Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
An attempt to launch the $150M Intelsat 6 communications satellite from a Titan 3 rocket failed recently because of a wiring error in the booster. The problem was compounded by a human communications failure between the electricians and the programmers. The rocket was wired in a two-satellite configuration. This was erroneous; only one satellite was aboard that rocket. The command to separate the satellite from the booster rocket was generated by a computer; however, when the computer people said that they would launch the ``first'' payload, they meant the top one, while the the wiring people understood ``first'' to mean the bottom payload compartment — which wasn't used. And — if I attempt to translate the newspaperese back into technical English — it appears that the separation signal had to travel through the satellite to reach the separation device; given the faulty wiring, it didn't pass through. [Subsequent firing of liquid-fuled rocket thrusters has gotten the satellite into a higher orbit, where it may be safe (but still not usable) for a few extra months. PGN]
The article seems to suggest that train drivers on the Underground have control over the switchwork (!). Can this possibly be true?
SELF-PROCLAIMED `HACKER' SENDS MESSAGE TO CRITICS By JOHN MARKOFF, c.1990 N.Y. Times News Service A man identifying himself as the intruder who illegally penetrated part of a nationwide computer linkup said Tuesday that he had done so to taunt computer security specialists who have denounced activities like his. His assertion came in a telephone call to The New York Times on Tuesday afternoon. The man identified himself only as an Australian named Dave, and his account could not be confirmed. But he offered a multitude of details about various electronic break-ins in recent months that were corroborated by several targets of the intruder. He said he was calling from outside the United States, but that could not be verified. Federal investigators have said that in recent months the intruder has illegally entered computers at dozens of institutions in a nationwide network, the Internet. Once inside the computers, they said, the intruder stole lists of the passwords that allow users to enter the system and then erased files to conceal himself. [...] Investigators in the new Internet case said the federal authorities in Chicago were close to finding the intruder and several associates. The U.S. attorney's office in Chicago refused to confirm that assertion. The investigators said that in some cases the intruder might have used a program that scanned the network for computers that were vulnerable. In his telephone call to The Times on Tuesday, the man said he had broad access to U.S. computer systems because of security flaws in those machines. As a self-proclaimed computer hacker, he said, he decided to break in to the computer security experts' systems as a challenge. Among the targets of the recent attacks were Clifford Stoll, a computer system manager at the Smithsonian Astronomical Observatory at Harvard University, and Eugene Spafford, a computer scientist who specializes in computer security issues at Purdue University. The caller said he was upset by Stoll's portrayal of intruders in a new book, ``The Cuckoo's Egg.'' ``I was angry at his description of a lot of people,'' the caller said. ``He was going on about how he hates all hackers, and he gave pretty much of a one-sided view of who hackers are.'' Several days ago the intruder illegally entered a computer Stoll manages at Harvard University and changed a standard welcome message to read: ``Have Cliff read his mail. The cuckoo has egg on his face. Anonymous.'' The caller explained in detail his techniques for illegally entering computer systems. He gave information about Stoll's and Spafford's computer systems that matched details they were familiar with. And he described a break-in at an external computer that links different networks at Digital Equipment Corp. A spokeswoman for the company confirmed that a machine had been entered in the manner the caller described. But the caller was not able to penetrate more secure Digital computers, she said. The caller said he had intended to tease the security experts but not to damage the systems he entered. ``It used to be the security guys chase the hackers,'' he said. ``Now it's the hackers chase the security people.'' Several managers of computer systems that were entered said that no significant harm had been done but that the invader had wasted the time of system administrators, who were forced to drop their normal duties to deal with the breaches in security. Ordinary users were also inconvenienced, the managers said, because their computers had to be temporarily removed from the system for security reasons. Investigators familiar with the break-ins said the intruder had entered systems by using several well-known security flaws that have been widely distributed in computerized mailing lists circulated among systems managers. Stoll, who from 1986 to 1988 tracked a group of West Germans breaking into U.S. corporate, university and nonclassified military computers, said the intruders had not proved any point. ``It's sad that people have these gunslinger ethics,'' he said. ``It shows how easy it is to break into even a modestly secure system.'' Spafford, who has also written <garbled>, but added that nothing significant had been compromised. [...] As a result of the break-ins, the Smithsonian Astronomical disconnected its computers from the Internet, a network that connects severs around the world. Among the institutions believed to have been penetrated by the intruder are the Los Alamos National Laboratory, Harvard, Digital Equipment, Livermore Laboratories, Boston University and the University of Texas. Tuesday, the caller asserted that he had successfully entered dozens of different computers by copying the password files to his machine and then running a special program to decode the files. That program was originally written as a computer security experiment by a California-based computer scientist and then distributed to other scientists. [... reference to the following CERT message...] Asked Tuesday whether he would continue his illegal activities, the caller said he might lay low for a while. ``It's getting a bit hot,'' he said, ``and we went a bit berserk in the past week.''
CA-90:02
CERT Advisory
March 19, 1990
Internet Intruder Warning
There have been a number of media reports stemming from a March 19 New York
Times article entitled 'Computer System Intruder Plucks Passwords and
Avoids Detection.' The article referred to a program that attempts to
get into computers around the Internet.
At this point, the Computer Emergency Response Team Coordination Center
(CERT/CC) does not have hard evidence that there is such a program. What we
have seen are several persistent attempts on systems using known security
vulnerabilities. All of these vulnerabilities have been previously reported.
Some national news agencies have referred to a 'virus' on the Internet; the
information we have now indicates that this is NOT true. What we have seen and
can confirm is an intruder making persistent attempts to get into Internet
systems.
It is possible that a program may be discovered. However, all the techniques
used in these attempts have also been used, in the past, by intruders probing
systems manually.
As of the morning of March 19, we know of several systems that have been broken
into and several dozen more attempts made on Thursday and Friday, March 15 and
16.
Systems administrators should be aware that many systems around the Internet
may have these vulnerabilities, and intruders know how to exploit them. To
avoid security breaches in the future, we recommend that all system
administrators check for the kinds of problems noted in this message.
The rest of this advisory describes problems with system configurations that we
have seen intruders using. In particular, the intruders attempted to exploit
problems in Berkeley BSD derived UNIX systems and have attacked DEC VMS
systems. In the advisory below, points 1 through 12 deal with Unix, points 13
and 14 deal with the VMS attacks.
If you have questions about a particular problem, please get in touch with your
vendor.
The CERT makes copies of past advisories available via anonymous FTP (see the
end of this message). Administrators may wish to review these as well.
We've had reports of intruders attempting to exploit the following areas:
1) Use TFTP (Trivial File Transfer Protocol) to steal password files.
To test your system for this vulnerability, connect to your system using
TFTP and try 'get /etc/motd'. If you can do this, anyone else can get your
password file as well. To avoid this problem, disable tftpd.
In conjunction with this, encourage your users to choose passwords that are
difficult to guess (e.g. words that are not contained in any dictionary of
words of any language; no proper nouns, including names of "famous" real or
imaginary characters; no acronyms that are common to computer professionals; no
simple variations of first or last names, etc.) Furthermore, inform your users
not to leave any clear text username/password information in files on any
system.
If an intruder can get a password file, he/she will usually take it to
another machine and run password guessing programs on it. These programs
involve large dictionary searches and run quickly even on slow machines. The
experience of many sites is that most systems that do not put any controls on
the types of passwords used probably have at least one password that can be
guessed.
2) Exploit accounts without passwords or known passwords (accounts with vendor
supplied default passwords are favorites). Also uses finger to get account
names and then tries simple passwords.
Scan your password file for extra UID 0 accounts, accounts with no password,
or new entries in the password file. Always change vendor supplied default
passwords when you install new system software.
3) Exploit holes in sendmail.
Make sure you are running the latest sendmail from your vendor. BSD 5.61
fixes all known holes that the intruder is using.
4) Exploit bugs in old versions of FTP; exploit mis-configured anonymous FTP
Make sure you are running the most recent version of FTP which is the
Berkeley version 4.163 of Nov. 8 1988. Check with your vendor for information
on configuration upgrades. Also check your anonymous FTP configuration. It is
important to follow the instructions provided with the operating system to
properly configure the files available through anonymous ftp (e.g., file
permissions, ownership, group, etc.). Note especially that you should not use
your system's standard password file as the password file for FTP.
5) Exploit the fingerd hole used by the Morris Internet worm.
Make sure you're running a recent version of finger. Numerous Berkeley BSD
derived versions of UNIX were vulnerable.
Some other things to check for:
6) Check user's .rhosts files and the /etc/hosts.equiv files for systems
outside your domain. Make sure all hosts in these files are authorized and
that the files are not world-writable.
7) Examine all the files that are run by cron and at. We've seen intruders
leave back doors in files run from cron or submitted to at. These techniques
can let the intruder back on the system even after you've kicked him/her off.
Also, verify that all files/programs referenced (directly or indirectly) by the
cron and at jobs, and the job files themselves, are not world-writable.
8) If your machine supports uucp, check the L.cmds file to see if they've added
extra commands and that it is owned by root (not by uucp!) and world-readable.
Also, the L.sys file should not be world-readable or world-writable.
9) Examine the /usr/lib/aliases (mail alias) file for unauthorized entries.
Some alias files include an alias named 'uudecode'; if this alias exists on
your system, and you are not explicitly using it, then it should be removed.
10) Look for hidden files (files that start with a period and are normally not
shown by ls) with odd names and/or setuid capabilities, as these can be used to
"hide" information or privileged (setuid root) programs, including /bin/sh.
Names such as '.. ' (dot dot space space), '...', and .xx have been used, as
have ordinary looking names such as '.mail'. Places to look include especially
/tmp, /usr/tmp, and hidden directories (frequently within users' home
directories).
11) Check the integrity of critical system programs such as su, login, and
telnet. Use a known, good copy of the program, such as the original
distribution media and compare it with the program you are running.
12) Older versions of systems often have security vulnerabilities that are well
known to intruders. One of the best defenses against problems is to upgrade to
the latest version of your vendor's system.
VMS SYSTEM ATTACKS:
13) The intruder exploits system default passwords that have not been changed
since installation. Make sure to change all default passwords when the
software is installed. The intruder also guesses simple user passwords. See
point 1 above for suggestions on choosing good passwords.
14) If the intruder gets into a system, often the programs
loginout.exe and show.exe are modified. Check these programs against
the files found in your distribution media.
If you believe that your system has been compromised, contact CERT via
telephone or e-mail.
J. Paul Holbrook, Computer Emergency Response Team (CERT), Software
Engineering Institute, Carnegie Mellon University, Pittsburgh, PA 15213-3890
Internet E-mail: cert@cert.sei.cmu.edu
Telephone: 412-268-7090 24-hour hotline: CERT personnel answer
7:30a.m.-6:00p.m. EST, on call for emergencies
other hours.
Past advisories and other information are available for anonymous ftp
from cert.sei.cmu.edu (128.237.253.5).
"Who *was* that bearded man?"
Just Peter Neumann, the RISKS moderator. He was being interviewed on CNN
last night about the recent Internet breakins.
Now for the RISKS element:
The reporter, while talking about "hacker-this" and "virus-that", used screen
shots of a terminal. The text was obviously from some BSD-like system, because
I recognized a listing of /etc. A moment later, for at least two seconds on
the screen, I got a clear picture of /etc/passwd! And a few moments later, an
entire login sequence (with hostname, username, and password)! (I wasn't
taping it... sigh. :-)
When you let the press into your cube, be sure you aren't doing something
wonderful on your screen.
Does this qualify as an "out-of-band" transmission? :-)
Randal L. Schwartz, Stonehenge Consulting Services Beaverton, Oregon, USA
(503)777-0095
[Good point, although it occurred at least once before on a filmed episode
of a lady hacker being shown carrying out a breakin on camera. PGN]
It seems to me that the crux of this very disturbing story is whether or not the defendant had a reasonable expectation of privacy in using the Police Dept.'s TDD. That expectation is governed by the physical surroundings, assuming there is no electronic monitoring of the telephone or TDD call. Are arrestees' telephone/TDD conversations that take place in the sheriff's office understood to be off-limits to the police? A telephone caller in an occupied room would risk at least his side of the conversation being overheard; a TDD caller would risk a department employee looking over his shoulder to read the printed dialogue. The occupied-room situation seems to offer no expectation of privacy for either type of call, less for the TDD than for phone. If, however, the defendant had a reasonable expectation of privacy, then it would seem to be basic discrimination against deaf people to use physical evidence of a private conversation (the printed text itself) to prove a more serious charge, since no such physical evidence would exist for an ordinary phone conversation. The printout (paper + content) may be police property, but there are many cases where certain police property or knowledge is not admitted as evidence. Note that the US Supreme Court recently ruled that users of cordless telephones have no reasonable expectation of privacy. Thus if the conversation took place over such a phone, the conversation, whether spoken or TDD, seemingly could have been recorded and used as evidence. -TW Sybase, Inc. / 6475 Christie Ave. / Emeryville, CA / 94608 415-596-3500
A somewhat similar question has been settled and may perhaps provide some
guidance: who owns a (physical, not electronic) letter? The issue comes up in
connection with publication of "collected letters of J. Doe" books and the
like. The way this has generally been resolved is that the addressee owns the
physical copy of the letter, but the sender (or his heir) owns the copyright on
the contents.
Henry Spencer at U of Toronto Zoology
Several universities with computer-based phone systems here in MI have
announced that they have in place, or intend to have in place, call
tracking systems which will provide printouts for each employee's
phone of ALL LOCAL CALLS (as well as long distance) including listing
the number called, date and time of the call, and the duration thereof.
The privacy implications of all this, and the attendant threat ald
capacity for abuse, are obvious.
Please report problems with the web pages to the maintainer