473 lines
25 KiB
Text
473 lines
25 KiB
Text
==Phrack Inc.==
|
|
|
|
Volume Two, Issue 22, File 12 of 12
|
|
|
|
PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
|
|
PWN PWN
|
|
PWN P h r a c k W o r l d N e w s PWN
|
|
PWN ~~~~~~~~~~~ ~~~~~~~~~ ~~~~~~~ PWN
|
|
PWN Issue XXII/Part 4 PWN
|
|
PWN PWN
|
|
PWN Created by Knight Lightning PWN
|
|
PWN PWN
|
|
PWN Written and Edited by PWN
|
|
PWN Knight Lightning and Taran King PWN
|
|
PWN PWN
|
|
PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
|
|
|
|
|
|
Networks Of Computers At Risk From Invaders December 3, 1988
|
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
By John Markoff (New York Times)
|
|
|
|
Basic security flaws similar to the ones that let intruders gain illegal entry
|
|
to military computer networks in recent weeks are far more common than is
|
|
generally believed, system designers and researchers say.
|
|
|
|
And there is widespread concern that computer networks used for everyday
|
|
activities like making airline reservations and controlling the telephone
|
|
system are highly vulnerable to attacks by invaders considerably less skilled
|
|
than the graduate student whose rogue program jammed a nationwide computer
|
|
network last month.
|
|
|
|
For example, the air traffic control system could be crippled if someone
|
|
deliberately put wrong instructions into the network, effectively blinding
|
|
controllers guiding airplanes.
|
|
|
|
The two recent episodes have involved military computers: One at the Mitre
|
|
Corporation, a company with Pentagon contracts, and the other into Arpanet, a
|
|
Defense Department network with links to colleges. But illegal access to
|
|
computer systems can compromise the privacy of millions of people.
|
|
|
|
In 1984, TRW Inc. acknowledged that a password providing access to 90 million
|
|
credit histories in its files had been stolen and posted on a computerized
|
|
bulletin board system. The company said the password may have been used for as
|
|
long as a month.
|
|
|
|
This year an internal memorandum at Pacific Bell disclosed that sophisticated
|
|
invaders had illegally gained access to telephone network switching equipment
|
|
to enter private company computers and monitor telephone conversations.
|
|
|
|
Computer security flaws have also been exploited to destroy data. In March
|
|
1986 a computer burglar gained access by telephone to the office computer of
|
|
Rep. Ed Zschau of California, destroyed files and caused the computer to break
|
|
down. Four days later, staff workers for Rep. John McCain of Arizona, now a
|
|
senator, told the police they had discovered that someone outside their office
|
|
had reached into McCain's computer and destroyed hundreds of letters and
|
|
mailing addresses.
|
|
|
|
In Australia last year, a skilled saboteur attacked dozens of computers by
|
|
destroying an underground communication switch. The attack cut off thousands
|
|
of telephone lines and rendered dozens of computers, including those at the
|
|
country's largest banks, useless for an entire day.
|
|
|
|
Experts say the vulnerability of commercial computers is often compounded by
|
|
fundamental design flaws that are ignored until they are exposed in a glaring
|
|
incident. "Some vulnerabilities exist in every system," said Peter Neumann, a
|
|
computer scientist at SRI International in Menlo Park, California. "In the
|
|
past, the vendors have not really wanted to recognize this."
|
|
|
|
Design flaws are becoming increasingly important because of the rapidly
|
|
changing nature of computer communications. Most computers were once isolated
|
|
from one another. But in the last decade networks expanded dramatically,
|
|
letting computers exchange information and making virtually all large
|
|
commercial systems accessible from remote places. But computer designers
|
|
seeking to shore up security flaws face a troubling paradox: By openly
|
|
discussing the flaws, they potentially make vulnerabilities more known and thus
|
|
open to sabotage.
|
|
|
|
Dr. Fred Cohen, a computer scientist at the University of Cincinnati, said most
|
|
computer networks were dangerously vulnerable. "The basic problem is that we
|
|
haven't been doing networks long enough to know how to implement protection,"
|
|
Cohen said.
|
|
|
|
The recent rogue program was written by Robert Tappan Morris, a 23-year-old
|
|
Cornell University graduate student in computer science, friends of his have
|
|
said. The program appears to have been designed to copy itself harmlessly from
|
|
computer to computer in a Department of Defense network, the Arpanet. Instead
|
|
a design error caused it to replicate madly out of control, ultimately jamming
|
|
more than 6,000 computers in this country's most serious computer virus attack.
|
|
|
|
For the computer industry, the Arpanet incident has revealed how security flaws
|
|
have generally been ignored. Cohen said most networks, in effect, made
|
|
computers vulnerable by placing entry passwords and other secret information
|
|
inside every machine. In addition, most information passing through networks
|
|
is not secretly coded. While such encryption would solve much of the
|
|
vulnerability problem, it would be costly. It would also slow communication
|
|
between computers and generally make networks much less flexible and
|
|
convenient.
|
|
|
|
Encryption of data is the backbone of security in computers used by military
|
|
and intelligence agencies. The Arpanet network, which links computers at
|
|
colleges, corporate research centers and military bases, is not encrypted.
|
|
|
|
The lack of security for such information underscored the fact that until now
|
|
there has been little concern about protecting data.
|
|
|
|
Most commercial systems give the people who run them broad power over all parts
|
|
of the operation. If an illicit user obtains the privileges held by a system
|
|
manager, all information in the system becomes accessible to tampering.
|
|
|
|
The federal government is pushing for a new class of military and intelligence
|
|
computer in which all information would be divided so that access to one area
|
|
did not easily grant access to others, even if security was breached. The goal
|
|
is to have these compartmentalized security systems in place by 1992.
|
|
|
|
On the other hand, one of the most powerful features of modern computers is
|
|
that they permit many users to share information easily; this is lost when
|
|
security is added.
|
|
|
|
In 1985 the Defense Department designed standards for secure computer systems,
|
|
embodied in the Orange Book, a volume that defines criteria for different
|
|
levels of computer security. The National Computer Security Center, a division
|
|
of the National Security Agency, is now charged with determining if government
|
|
computer systems meet these standards.
|
|
|
|
But academic and private computer systems are not required to meet these
|
|
standards, and there is no federal plan to urge them on the private sector. But
|
|
computer manufacturers who want to sell their machines to the government for
|
|
military or intelligence use must now design them to meet the Pentagon
|
|
standards.
|
|
|
|
Security weaknesses can also be introduced inadvertently by changes in the
|
|
complex programs that control computers, which was the way Morris's program
|
|
entered computers in the Arpanet. These security weaknesses can also be
|
|
secretly left in by programmers for their convenience.
|
|
|
|
One of the most difficult aspects of maintaining adequate computer security
|
|
comes in updating programs that might be running at thousands of places around
|
|
the world once flaws are found.
|
|
|
|
Even after corrective instructions are distributed, many computer sites often
|
|
do not close the loopholes, because the right administrator did not receive the
|
|
new instructions or realize their importance.
|
|
_______________________________________________________________________________
|
|
|
|
Computer Virus Eradication Act of 1988 December 5, 1988
|
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
The following is a copy of HR-5061, a new bill being introduced in the House by
|
|
Wally Herger (R-CA) and Robert Carr (D-Mich.).
|
|
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
|
|
100th Congress 2D Session H.R. 5061
|
|
|
|
To amend title 18, United States Code, to provide penalties for persons
|
|
interfering with the operations of computers through the use of programs
|
|
containing hidden commands that can cause harm, and for other purposes.
|
|
|
|
IN THE HOUSE OF REPRESENTATIVES July 14, 1988
|
|
Mr. Herger (for himself and Mr. Carr) introduced the following bill; which was
|
|
referred to the Committee on the Judiciary
|
|
|
|
A BILL
|
|
To ammend title 18, United States Code, to provide penalties for persons
|
|
interfering with the operations of computers through the use of programs
|
|
containing hidden commands that can cause harm, and for other purposes.
|
|
|
|
- - -
|
|
|
|
Be it enacted by the Senate and House of Representatives of the United States
|
|
of America in Congress assembled,
|
|
|
|
SECTION 1. SHORT TITLE.
|
|
This Act may be cited as the "Computer Virus Eradication Act of
|
|
1988".
|
|
|
|
SECTION 2. TITLE 18 AMENDMENT.
|
|
(A) IN GENERAL.- Chapter 65 (relating to malicious mischief) of
|
|
title 18, United States Code, is amended by adding at the end the
|
|
following:
|
|
|
|
S 1368. Disseminating computer viruses and other harmful computer
|
|
programs
|
|
(a) Whoever knowingly --
|
|
(1) inserts into a program for a computer information or commands,
|
|
knowing or having reason to believe that such information or
|
|
commands will cause loss to users of a computer on which such
|
|
program is run or to those who rely on information processed
|
|
on such computer; and
|
|
(2) provides such a program to others in circumstances in which
|
|
those others do not know of the insertion or its effects; or
|
|
attempts to do so, shall if any such conduct affects
|
|
interstate or foreign commerce, be fined under this title or
|
|
imprisoned not more than 10 years, or both.
|
|
(b) Whoever suffers loss by reason of a violation of subsection (a)
|
|
may, in a civil action against the violator, obtain appropriate
|
|
relief. In a civil action under this section, the court may
|
|
award to the prevailing party a reasonable attorney's fee and
|
|
other litigation expenses.
|
|
|
|
|
|
(B) CLERICAL AMENDMENT.- The table of sections at the begining of
|
|
chapter 65 of title 18, United States Code, is amended by adding at
|
|
the end the following:
|
|
S 1368. Disseminating computer viruses and other harmful computer
|
|
programs.
|
|
|
|
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
|
|
NOTE: The above text was typed in by hand from a printed copy of HR5 061.
|
|
There is a possibility that there may be typographical errors which
|
|
could affect the nature of the bill.
|
|
|
|
For an official copy of the bill, please contact:
|
|
|
|
Mr. Doug Riggs
|
|
1108 Longworth Bldg
|
|
Washington D.C. 20515
|
|
|
|
Information Presented by
|
|
Don Alvarez of the MIT Center For Space Research
|
|
_______________________________________________________________________________
|
|
|
|
Virus Conference In Arlington, Virginia December 5, 1988
|
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
Entitled "Preventing and Containing Computer Virus Attacks", it takes place
|
|
January 30-31, in Arlington, VA. Speakers include Representative Wally Herger
|
|
(R-CA), a special agent from the FBI, John Landry (ADAPSO virus committee
|
|
chairman), Patricia Sission from NASA, as well as a collection of attorneys and
|
|
business folk. The conference is chaired by Dave Douglass, no information
|
|
provided. It supposedly costs $695.
|
|
|
|
The address provided is:
|
|
|
|
United Communications Group
|
|
4550 Montgomery Avenue
|
|
Suite 700N
|
|
Bethesda, MD 20814-3382
|
|
|
|
|
|
Information Provided By Gregg Tehennepe
|
|
_______________________________________________________________________________
|
|
|
|
New York Times Reviews Novel About Computer Sabotage December 7, 1988
|
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
The Sunday, December 4, 1988 issue of the New York Times Book Review (their
|
|
Christmas Books issue) prominently reviews a new novel, 'Trapdoor,' by Bernard
|
|
J. O'Keefe. The premise (from the review by Newgate Callender, NYT's crime
|
|
fiction reviewer):
|
|
|
|
"A brilliant American woman of Lebanese descent has developed the computer code
|
|
that controls the operation of all our nuclear devices. Turned down for the
|
|
job she has sought, convinced male chauvinism is the reason, she is ripe to be
|
|
conned by a Lebanese activist. At his suggestion she inserts a virus into the
|
|
computer system that in a short time will render the entire American nuclear
|
|
arsenal useless. ... The Lebanese President ... demands that Israel withdraw
|
|
from the West Bank, or else he will tell the Russians that the United States
|
|
will lie helpless for a week or so."
|
|
|
|
Callender's review begins with the lead sentence, "November 2, 1988, was the
|
|
day computers in American went mad, thanks to the 'virus' program inserted by
|
|
the now-famous, fun-loving Robert T. Morris, Jr."
|
|
|
|
Some background on the author, also from the review:
|
|
|
|
"Bernard J. O'Keefe (is) chairman of the high-tech company EG&G and of an
|
|
international task force on nuclear terrorism ... (and is) the author
|
|
of a nonfiction book called 'Nuclear Hostages.' O'Keefe says, "I wrote this
|
|
parable to point out the complexity of modern technology and to demonstrate
|
|
how one error, one misjudgment, or one act of sabotage could lead to actions
|
|
that would annihilate civilization.""
|
|
|
|
Callender also says "...the execution is less brilliant than the idea. The
|
|
book has the usual flashbacks, the usual stereotyped characters, the usual
|
|
stiff dialogue."
|
|
|
|
Although the reviewer doesn't say so, the premise of this novel is quite
|
|
similar to a 1985 French thriller, published in the U.S. as 'Softwar.' That
|
|
novel was also based on the idea that a nation's arsenal could be completely
|
|
disabled from a single point of sabotage, although in 'Softwar' it was the
|
|
Soviet Union on the receiving end. Popular reviewers of both books apparently
|
|
find nothing implausible in the premise.
|
|
_______________________________________________________________________________
|
|
|
|
Hacker Enters U.S. Lab's Computers December 10, 1988
|
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
By Thomas H. Maugh II (Los Angeles Times Service)
|
|
|
|
A computer hacker has entered computers at the government's Lawrence Livermore
|
|
Laboratory in the San Francisco Bay area eight times since last Saturday, but
|
|
has not caused any damage and has not been able to enter computers that contain
|
|
classified information, Livermore officials said Friday. [Do they ever admit
|
|
to anyone gaining access to classified data? -KL]
|
|
|
|
Nuclear weapons and the Star Wars defense system are designed at Livermore, but
|
|
information about those projects is kept in supercomputers that are physically
|
|
and electronically separate from other computers at the laboratory.
|
|
|
|
The hacker, whose identitiy remains unknown, entered the non-classified
|
|
computer system at Livermore through Internet, a nationwide computer network
|
|
that was shut down at the beginning of November by a computer virus. Chuck
|
|
Cole, Livermore's chief of security, said the two incidents apparently are
|
|
unrelated.
|
|
|
|
The hacker entered the computers through an operating system and then through a
|
|
conventional telephone line, he gave himself "super-user" status, providing
|
|
access to virtually all functions of the non-classified computer systems.
|
|
|
|
Officials quickly limited the super-user access, although they left some
|
|
computers vulnerable to entry in the hope of catching the intruder.
|
|
|
|
"There has been no maliciousness so far," Cole said. "He could have destroyed
|
|
data, but he didn't. He just looks through data files, operating records, and
|
|
password files...It seems to be someone doing a joy-riding thing."
|
|
_______________________________________________________________________________
|
|
|
|
Shattering Revelations December 11, 1988
|
|
~~~~~~~~~~~~~~~~~~~~~~
|
|
Taken from the RISKS Digest (Edited for this presentation)
|
|
|
|
[Shatter is a hacker based in England, he is currently accused of breaking into
|
|
computers at Massachusetts Institute of Technology. -KL]
|
|
|
|
(In this article, "IT" seems to refer to the computer community as a whole -KL)
|
|
|
|
Some of you may have already heard of me via articles in the Wall Street
|
|
Journal, New York Times, etc, but for those of you who do not have access to
|
|
copies of these newspapers I am a hacker of over 10 years activity who is based
|
|
near Nottingham, England [Rumored to be a false statement]. My specialities
|
|
are the various packet switched networks around the world such as PSS, Telepac,
|
|
Transpac, etc with various forays into UNIX, NOS/VE VMS, VM/SP, CMS, etc.
|
|
|
|
I feel that as a hacker with so much activity and expirience I am qualified to
|
|
make the following points on behalf of the whole hacking community.
|
|
|
|
Hackers are not the vandals and common criminals you all think we are in fact
|
|
most of the "TRUE" hackers around have a genuine respect and love for all forms
|
|
of computers and the data that they contain. We are as a community very
|
|
responsible and dedicated to the whole idea of IT, but we also have a strong
|
|
dislike to the abuse of IT that is perpetrated by various governments and
|
|
organizations either directly or indirectly. There is of course a small
|
|
minority of so called hackers who do cause trouble and crash systems or steal
|
|
money, but these people on the whole are dealt with by other hackers in a way
|
|
that most of you could not even think of and most never repeat their "crimes"
|
|
again.
|
|
|
|
The term "HACKER" is still one to be very proud of and I am sure that in days
|
|
past, anyone with a computer was called a hacker and they were very proud of
|
|
the fact that someone felt that you had a great technical expertise that
|
|
warrented the use of the term. However, all of the accusers out there now
|
|
suffer from the standard problem that nearly all people involved within IT have
|
|
and that is non-communication. You never pass on the information that you pick
|
|
up and teach to others within IT [American Government organizations and
|
|
Educational Institutes are among the greatest offenders] and this allows the
|
|
hacking community [who do communicate] to be at least one step ahead of the
|
|
system administrators when it comes to finding security problems and finding
|
|
the cause and solution for the problem.
|
|
|
|
A case in point is the recent Arpanet Worm and the FTP bug. Both these
|
|
problems have been known for many months if not years but, when talking to
|
|
various system administrators recently, not one of them had been informed about
|
|
them and this left their systems wide open even though they had done all they
|
|
could to secure them with the information they had.
|
|
|
|
An interesting piece of information is that hackers in England knew about
|
|
Morris's Worm at least 12 hours before it became public knowledge and although
|
|
England was not able to be infected due to the hardware in use, we were able to
|
|
inform the relevent people and patrol Internet to Janet gateways to look for
|
|
any occurance of the Worm and therefore we performed a valuble service to the
|
|
computing community in England -- although we did not get any thanks or
|
|
acknowledgement for this service.
|
|
|
|
Hackers should be nurtured and helped to perform what they consider a hobby.
|
|
Some people may do crosswords for intelectual challenge -- I study computers
|
|
and learn about how things interact together to function correctly (or
|
|
incorrectly as the case may be). The use of a group of hackers can perform a
|
|
valuable service and find problems that most of you could not even start to
|
|
think of or would even have the inclination to look for.
|
|
|
|
So please don't treat us like lepers and paupers. Find yourself a "TAME"
|
|
hacker and show him the respect he deserves. He will perform a valuble service
|
|
for you. Above all COMMUNICATE with each other don't keep information to
|
|
yourselves.
|
|
|
|
Bst Rgrds
|
|
Shatter
|
|
_______________________________________________________________________________
|
|
|
|
IBM Sells Rolm To Siemens AG December 14, 1988
|
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
International Business Machines Corp. (IBM) announced on Tuesday that it was
|
|
selling its Rolm telephone equipment subsidiary to West Germany's Siemens AG.
|
|
|
|
Rolm has lost several hundred million dollars since IBM bought it in 1984 for
|
|
$1.5 billion. Rolm was the first, or one of the first companies to market
|
|
digital PBX systems.
|
|
|
|
As most telecom hobbyists already know, the PBX market has been very soft for
|
|
years. It has suffered from little or no growth and very bitter price
|
|
competition.
|
|
|
|
Siemens, a leading PBX supplier in Europe wants to bolster its sales in the
|
|
United States, and believes it can do so by aquiring Rolm's sales and service
|
|
operations. Quite obviously, it will also gain access to some of the lucrative
|
|
IBM customers in Europe.
|
|
|
|
Rolm was an early leader in digital PBX's, but they were surpassed in 1984 by
|
|
AT&T and Northern Telecom Ltd. of Canada. Part of the strategy behind IBM's
|
|
purchase of Rolm was IBM's belief that small personal computers would be linked
|
|
through digital PBX's. Although this has happened, most businesses seem to
|
|
prefer ethernet arrangements; something neither IBM or Rolm had given much
|
|
thought to. IBM was certain the late 1980's would see office computers
|
|
everywhere hooked up through PBX's.
|
|
|
|
IBM made a mistake, and at a recent press conference they admitted it and
|
|
announced that Rolm was going bye-bye, as part of the corporate restructuring
|
|
which has seen IBM divest itself of numerous non-computer related businesses in
|
|
the past several months. From its beginning until 1984, Rolm could not run
|
|
itself very well; now IBM has washed its corporate hands. Time will tell how
|
|
much luck the Europeans have with it.
|
|
|
|
Information Contributed by Patrick Townson
|
|
_______________________________________________________________________________
|
|
|
|
Virus Invades The Soviet Union December 19, 1988
|
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
>From The San Francisco Chronicle (P. A16)
|
|
|
|
(UPI) - The Soviet Union announced on Decemeber 18, 1988 that that so-called
|
|
computer viruses have invaded systems in at least five government-run
|
|
institutions since August, but Soviet scientists say they have developed a way
|
|
to detect known viruses and prevent serious damage.
|
|
|
|
In August 1988, a virus infected 80 computers at the Soviet Academy of Sciences
|
|
before it was brought under control 18 hours later. It was traced to a group
|
|
of Soviet and foreign schoolchildren attending the Institute's summer computer
|
|
studies program, apparently resulting from the copying of game programs.
|
|
|
|
Sergei Abramov of the Soviet Academy of Sciences claims they have developed a
|
|
protective system, PC-shield, that protects Soviet computers against known
|
|
virus strains. It has been tested on IBM computers in the Soviet Union. "This
|
|
protective system has no counterpart in the world," he said (although the
|
|
details remain a state secret).
|
|
_______________________________________________________________________________
|
|
|
|
Phrack World News Quicknotes Issue XXII
|
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
1. Rumor has it that the infamous John Draper aka Captain Crunch is currently
|
|
running loose on the UUCP network. Recently, it has been said that he has
|
|
opened up some sort of information gateway to Russia, for reasons unknown.
|
|
-------------------------------------------------------------------------------
|
|
2. Information Available For A Price
|
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
A company called Credit Checker and Nationwide SS says that anyone can;
|
|
o Take a lot of risk out of doing business.
|
|
o Check the credit of anyone, anywhere in the United States
|
|
o Pull Automobile Drivers License information from 49 states
|
|
o Trace people by their Social Security Number
|
|
|
|
By "Using ANY computer with a modem!"
|
|
|
|
To subscribe to this unique 24-hour on-line network call 1-800-255-6643.
|
|
|
|
Can your next door neighbor really afford that new BMW ?
|
|
-------------------------------------------------------------------------------
|
|
3. Reagan Signs Hearing-Aid Compatibility Bill
|
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
There is new legislation recently passed which requires all new phones to be
|
|
compatible with hearing aids by next August. The law requires a small device
|
|
to be included in new phones to eliminate the loud squeal that wearers of
|
|
hearing aids with telecoils pick up when using certain phones. Importers are
|
|
not exempted from the law. Cellular phones and those manufactured for export
|
|
are exempt.
|
|
_______________________________________________________________________________
|
|
=========================================================================
|
|
|