The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 9 Issue 77

Wednesday 21 March 1990


o Stranded Satellite
Steve Bellovin
o Re: London Underground wrong-way train in rush-hour
Richard A. Schumacher
o Internet Intruder (John Markoff via PGN)
o Internet Intruder Warning
J. Paul Holbrook
o Risks of reporting breakins
Randal Schwartz
o Re: Privacy in Printout
Tim Wood
Henry Spencer
o Computer-based phones threaten privacy (again!)
o Info on RISKS (comp.risks)

Stranded Satellite

Tue, 20 Mar 90 13:34:34 EST
An attempt to launch the $150M Intelsat 6 communications satellite from a Titan
3 rocket failed recently because of a wiring error in the booster.  The problem
was compounded by a human communications failure between the electricians and
the programmers.

The rocket was wired in a two-satellite configuration.  This was erroneous;
only one satellite was aboard that rocket.  The command to separate the
satellite from the booster rocket was generated by a computer; however, when
the computer people said that they would launch the ``first'' payload, they
meant the top one, while the wiring people understood ``first'' to mean the
bottom payload compartment -- which wasn't used.  And -- if I attempt to
translate the newspaperese back into technical English -- it appears that the
separation signal had to travel through the satellite to reach the separation
device; given the faulty wiring, it didn't pass through.

  [Subsequent firing of liquid-fueled rocket thrusters has gotten the satellite
  into a higher orbit, where it may be safe (but still not usable) for a few
  extra months.  PGN]

Re: London Underground wrong-way train in rush-hour (RISKS-9.76)

Richard A. Schumacher <schumach%convex@uunet.UU.NET>
21 Mar 90 00:58:01 GMT
The article seems to suggest that train drivers on the Underground
have control over the switchwork (!). Can this possibly be true?

Internet Intruders

John Markoff via PGN (excerpted)
21 Mar 90 10:30:41
By JOHN MARKOFF, c.1990 N.Y. Times News Service

   A man identifying himself as the intruder who illegally penetrated part of a
nationwide computer linkup said Tuesday that he had done so to taunt computer
security specialists who have denounced activities like his.  His assertion
came in a telephone call to The New York Times on Tuesday afternoon.  The man
identified himself only as an Australian named Dave, and his account could not
be confirmed.  But he offered a multitude of details about various electronic
break-ins in recent months that were corroborated by several targets of the
intruder.  He said he was calling from outside the United States, but that
could not be verified.
   Federal investigators have said that in recent months the intruder has
illegally entered computers at dozens of institutions in a nationwide network,
the Internet.  Once inside the computers, they said, the intruder stole lists
of the passwords that allow users to enter the system and then erased files to
conceal himself.   [...]
   Investigators in the new Internet case said the federal authorities in
Chicago were close to finding the intruder and several associates.  The U.S.
attorney's office in Chicago refused to confirm that assertion.  The
investigators said that in some cases the intruder might have used a program
that scanned the network for computers that were vulnerable.
   In his telephone call to The Times on Tuesday, the man said he had broad
access to U.S. computer systems because of security flaws in those machines.
As a self-proclaimed computer hacker, he said, he decided to break in to the
computer security experts' systems as a challenge.  Among the targets of the
recent attacks were Clifford Stoll, a computer system manager at the
Smithsonian Astronomical Observatory at Harvard University, and Eugene
Spafford, a computer scientist who specializes in computer security issues at
Purdue University.  The caller said he was upset by Stoll's portrayal of
intruders in a new book, ``The Cuckoo's Egg.''  ``I was angry at his
description of a lot of people,'' the caller said.  ``He was going on about how
he hates all hackers, and he gave pretty much of a one-sided view of who
hackers are.''
   Several days ago the intruder illegally entered a computer Stoll manages at
Harvard University and changed a standard welcome message to read: ``Have Cliff
read his mail. The cuckoo has egg on his face. Anonymous.''  The caller
explained in detail his techniques for illegally entering computer systems.  He
gave information about Stoll's and Spafford's computer systems that matched
details they were familiar with.
   And he described a break-in at an external computer that links different
networks at Digital Equipment Corp.  A spokeswoman for the company confirmed
that a machine had been entered in the manner the caller described.  But the
caller was not able to penetrate more secure Digital computers, she said.
   The caller said he had intended to tease the security experts but not to
damage the systems he entered.  ``It used to be the security guys chase the
hackers,'' he said. ``Now it's the hackers chase the security people.''
   Several managers of computer systems that were entered said that no
significant harm had been done but that the invader had wasted the time of
system administrators, who were forced to drop their normal duties to deal with
the breaches in security.
   Ordinary users were also inconvenienced, the managers said, because their
computers had to be temporarily removed from the system for security reasons.
   Investigators familiar with the break-ins said the intruder had entered
systems by using several well-known security flaws that have been widely
distributed in computerized mailing lists circulated among systems managers.
   Stoll, who from 1986 to 1988 tracked a group of West Germans breaking into
U.S. corporate, university and nonclassified military computers, said the
intruders had not proved any point.  ``It's sad that people have these
gunslinger ethics,'' he said.  ``It shows how easy it is to break into even a
modestly secure system.''  Spafford, who has also written <garbled>, but added
that nothing significant had been compromised.  [...]
   As a result of the break-ins, the Smithsonian Astronomical disconnected its
computers from the Internet, a network that connects servers around the world.
   Among the institutions believed to have been penetrated by the intruder are
the Los Alamos National Laboratory, Harvard, Digital Equipment, Livermore
Laboratories, Boston University and the University of Texas.
   Tuesday, the caller asserted that he had successfully entered dozens of
different computers by copying the password files to his machine and then
running a special program to decode the files.  That program was originally
written as a computer security experiment by a California-based computer
scientist and then distributed to other scientists.  [... reference to the
following CERT message...]
   Asked Tuesday whether he would continue his illegal activities, the caller
said he might lay low for a while.  ``It's getting a bit hot,'' he said, ``and
we went a bit berserk in the past week.''

Internet Intruder Warning

"J. Paul Holbrook" <ph@CERT.SEI.CMU.EDU>
Mon, 19 Mar 90 15:42:52 EST
                CERT Advisory
                March 19, 1990
              Internet Intruder Warning

There have been a number of media reports stemming from a March 19 New York
Times article entitled 'Computer System Intruder Plucks Passwords and
Avoids Detection.'  The article referred to a program that attempts to
get into computers around the Internet.

At this point, the Computer Emergency Response Team Coordination Center
(CERT/CC) does not have hard evidence that there is such a program.  What we
have seen are several persistent attempts on systems using known security
vulnerabilities.  All of these vulnerabilities have been previously reported.
Some national news agencies have referred to a 'virus' on the Internet; the
information we have now indicates that this is NOT true.  What we have seen and
can confirm is an intruder making persistent attempts to get into Internet

It is possible that a program may be discovered.  However, all the techniques
used in these attempts have also been used, in the past, by intruders probing
systems manually.

As of the morning of March 19, we know of several systems that have been broken
into and several dozen more attempts made on Thursday and Friday, March 15 and

Systems administrators should be aware that many systems around the Internet
may have these vulnerabilities, and intruders know how to exploit them.  To
avoid security breaches in the future, we recommend that all system
administrators check for the kinds of problems noted in this message.

The rest of this advisory describes problems with system configurations that we
have seen intruders using.  In particular, the intruders attempted to exploit
problems in Berkeley BSD derived UNIX systems and have attacked DEC VMS
systems.  In the advisory below, points 1 through 12 deal with Unix, points 13
and 14 deal with the VMS attacks.

If you have questions about a particular problem, please get in touch with your

The CERT makes copies of past advisories available via anonymous FTP (see the
end of this message).  Administrators may wish to review these as well.

We've had reports of intruders attempting to exploit the following areas:

1) Use TFTP (Trivial File Transfer Protocol) to steal password files.

   To test your system for this vulnerability, connect to your system using
TFTP and try 'get /etc/motd'.  If you can do this, anyone else can get your
password file as well.  To avoid this problem, disable tftpd.

   In conjunction with this, encourage your users to choose passwords that are
difficult to guess (e.g. words that are not contained in any dictionary of
words of any language; no proper nouns, including names of "famous" real or
imaginary characters; no acronyms that are common to computer professionals; no
simple variations of first or last names, etc.)  Furthermore, inform your users
not to leave any clear text username/password information in files on any

   If an intruder can get a password file, he/she will usually take it to
another machine and run password guessing programs on it. These programs
involve large dictionary searches and run quickly even on slow machines.  The
experience of many sites is that most systems that do not put any controls on
the types of passwords used probably have at least one password that can be

2) Exploit accounts without passwords or known passwords (accounts with vendor
supplied default passwords are favorites).  Also uses finger to get account
names and then tries simple passwords.

   Scan your password file for extra UID 0 accounts, accounts with no password,
or new entries in the password file.  Always change vendor supplied default
passwords when you install new system software.

3) Exploit holes in sendmail.

   Make sure you are running the latest sendmail from your vendor.  BSD 5.61
fixes all known holes that the intruder is using.

4) Exploit bugs in old versions of FTP; exploit mis-configured anonymous FTP

   Make sure you are running the most recent version of FTP which is the
Berkeley version 4.163 of Nov.  8 1988.  Check with your vendor for information
on configuration upgrades.  Also check your anonymous FTP configuration.  It is
important to follow the instructions provided with the operating system to
properly configure the files available through anonymous ftp (e.g., file
permissions, ownership, group, etc.).  Note especially that you should not use
your system's standard password file as the password file for FTP.

5) Exploit the fingerd hole used by the Morris Internet worm.

Make sure you're running a recent version of finger.  Numerous Berkeley BSD
derived versions of UNIX were vulnerable.

Some other things to check for:

6) Check user's .rhosts files and the /etc/hosts.equiv files for systems
outside your domain.  Make sure all hosts in these files are authorized and
that the files are not world-writable.

7) Examine all the files that are run by cron and at.  We've seen intruders
leave back doors in files run from cron or submitted to at.  These techniques
can let the intruder back on the system even after you've kicked him/her off.
Also, verify that all files/programs referenced (directly or indirectly) by the
cron and at jobs, and the job files themselves, are not world-writable.

8) If your machine supports uucp, check the L.cmds file to see if they've added
extra commands and that it is owned by root (not by uucp!)  and world-readable.
Also, the L.sys file should not be world-readable or world-writable.

9) Examine the /usr/lib/aliases (mail alias) file for unauthorized entries.
Some alias files include an alias named 'uudecode'; if this alias exists on
your system, and you are not explicitly using it, then it should be removed.

10) Look for hidden files (files that start with a period and are normally not
shown by ls) with odd names and/or setuid capabilities, as these can be used to
"hide" information or privileged (setuid root) programs, including /bin/sh.
Names such as '..  ' (dot dot space space), '...', and .xx have been used, as
have ordinary looking names such as '.mail'.  Places to look include especially
/tmp, /usr/tmp, and hidden directories (frequently within users' home

11) Check the integrity of critical system programs such as su, login, and
telnet.  Use a known, good copy of the program, such as the original
distribution media and compare it with the program you are running.

12) Older versions of systems often have security vulnerabilities that are well
known to intruders.  One of the best defenses against problems is to upgrade to
the latest version of your vendor's system.


13) The intruder exploits system default passwords that have not been changed
since installation.  Make sure to change all default passwords when the
software is installed.  The intruder also guesses simple user passwords.  See
point 1 above for suggestions on choosing good passwords.

14) If the intruder gets into a system, often the programs
loginout.exe and show.exe are modified.  Check these programs against
the files found in your distribution media.

If you believe that your system has been compromised, contact CERT via
telephone or e-mail.

J. Paul Holbrook, Computer Emergency Response Team (CERT), Software
Engineering Institute, Carnegie Mellon University, Pittsburgh, PA 15213-3890
Internet E-mail:
Telephone: 412-268-7090 24-hour hotline: CERT personnel answer
       7:30a.m.-6:00p.m. EST, on call for emergencies
        other hours.

Past advisories and other information are available for anonymous ftp
from (
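
Several of the checks in the advisory above (points 2, 6, 7 and 10) can be run as a small POSIX shell audit. This is an added example, not part of the CERT advisory or the original digest; the function names, the `example.edu` domain and the sample files are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: defensive checks for advisory points 2, 6, 7 and 10.
# Each function prints one "<finding> <subject>" line per problem.

# Point 2: extra UID 0 accounts and accounts with an empty password field.
# (On systems with shadow passwords the hash field lives in /etc/shadow.)
audit_passwd() {
    awk -F: '
        /^#/ || NF < 3 { next }
        $3 == 0 && $1 != "root" { print "extra-uid0 " $1 }
        $2 == ""                { print "no-password " $1 }
    ' "$1"
}

# Point 6: hosts in a .rhosts or hosts.equiv file ($1) outside your domain ($2).
# Assumption: trusted hosts are written fully qualified.
audit_trust() {
    awk -v dom="$2" '
        /^#/ || NF == 0 { next }
        { h = tolower($1); d = tolower(dom); suffix = "." d
          if (h != d && substr(h, length(h) - length(suffix) + 1) != suffix)
              print "outside-domain " $1 }
    ' "$1"
}

# Points 6, 7, 10: world-writable files, setuid files, and names that start
# with ".. " or "..." (such as "..  " or "...") anywhere under directory $1.
audit_tree() {
    find "$1" -type f -perm -0002 -exec printf 'world-writable %s\n' {} \;
    find "$1" -type f -perm -4000 -exec printf 'setuid %s\n' {} \;
    find "$1" \( -name '.. *' -o -name '...*' \) -exec printf 'odd-hidden %s\n' {} \;
}

# Constructed sample data (not from the advisory) to try the checks offline.
make_sample() {
    mkdir -p "$1/home/alice"
    printf '%s\n' 'root:CONSTRUCTEDHASH:0:0:root:/:/bin/sh' \
        'toor:CONSTRUCTEDHASH:0:0::/:/bin/sh' \
        'guest::100:100:Guest:/home/guest:/bin/sh' \
        'alice:CONSTRUCTEDHASH:101:100:Alice:/home/alice:/bin/csh' > "$1/passwd"
    printf '%s\n' 'hosta.example.edu alice' 'far.example.org' > "$1/home/alice/.rhosts"
    chmod 666 "$1/home/alice/.rhosts"
    : > "$1/home/alice/..  "
    : > "$1/home/alice/.mail" && chmod 4755 "$1/home/alice/.mail"
}

demo=$(mktemp -d) && make_sample "$demo"
audit_passwd "$demo/passwd"
audit_trust "$demo/home/alice/.rhosts" example.edu
audit_tree "$demo/home"
rm -rf "$demo"
```

On a real system the same functions would be pointed at `/etc/passwd`, each user's `.rhosts`, `/etc/hosts.equiv`, and directories such as `/tmp` and `/usr/tmp`.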

Risks of reporting breakins

Randal Schwartz
Tue, 20 Mar 90 09:15:32 PST
"Who *was* that bearded man?"

Just Peter Neumann, the RISKS moderator.  He was being interviewed on CNN
last night about the recent Internet breakins.

Now for the RISKS element:

The reporter, while talking about "hacker-this" and "virus-that", used screen
shots of a terminal.  The text was obviously from some BSD-like system, because
I recognized a listing of /etc.  A moment later, for at least two seconds on
the screen, I got a clear picture of /etc/passwd!  And a few moments later, an
entire login sequence (with hostname, username, and password)!  (I wasn't
taping it... sigh. :-)

When you let the press into your cube, be sure you aren't doing something
wonderful on your screen.

Does this qualify as an "out-of-band" transmission? :-)

Randal L. Schwartz, Stonehenge Consulting Services Beaverton, Oregon, USA

    [Good point, although it occurred at least once before on a filmed episode
    of a lady hacker being shown carrying out a breakin on camera.  PGN]

Re: Privacy in Printout (RISKS-9.76)

Tim Wood
Tue, 20 Mar 90 18:00:44 PST
It seems to me that the crux of this very disturbing story is whether or not
the defendant had a reasonable expectation of privacy in using the Police
Dept.'s TDD.  That expectation is governed by the physical surroundings,
assuming there is no electronic monitoring of the telephone or TDD call.  Are
arrestees' telephone/TDD conversations that take place in the sheriff's office
understood to be off-limits to the police?

A telephone caller in an occupied room would risk at least his side of the
conversation being overheard; a TDD caller would risk a department employee
looking over his shoulder to read the printed dialogue.

The occupied-room situation seems to offer no expectation of privacy for either
type of call, less for the TDD than for phone.  If, however, the defendant had
a reasonable expectation of privacy, then it would seem to be basic
discrimination against deaf people to use physical evidence of a private
conversation (the printed text itself) to prove a more serious charge, since no
such physical evidence would exist for an ordinary phone conversation.  The
printout (paper + content) may be police property, but there are many cases
where certain police property or knowledge is not admitted as evidence.

Note that the US Supreme Court recently ruled that users of cordless telephones
have no reasonable expectation of privacy.  Thus if the conversation took place
over such a phone, the conversation, whether spoken or TDD, seemingly could
have been recorded and used as evidence.  -TW

Sybase, Inc. / 6475 Christie Ave. / Emeryville, CA / 94608    415-596-3500

Re: Privacy in Printout (RISKS-9.76)

Tue, 20 Mar 90 11:48:14 EST
A somewhat similar question has been settled and may perhaps provide some
guidance: who owns a (physical, not electronic) letter?  The issue comes up in
connection with publication of "collected letters of J. Doe" books and the
like.  The way this has generally been resolved is that the addressee owns the
physical copy of the letter, but the sender (or his heir) owns the copyright on
the contents.
                                    Henry Spencer at U of Toronto Zoology

Computer-based phones threaten privacy (again!)

Mon, 19 Mar 90 15:38:05 EST
     Several universities with computer-based phone systems here in MI have
announced that they have in place, or intend to have in place, call
tracking systems which will provide printouts for each employee's
phone of ALL LOCAL CALLS (as well as long distance) including listing
the number called, date and time of the call, and the duration thereof.
The privacy implications of all this, and the attendant threat and
capacity for abuse, are obvious.
