The RISKS Digest
Volume 8 Issue 36

Tuesday, 7th March 1989

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…

Contents

Malicious Hacking
Gene Spafford
News from the KGB/Wily Hackers
Klaus Brunnstein
The fight to purify the word "hacker" is lost
Steve Bellovin
Brad Templeton
Dangers of Spy programs
John ffitch
Re: reach out and spy on someone
Vandenberg
Social effects of viruses
Don Alvarez
Previous message to RISKS misunderstood [Power Failure Problems]
John Sinteur
Info on RISKS (comp.risks)

Malicious Hacking

Gene Spafford <spaf@cs.purdue.edu>
7 Mar 89 19:45:38 GMT
I've recently been in contact with someone doing a study for DOE on malicious
hacking.  In particular, the following 3 topics have been specifically
targetted for attention:
   1) Have there been any documented cases of loss of life, threat to
   life, massive economic loss, or other disastrous circumstances
   caused by someone breaking into or hacking on a system?  This is
   *not* concerned with system failures or poor design, but rather
   with acts of specific intent.
   2) Have there been any documented (or strongly suspected) cases
   of hacking/cracking/etc. for purposes of corporate espionage or
   sabotage, or for service to a foreign government?  The recent
   West German arrests are one case...are there others?
   3) Has anyone (other than Sherry Turkle) done any work on the
   psychological profile of someone likely to break into systems,
   be a compulsive hacker/cracker, etc?  If so, do you have references?

If you have any material on the above, I'd appreciate hearing about it.
I'd like to see if for my class on ethics & responsibility, and my
contact would like it for his report.  I'm sure that anyone
contributing to the report will get a copy, assuming that the final
report is unclassified.

Thanks in advance.     Gene Spafford
NSF/Purdue/U of Florida  Software Engineering Research Center,
Dept. of Computer Sciences, Purdue University, W. Lafayette IN 47907-2004
Internet:  spaf@cs.purdue.edu   uucp:   ...!{decwrl,gatech,ucbvax}!purdue!spaf


News from the KGB/Wily Hackers

Klaus Brunnstein <brunnstein%rz.informatik.uni-hamburg.dbp.de@RELAY.CS.NET>
07 Mar 89 18:52 GMT+0100
Now, 5 days after the `sensational' disclosure of the German (NDR) Panorama TV
team, the dust of speculations begins to rise and the facts become slowly
visible; moreover, some questions which could not be answered (e.g. in Clifford
Stoll's CACM paper) may now be answered. Though not all facts are known
publicly, the following facts seem rather clear (most of the material has been
published; I learned some facts when I analysed, for another Panorama story,
some of the lists which had been sold to KGB, according to the journalists):

    - In 1986, some hackers from W.Berlin and Hannover discussed, 
      in `hacker parties' with alcohol and drugs, how to solve some 
      personal financial problems; at that time, first intrusions of 
      scientific computers (probably CERN/Geneva as `hacker training 
      camp) and CCC's spectacular Btx-intrusion gave many hackers 
      (assisted by newsmedia) the *puerile impression* that they could 
      intrude *into every computer system*; I remember contemporary 
      discussions on 1986/87 Chaos Computer Conferences about 
      possibilities, when one leading CCC member warned that such hacks 
      might also attract espionage (Steffen Wernery recently told
      that German counter-espionage had tried several times to hire
      him and other CCC members as advisors - unsuccessfully).

    - A `kernel group' of 5 hackers who worked together, in some way, 
      in the `KGB case' are (according to Der SPIEGEL, who published 
      the following names in its Monday, March 6 edition):

      ->Markus Hess, 27, from Hannover, Clifford Stoll's `Wily
        Hacker': after having ended (unfinished) his studies in 
        Mathematics, he works as programmer, and tries to get an
        Informatics diploma at the University of Hagen (FRG); he
        is said to have good knowledge of VMS and UNIX (see Cliffs
        paper: it seems to give a good personal profile!).

      ->Karl Koch, 23, from Hannover, who works as programmer;
        due to his luxurious lifestyle and his drug addiction, 
        his permanent financial problems have probably catalysed 
        the desire to sell `hacker knowledge' to interested 
        institutions.

      ->Hans Huebner, alias `Pengo', from Berlin, who after having
        received his Informatics diploma from Technical University
        of W.Berlin, founded a small computer house; the SPIEGEL
        writes that he needed money for investment in his small
        enterprise; though he doesnot belong to Chaos Computer
        Club (as he told me during last Chaos Computer Conference,
        December 1988), he holds close contacts to the national
        hacker scenes (Hamburg: Chaos Computer Club; Munich: Bavarian
        Hacker Post; Cologne: Computer Artists Cologne, and other
        smaller groups), and he was the person to speak about UUCP
        as a future communications medium (cf. my CCC'88 report
        in Risk Forum 89/01).

      ->Dirk Brezinski, from W.Berlin, programmer and sometimes
        `troubleshooter' for Siemens BS-2000 systems (the operating
        system of Siemens mainframe computers), who earned, when
        working for Siemens or a customer (BfA, a national insurance
        for employees) 20,000 DM (about 10,800 $) a month; he is
        regarded (by an intelligence officer) as `some kind of a 
        genious'.

      ->Peter Carl, from W.Berlin, a former croupier, who `always
        had enough cocaine'. (No information about his computer
        knowledge/experience available).

After successfully stimulating KGB's interest, the group (mainly Hess and Koch)
committed their well-documented hacks (-->Clifford Stoll: `Stalking the Wily
Hacker', CACM May 1988). SPIEGEL writes that the group *sold 5 diskettes full
of passwords*, from May to December 1986, to KGB officers which they met in
East Berlin; when Bremen University computer center, their favorite host for
transatlantic hacks, asked (Dec.86) the police to uncover the reasons for their
high telephone bills, they stopped the action.

This statement of Der SPIEGEL is probably wrong: as Cliff describes, the `Wily
Hacker' successfully worked until early 1988, when the path from his
PC/telephone was disclosed by TYMNET/German Post authorities (the German public
prosecutors didnot find enough evidence for a trial, when examining Hess'
apartment; moreover, they had acquired the material in illegal actions, so the
existing evidence couldnot be used and finally had to be scratched!).

In Hess' apartment, public prosecutors found (on March 3, 1989) password lists
from other hacks. On Monday, March 6, 1989, the Panorama team (who had
disclosed the NASA hack and basically the KGB connection) asked me to examine
some of the password lists; the material which I saw (for 30 minutes) consisted
of about 100 photocopied protocols of a hack during the night of July 27 to 28,
1987; it was the famous `NASA hack':  From a VAX 750 (with VMS 4.3), which they
entered via DATEX-P (the German packed-switched data-exchange network, an X.25
version), where they evidently previously had installed a Trojan horse
(UETFORT00.EXE), they tried, via SET HOST ..., to log-into other VAXes in
remote institutes. They always used SYSTEM account and the `proper' password
(unvisible).

    [Remark: Unfortunately, DECs installation procedure works only if a SYSTEM
    account is available; evidently, most system managers do not change the
    preset default password MANAGER; since Version 4.7, MANAGER is excluded,
    but on previous VMS versions, this hole probably exists in many systems!]

Since the hackers, in more than 40% of the cases, succeeded to login, their
first activitities were to SET PRIV=ALL; SET PRIO=9, and then to install (via
trans-net copy) the Trojan horse.  With the Trojan horse (not displayed under
SHow Users), they copied the password lists to their PCs. When looking through
the password list, I observed the well-known facts: more than 25% female or
male first names, historical persons, countries, cities, or local dishes (in
the Universities of Pisa, Pavia and Bologna, INSALATA was/is a favorite
password of several people).  Only in CASTOR and POLLUX, the password lists
contained less than 5% passwords of such nature easy to guess!

Apart from many (about 39) unsuccessful logins, many different CERN /GENEVA,
NASA systems (CASTOR, POLLUX, Goddard and Ames Space Flight Centers), several
US, GB, French, Italian and some German institutes connected in SPANEt were
`visited'. The documented session was from July 27, 10 p.m. to July 28, 1 a.m.
(I am not sure that I saw all the material available).

The media report that other hacks (probably not all committed by Hess and Koch
theirselves) were sold to KGB. Among them, Electronic and Computer Industry
seem to be of dominant interest for the USSR. If special CAD/CAM programs and
Megabit designs (esp.  from Thomson/France, from VAX systems) have been stolen,
the advantage and value for the USSR cannot be (over)estimated.

In FRG, the current discussion is whether the hackers succeeded to get into
`kernel areas' or only `peripheral areas'. This discussion is ridiculous since
most `peripheral systems' contain developments (methods, products) for future
systems, while the `kernel systems' mainly contain existing applications (of
past architectures).

The well-known hackers (esp.CCC) have been seriously attacked by some media. My
best guess is that CCC was itself *a victim* because the group succeeded to
informally get much of the information which they needed for some of the hacks,
and which they finally sold to KGB. Apart from `Pengo', I dont see close
relation between CCC and the KGB/Wily Hackers. Nevertheless, CCC and others,
like Cheshire Catalyst in US, have prepared a climate where espionage
inevitably sprang-off.

Klaus Brunnstein   Hamburg/FRG.


What's a hacker? (The fight to purify the word "hacker" is lost)

<ulysses!smb@research.att.com>
Tue, 07 Mar 89 22:13:14 EST
I'm not sure we want to open this can of worms (again), but...

The grammatical world is divided into two camps on such questions, the
prescriptivists and the descriptivists.  The former know the ``proper'' usage
for every word and phrase; the latter tell it like it is.  To insist that
``hacker'' still retains its original meaning is to align yourself with the
former camp.  Face it, that battle is over, and the purists have lost; the word
hacker, in many contexts, does now mean a criminal.

I've always been a descriptivist; trying to legislate how people talk is a
singularly fruitless activity, the activities of certain governments
notwithstanding.
                                --Steve BEllovin


The fight to purify the word "hacker" is lost

Brad Templeton <brad%looking.uucp@RELAY.CS.NET>
Mon Mar 6 22:30:10 1989
It is with regret that I have to say that this fight has been lost.  "Hacker"
and "computer criminal" are now equated in the public mind, to the extent that
this use of "hacker" now appears in newspaper headlines.  The German Spy
breakins confirm this in papers all over the world.

Once this has happened, we can't win the battle to get the old meaning back.

Who am I to announce the loss of this battle?  A frontliner.  My custom licence
plate is "HACK."  I got it back in the early days when it meant wizard.  Sigh.

Brad Templeton, Looking Glass Software Ltd.  —  Waterloo, Ontario 519/884-7473


False fire alarms

Peter Scott <PJS@grouch.JPL.NASA.GOV>
Tue, 7 Mar 89 10:02:21 PST
A colleague just related a story to me about his apartment building.
Recently the water main supplying the sprinklers fractured, some distance
away from the building.  The fire alarm is triggered by a drop in water
pressure in the sprinkler system, on the thesis that a sprinkler has been
set off.  So the fire department arrived, but couldn't figure out why the
alarms wouldn't shut off when no smoke alarms had been triggered, no
call buttons had been pushed, no sprinklers were running, and there was
nary a wisp of smoke.

Peter Scott (pjs@grouch.jpl.nasa.gov)


Dangers of Spy programs

jpff@maths.bath.ac.uk <@NSS.Cs.Ucl.AC.UK>
Tue, 7 Mar 89 18:10:54 GMT
The recent discussion of this reminds me of an incident which happened
when I was a research student in Cambridge (way back..) when the
computer we had was Titan.  A staff member wrote a program (called
L/WHO for other ex-Cambridge folk) which told who was logged on, and what
they were doing.  This was the first multiple access system in the UK,
and so this kind of information was of great interest.  A friend of
mine, Robin Fairbairns, took the program an extended it to give more
information, and we all enjoyed using it.  One of his enhancements was
to show which magnetic tapes a user had loaded.
  Now the incident.  The Titan Operating system scheduled tape jobs
separately as tape decks were a scarce resource.  In order to improve
throughput the scheduler would accelerate starting jobs which used
tapes which were already on a drive.  Using the L/WHO program a
student determined which tapes were in use, and used the information
to get their programs run quickly.  Of course the operators did not
notice the effect, as the tape scheduling was totally automatic, and
the cheating program did actually use the tape.  That is until the day
when the student program inadvertently wrote to block device zero, and
as this was a tape (usually it would be scratch disk) the tape was
overwritten.  The owner of the tape was not amused at all (I will
suppress the name as they are still very active).  Robin was persuaded
to remove the facility of giving tape names.
  The operators objected of course.  The operating system was not good at
telling them which tape was where, and they had been relying on L/WHO for some
time.  The upshot was that the spy program had a "is this user the operator"
function added (and also a "is this Robin F" bit).  After that I believe it
survived until the unfortunate switching off of such a great machine.
  I will not attempt a moral, except to remark that the program did not use any
privileged information.                                          ==John ffitch


Re: reach out and spy on someone

vandenberg <vanden@studsys.mu.edu>
6 Mar 89 03:05:06 CST (Mon)
Although I'm not a UNIX guru (or even close for that matter) I do know that
it is possible to 'monitor' someone else's terminal.  With our setup, a 3b5
running SYS5, the defaults are such that anyone can 'see' what's on another
terminal and even write to it.  As one my guess this can lead to rather
vicious games between bored students.

     {..uunet..uwvax!uwmcsd1..}!marque!studsys!vanden
         {..uwvax..arpa..}!studsys.mu.edu!vanden
                vanden%studsys@marque.UUCP


Social effects of viruses

Don Alvarez <boomer@space.mit.edu>
Mon, 6 Mar 89 22:01:24 EST
"Guy_Robinson.SBDERX<"@Xerox.COM writes about a Marvel Comics android(?) that
gets wiped out by a computer virus and says:

>One problem this situation raised was that the Vision's human WIFE was a little
>distraught! Could this be a whole new type of RISK to bear in mind?

I have a similar story from my own life, in which my roommate came home one
night around 11:00pm to find me and my fiancee sitting, clearly very depressed,
unhappily in the living room.  He asked "what's the matter?" and my fiancee said
"Don has a virus, and he just got reinfected, and there's nothing he can do
about it."  Needless to say my roommate felt this was not a good time to hang
around and quickly disappeared.  Only much later that night did he hear me on
the phone to a friend in California (which was three hours behind us) and piece
together that (a) I did not have any conventional social diseases (b) the
infection was to my computer (c) the date was november 4th, 1988 (d) the virus
was the "internet virus of 1988" and (e) the reason I couldn't do anything
about it was that I couldn't get in as root over the modem.  Talk about RISKS
of computer viruses!
                    - Don


Previous message to risks misunderstood (Power failure problems,

<ADEGROOT@HROEUR5.BITNET>
Sat, 4 Mar 89 10:59 N
          RISKS-8.28)

I received some flak from my previous employer after a message from me appeared
in risks 8.28. Apparently they are even considering legal action ('though I'm
not sure about this (yet)).  I would like to set something straight...

-I never mentioned the company's name in my message. Their view seems to be
that this isn't necessary, as everybody knows I worked for them. I feel
flattered, but I don't think it's true. I never had a function that exposed me
to the public in any way.

-They feel the message is degrading the company's image.  Well, RISKS is meant
as a forum to relate the risks of modern day technology to people
professionally interested in those risks. It is not meant as a forum to make
fun of companies ('listen what happened to them...'), nor of their employees.
Despite this flak (which I consider to be a slight hiccup on their side), I
still like the company very much, and I consider having worked with the people
a great honour. I wouldn't think of insulting them in any way. They're great
professionals, and I learned a lot from them.  I also believe my message was
received professionally by the Risks Forum, mainly because of the reply in
RISKS-8.30 by Jonathan I. Kamens, relating a very similar case that happened to
his University.  If you feel I did degrade the company's image (and also happen
to know the company's name), please send me a message. I would like to know how
many people agree with my previous employer's views on this...

-John Sinteur (mail to adegroot@hroeur5.bitnet)

     [RISKS Relevance sticklers may think that is not relevant.  However,
     because of the obvious risks of sending contributions to public
     BBoards, it seems relevant enough to include.  Please respond to John
     directly, although you may CC: RISKS-REQUEST (i.e., not for inclusion)
     if you wish.  PGN]

Please report problems with the web pages to the maintainer

x
Top