operators has yet to be tested in court. Last year Los Angeles
sysop Tom Tcimpidis was charged with telephone fraud when Pacific Bell
investigators found a calling card number posted on his BBS. But the charges
were dropped in February before the case came to trial.
     Rockoff said his case is the first major prosecution under
recent New Jersey law that makes it a crime to obtain data
from a computer without authorization.


COMPUTER LAWS VARY FOR STATES:
  Computer break-ins catch states with varying laws. Example:
Tapping into computer is felony in California, but no N.Y. law
rules "hacker" abuse, except federal statutes on interstate
information theft. UCLA student who tapped N.Y. college system
faces prison for "malicious computer entry" under Calif. law.
(Gannett News Service)

L.A. Times, Tuesday, September 3, 1985  San Diego Section (Editorials)
----------------------------------------------------------------------
``Garbage In, Garbage Out''

     Many people have worried for years about what will happen when government
finds a big computer that can catalogue everything about everybody.  Every scrap
of information - true or false - would then be available at a push of a button.
That day is not here yet, but experience with the FBI's National Crime
Information Center, the nation's centralized computer data-base, indicates that such
fears for the future are not groundless.
     A continuing series of FBI audits of the data base has found that it sends
12,000 false or inaccurate reports on individual suspects every day to law-
enforcement agencies around the country.  It's not really the FBI's fault.  The
erroneous information that the computer spews out was put in by state and local
law enforcers in the first place.  There appears to be not much quality control
in crime information, and, as one of the oldest lines in computerdom asserts,
``Garbage in, garbage out.''
     But the information in that computer is more than accounting data or the 
marketing forecasts of strategic planners.  This is vital personal information
that affects people's lives.  There have been cases, and not just a few of them,
in which the wrong person has been arrested and jailed because of bad
information from a computer.  Police officers are more likely to take the word of the
FBI's computer than of a person who claims it's all a mistake.
     About 62,000 criminal-justice agencies throughout the country seek
information from the FBI's crime computer nearly 500,000 times a day.  The FBI says
that a 2.4% error ratio isn't so bad when you consider that the system results
in the apprehension of more than 70,000 wanted felons a year.  Tell that to 
people that have erroneous information about them sent to the local cops.
     And the police are not the only ones who get this information.  A growing
number of employers, such as day-care centers and schools, also use the FBI
crime computer to run background checks on prospective employees.  There is a
legitimate social need to do that, but, if the information is wrong, a person's
livelihood, career, and reputation may be irreparably damaged.
     As with many ills, it is easier to describe the problem than to fix it.
But it's clear that the accuracy of the information maintained by the FBI needs
more scrutiny.
     Rep. Charles E. Schumer (D-N.Y.) has proposed giving the states more money
to beef up their record-keeping.  That would help.  But no amount of
effort and attention can ever eliminate all errors from a human system.  People
have always made mistakes, and always will make mistakes.  The trouble is that
the computer makes it possible to give those mistakes nationwide distribution.
     Still, things can be improved, and it is vital to the FBI and to all law
enforcement that they be improved.  The future of the National Information 
Center depends on reducing the error rate so that both the police and the 
public are confident that information obtained from the computer is correct.
-------------------------------------------------------------------------------
Dutifully typed by Henry Spire, C.I.A.
-------------------------------------------------------------------------------

              LAWYERS' MICRO USERS GROUP NEWSLETTER
                         September, 1985

COMPUTER SECURITY -- DIGITAL PATHWAY'S SECURENET FAMILY OF PRODUCTS

Computer security is on everyone's mind these days. Recently, hackers had
at it on several BBS's in the Chicago area.  And we read almost daily about
Hacker attacks on governmental and/or financial institution computers.
Digital Pathways Inc. at 1060 East Meadow Circle, Palo Alto, California
94303 (415) 493-5544, through its Defender II family of products provides a
unified approach to preventing unauthorized dial-in access to computers. One
of these units is installed between your computer and the telephone line.
There is a dial-in/call back feature, so when someone dials up your
computer, this device calls the proper telephone number of the caller back.
A synthesized voice answers each call-in and requests the caller's ID.  The
ID is entered via Touch Tone.  If the ID is valid, the system looks up the
parameters of the user and arranges for a call-back.  Prices start at $3,600
at quantity one.  Although not inexpensive for a small BBS operation,
obviously a law firm using a computer for client contact and/or for lawyers
to call in from remote locations should seriously consider this kind of
investment.
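
The dial-back check that the Horatius and Defender II descriptions above outline, as an added Python sketch (not from the newsletter or either vendor): the unit looks up the caller's ID, enforces the agreed time-frame, and dials only the number on file. The IDs, phone numbers, time windows and all names in the code are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Dict, List, NamedTuple, Optional


class Decision(NamedTuple):
    action: str              # "CALLBACK" or "HANGUP"
    number: Optional[str]    # number the unit dials; None when it hangs up
    reason: str


@dataclass(frozen=True)
class UserRecord:
    callback_number: str     # pre-cleared number on file for this ID
    window_start: time       # start of the agreed time-frame
    window_end: time         # end of the agreed time-frame (exclusive)


def in_window(now: time, start: time, end: time) -> bool:
    """True if `now` falls inside the window, including overnight windows."""
    if start <= end:
        return start <= now < end
    return now >= start or now < end     # window wraps past midnight


@dataclass
class DialBackUnit:
    directory: Dict[str, UserRecord]
    audit_log: List[str] = field(default_factory=list)

    def handle_call(self, user_id: str, when: datetime,
                    claimed_number: Optional[str] = None) -> Decision:
        rec = self.directory.get(user_id)
        if rec is None:
            decision = Decision("HANGUP", None, "unknown-id")
        elif not in_window(when.time(), rec.window_start, rec.window_end):
            decision = Decision("HANGUP", None, "outside-window")
        else:
            # The unit dials only the number on file. Anything the caller
            # says about where they are is never used as a dial target.
            decision = Decision("CALLBACK", rec.callback_number, "ok")
        note = ""
        if rec and claimed_number and claimed_number != rec.callback_number:
            note = " claimed-number-mismatch"   # worth a second look by staff
        # Every attempt is recorded, accepted or not, so there is a trail.
        self.audit_log.append(
            f"{when.isoformat()} id={user_id} "
            f"{decision.action} {decision.reason}{note}")
        return decision


# Constructed sample directory (IDs and numbers are made up).
SAMPLE_DIRECTORY = {
    "4417": UserRecord("555-0142", time(8, 0), time(18, 0)),
    "9020": UserRecord("555-0177", time(22, 0), time(6, 0)),  # overnight
}

if __name__ == "__main__":
    unit = DialBackUnit(SAMPLE_DIRECTORY)
    unit.handle_call("4417", datetime(1985, 9, 3, 9, 30))
    unit.handle_call("4417", datetime(1985, 9, 3, 23, 0))
    unit.handle_call("4417", datetime(1985, 9, 3, 10, 0), "555-0199")
    unit.handle_call("0000", datetime(1985, 9, 3, 10, 0))
    for line in unit.audit_log:
        print(line)
```
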

THE HACKERS - FROM CURIOUS TO CRIMINAL

The original computer hackers who broke into databases and networks were
careful to leave no traces of their entry and not to disturb the data.  This
soon changed as less sophisticated and more malicious computer hackers came
on the scene.

The malicious Hacker horror stories have filled newspapers and magazines for
over a year.  Often the less responsible computer "Hackers" prowl the
electronic alleyways at night, when many firms leave their computer systems
on and attached to phone lines to transmit large blocks of data when the
phone rates are cheaper.  With nobody in the office, penetration of data
bases which lack proper security is often only a matter of time and
patience.

Some Hackers have been amazed to discover that firms which have installed
password protection schemes to prevent unauthorized access have failed to
change the original password which came with the system - "PASSWORD."  What
can happen if your system is easy to penetrate?  While not all Hackers are
data thieves or vandals, some few malicious modem miscreants have been known
to penetrate a computer system and not only steal but also scramble the
data.

Imagine switching on your terminal one morning only to discover 300 pages
of text had been transformed into a series of seemingly random numbers?

As is often the case, the best sense of Hacking and Hacker morality comes
from the literature of that subculture itself.  Here are excerpts from three
articles in a recent issue (Number 91!) of the original newsletter for
Hackers and "Phone Phreaks" called, appropriately, "TAP: The Hobbyist's
Newsletter for the Communications Revolution."

                            Dunn and Bradstreet:
                    Do they know something that we don't

                          by BIOC Agent 003 & Tuc

In issue #90, we explained how to use the Dunn and Bradstreet system (which
is now known as Dunsprint).  A week after the issue was mailed a phellow
phreak found out that a copy of the issue had fallen into the hands of our
"friends" at D & B.  To say the least, they weren't exactly thrilled about
it.  In fact, they did not even believe that they had a security problem!
Well, that just goes to prove that if you are good (or they are incredibly
stupid, whichever the case may be) no one will know that you are there!

In a big effort to defeat hackers, they called in an outside service to
spruce up their "security."  Fortunately for us, we were able to find out
about the new system!  This was really not a problem, though.  First,
they had the new dial-ups posted when you logged on. Secondly, they have a
nice little place on Telenet!  (Where we do most of our "work"--[deleted])

                  Sorry D & B ....Good news travels fast!

                A lesson in Phreaking and Hacking Morality:
                               by Big Brother

I find it truly discouraging when people, intelligent people seeking
intellectual challenges, must revert to becoming common criminals.  The
fine arts of hacking and boxing have all but died out. Though you
newcomers, you who have appeared on the scene in the last year or two, may
not realize it, we had it much better.  People didn't recognize our
potential for destruction and damage because we never flaunted it, nor did
we exercise it.

For hacking, it was the intellectual challenge which drove us to do it.  The
thrill of bypassing breaking through someone's computer security was
tremendous.  It wasn't a case of getting a password from a friend, logging
on, and destroying an entire database.  We broke in for the challenge of
getting in and snooping around WITHOUT detection.  We loved the potential
for destruction that we gave ourselves but never used.

Today, after so much publicity, the fun has turned to true criminality.
Publicity we have received is abhorring.  From WarGames to the headlined
October Raids, to the 414's, the Inner Circle, Fargo 4A, and the recent NASA
breakins--not to mention all the local incidents that never made the big
newspapers, like breakins at school computers or newspaper computers.  TRW
credit information services claims hackers used the three stolen accounts to
aid them in abusing stolen credit cards.  The thrill of entering and looking
around has shifted to criminal practicality--how can I make my bank account
fatter--how may I use this stolen credit card to its fullest--how could I
take revenge upon my enemies.




                   by Cheshire Catalyst, Managing Editor

The corporate types should realize that if a teenaged hacker is getting into
their system, an industrial spy could have logged in regularly for the past
3 years.  While I may not particularly care for a TRW or [Citibank] having
"Confidential information" about me, I especially don't like the idea of
unauthorized people spreading the data around.

There are no quick answers, because computer security is not just a matter
of hardware, software, locks, and walls.  Security is a people problem.
When you put in locks, you watch the people you give the keys to (notice an
analogy to encryption here).  If these people FEEL they're being watched,
they may get "disgruntled".  Needless to say, a disgruntled employee is
worse than almost anything else you could be combating.

Any of our corporate subscribers who would like to wake up their management
to the vulnerabilities of computer systems should be made aware that I am
available for lectures and consulting.  Just drop me a line at the TAP
maildrop, or via MCI Mail (username: TAP), or telex number 650-119-5732.



SUGGESTED PRACTICES TO FOLLOW FOR COMPUTER SECURITY

In light of the importance of a password, the following practices should be
followed by every user of a multiuser computer system.

1. DON'T USE A LOGICAL PASSWORD THAT IS EASY TO FIGURE OUT. Someone intent
on impersonating you will try the easy password guesses first. For example,
I would never use a password consisting of any part of my name or a close
family member's name, my address, my auto license, etc. This information is
too easy to obtain and if an imposter has targeted you as his "doorway" to
the system, he or she can probably get this information. Use a password that
is a combination of letters and numbers that are only meaningful to
you (for example, your phone number converted to the first letter assigned
to each number on the telephone. Please do not use this method now that it
has been published).

2. CHANGE YOUR PASSWORD OFTEN. If your password remains the same for a long
period of time, the odds that a persistent imposter will hit upon it are
greatly decreased. Again, don't get lazy and change your password to one
that violates the first consideration.

3. NEVER GIVE YOUR PASSWORD TO ANOTHER USER OR ENTER IT INTO A SYSTEM IF YOU
ARE UNCERTAIN AS TO THE REASON FOR THE REQUEST.  Otherwise, you may have
given someone else the irrevocable authority to act on your behalf.
Furthermore, because of the nature of computer systems, you cannot prove
that your "agent" was not you. You are initially responsible for everything
that that person does while acting as you. There are several methods used by
imposters or hackers to acquire a valid user's password directly from the
user.  One method is to use a system's communications mode to send a
message to another user. This method causes some form of message to appear
on the user's screen indicating that something technically meaningless has
occurred and the user should reenter the password. The hacker then watches
what the user types. Another method involves setting up a program which
follows the same technique as above, but the program then stores the
password in a file and the hacker will check for a password later. A
recently used method is to set up a system to collect passwords. This
recently happened in the Chicago area when a bulletin board was set up by
hackers. It gave the appearance of legitimacy, but was later used by the
hackers to access other systems because their users had the same password on
several systems. Which leads to the last rule of password usage.

4. NEVER USE THE SAME PASSWORD ON DIFFERENT COMPUTERS. Using the key analogy
above, if all of the locks on your personal possessions have the same key,
you wouldn't entrust that key to anyone. Why use the same password on
several systems? If you do, you run the risk that someone will get your
password and then use that information to access all of the systems you
access. You will soon be unwelcome on several systems (if not a suspect in a
computer crime case).
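
An added Python example, not part of the original newsletter, that audits one user's own passwords against rules 1 and 4 above, plus the factory-default "PASSWORD" and the published phone-keypad scheme the article warns about. The profile, system names and passwords are constructed, and leaving 0 and 1 as digits (those keys carry no letters) is an assumption.

```python
import re
from collections import defaultdict

# First letter printed on each telephone key; 0 and 1 carry no letters,
# so they are left as digits here (an assumption, see lead-in).
KEYPAD_FIRST = {"2": "A", "3": "D", "4": "G", "5": "J",
                "6": "M", "7": "P", "8": "T", "9": "W"}


def keypad_first_letters(phone: str) -> str:
    """Phone number rewritten with the first letter on each key."""
    digits = re.sub(r"\D", "", phone)
    return "".join(KEYPAD_FIRST.get(d, d) for d in digits)


def personal_tokens(profile: dict) -> set:
    """Upper-cased pieces of name, address, plate, phone (4+ chars)."""
    tokens = set()
    for value in profile.values():
        for tok in re.findall(r"[A-Za-z0-9]+", value):
            if len(tok) >= 4:          # shorter pieces cause false alarms
                tokens.add(tok.upper())
    digits = re.sub(r"\D", "", profile.get("phone", ""))
    if digits:
        tokens.add(digits)
    return tokens


def audit(passwords_by_system: dict, profile: dict) -> dict:
    """Return {system: sorted findings} for every password with a problem."""
    findings = defaultdict(set)
    tokens = personal_tokens(profile)
    keypad = keypad_first_letters(profile.get("phone", ""))
    systems_by_password = defaultdict(list)

    for system, password in passwords_by_system.items():
        norm = re.sub(r"[^A-Za-z0-9]", "", password).upper()
        if norm == "PASSWORD":                      # shipped default
            findings[system].add("default")
        if any(tok in norm for tok in tokens):      # rule 1
            findings[system].add("personal-info")
        if keypad and keypad in norm:               # the published scheme
            findings[system].add("keypad-scheme")
        systems_by_password[password].append(system)

    for systems in systems_by_password.values():    # rule 4
        if len(systems) > 1:
            for system in systems:
                findings[system].add("reused")
    return {system: sorted(found) for system, found in findings.items()}


# Constructed sample data: a made-up user and made-up passwords.
SAMPLE_PROFILE = {
    "name": "Carmen Quimby",
    "address": "12 Elm Street",
    "license": "KXR482",
    "phone": "555-0142",
}
SAMPLE_PASSWORDS = {
    "office-vax": "quimby85",
    "law-bbs": "JJJ01GA",
    "chicago-bbs": "JJJ01GA",
    "billing": "password",
    "research": "v7#Lr2q!mX",
}

if __name__ == "__main__":
    for system, found in audit(SAMPLE_PASSWORDS, SAMPLE_PROFILE).items():
        print(f"{system}: {', '.join(found)}")
```
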

VIRGINIA LAW HELPS SYSOP GET REVENGE
 
        A Virginia sysop used a new state computer crime law to help prosecute
a teenage hacker who invaded and vandalized his bulletin board. 
        Allen Knapp runs Washington Networks from his home in Vienna, VA, and 
charges $10 for a system password. Last January, Knapp's board got a call from
a 14-year-old Montgomery County, MD, youth who used the handle Phineas Phreak.
        According to Knapp, Phineas discovered Knapp's own password and 
obtained access to the system files and operating program. The caller erased
part of the board's stored files and transferred others to his own computer.
The youth then called Knapp's answering machine and made several demands for
the return of the files.
        However the answering machine tape allowed the Chesapeake & Potomac 
Telephone Co. to trace the call.
        The boy was charged with a misdemeanor under a section of Virginia's
computer crime law that is designed to discourage erasing or altering computer
data. He was allowed to plead "not innocent" and was sentenced last month 
to one year probation and ordered to pay Knapp $300 for the damages.
        Knapp estimated that the files the boy erased or stole represented
about 180 hours of work.



MENSA BBS SEEKS SMART CALLERS 
 
        Most sysops check out applicants by verifying their names and 
telephone numbers. But on the MENSA BBS in Palm Beach, FL, callers face a 
much tougher screening. 
        All registered users must be members of Mensa, Intertel or the
Triple Nine Society to receive full system access.
        Mensa is an international society in which the sole requirement for 
membership is a score at or above the 98th percentile on any of a number of 
standard IQ tests. Qualification for membership may be determined by tests
administered by Mensa or by submission of properly certified prior evidence 
to American Mensa, Ltd., 1701 West 3rd Street, Brooklyn, NY 11223. 
        INTERTEL, Inc., PO BOX 15580, Lakewood, Co., 80215, is a similar
organization that requires members to score in the 99th percentile or above on
IQ tests. The Triple Nine Society, 463 Beacon St., Boston, MA, 02115, sets
its standards even higher: the 99.9th percentile. 
        "Please do not harass us if you do not qualify for access," say 
Molly and "Pops," the board's sysops.
        The system does invite amateur radio operators to also call in (use 
your call sign to log in) and anyone who sends $100 to Connelly Corporation,
Box 1164, Palm Beach FL 33480 also can join.
        Members are invited to swap software and generally get to know each 
other through the public message section. 
        The board also serves as a convenient advertising medium for Pops'
classic cars. Among the bargains listed are a 1959 Corvette Roadster for
$19,500; a 1962 Corvette Coupe, for $14,500 or a 1963 Corvette convertible. 
        The BBS, a modified RBBS-PC, is open 24 hours at 300, 1200 or 2400
baud. The number is 305-842-1861. You also can catch Molly on The Source, 
ST7783.