Copy Link
Add to Bookmark
Report
NuKE Issue 08-015
-----BEGIN PGP SIGNED MESSAGE-----
NuKE_NuKE_NuKe_NuKE_NuKE_NuKE_NuKE_NuKE_NuKE_NuKE_N
uK Nu
KE "NuKE World News" uK
E_ "Hacker Related News Stories" KE
_N by E_
Nu Firecracker _N
uK Nu
KE_NuKE_NuKE_NuKE_NuKE_NuKE_NuKE_NuKE_NuKE_NuKE_NuK
NuKE Info-Journal #8
April 1994
________________________________________________________________________________
% 'Trojan horse' steals passwords on electronic highway %
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
by: Joe Fasbinder - Fri, 4 Feb 94 12:58:07 PST
LOS ANGELES (UPI) __ Tens of thousands of users on the global computer
network known as the Internet were advised Friday that security has been
compromised, and that they should change their passwords immediately.
The Internet's federally funded Computer Emergency Response Team
issued a warning that computer ``crackers'' had deployed a stealthy
computer program that can copy down passwords used when Internet users
log onto remote computer systems through the vast network.
Those passwords are then passed by the clandestine computer program
back to the password thieves, who use them to log on to remote systems,
posing as the legitimate users.
With a valid password, a remote user could use a modem to dial into
the Internet from a virtually untraceable position and use the false
identity to potentially seize or destroy confidential information.
CERT, in an advisory sent by electronic mail to thousands of system
operators, declined to provide details of the incidents or to say if any
computer files had been damaged by the Internet bandits. But team
members said they would send out upgraded software to remote nodes on
the Internet to make them more secure in the future.
CERT also declined to identify the mode of operation for the bandit
software, though experts at Delphi Internet Services Corp. said the most
likely angle of attack is that of a ``Trojan horse.''
Such software poses as a program that is innocuous to get into a
remote system, where, unnoticed by the host computer it performs tasks
such as copying down computer passwords. Later, the ``Trojan horse'' can
be called upon by the person who placed it in the remote system to
reveal those passwords.
``Everyone is taking this very seriously,'' said Russell Williams,
vice president and general manager for Delphi, ``but you have to
remember that thousands of notices were sent out and the Internet serves
15 million people.''
Designed initially to link Department of Defense computers, the
system was expanded in the 1970s to include other government agencies,
universities and libraries, and has since spread to encompass businesses
and a steadily expanding number of individuals.
__________________________________________________________________________
December 13, 1993
Hackers and cyberpunks have received a lot of attention lately. From the Los
Angeles Times to Newsweek, from the famous WarGames movie to the detailed
exploits of Robert Morris, the Internet worm creator. Exposes of the computer
underground are terrifying many individuals into a deep computer phobia. The
perception is that bands of angry, antisocial adolescents are waiting in the
wings to wreak havoc on the nation's nuclear arsenal, monetary supply, and space
programs.
The reality is that there is a far greater information security risk from the
administrative assistant whose insurance premium was bumped and wages frozen
than from any Legion of Doom member.
In retailing, the greatest proportion of larceny occurs among internal
employees. The same goes for IS and others who have access to information
systems. The users who have privileges within accounting systems, databases,
and confidential records are more apt to err or sabotage the system than a rogue
hacker. Assuming that the network manager or MIS director has implemented
sufficient security procedures and protocols (nonpublished dial-in numbers,
adequate levels of password protection, delayed modem pickup, enforcement of
good passwords, and timely password changes), for a vast majority of
organizations, the threat of a hacker getting into the LAN is insignificant. It
is the quiet end-user lurking in the inside who has the greatest potential for
destruction.
For those who still have a fear of the cyberpunk, it is crucial to realize
that the cyberpunk is interested in a few, select establishments. Organizations
such as MITRE, NASA, FDIC, DOD, Blue Cross, SRI, Chemical Bank, and TRW are far
more fascinating and alluring than the standard businesses that have no
far-reaching impact.
Would you spend 12 hours attempting to penetrate the 10-user archaic LAN at
Irving Tire & Auto? Most ordinary business LANs such as Irving Tire have
nothing more than megabytes of boring memos, monotonous reports, and dull
databases. No self-respecting hacker would spend an entire evening rummaging
through such systems. There is simply no reward for the hacker in doing such.
For the vast majority of American businesses that are not part of the Fortune
500 or defense contractors, the fear of a hacker is simply more hype than
reality.
The real danger is perceiving the hype as reality. If an MIS staff spends
its time chasing the nonexistent hacker, the real internal security breach will
only continue to spread. That is one trojan horse that even the best security
software couldn't identify.
Two critical and effective proactive measures in any info-security system are
the distribution of a clear and understandable information systems policy manual
and the separation of duties among staff.
Telltale signs, such as key technical or financial staff members who never
take vacations or reject any concept of cross-training or promotion, are
indicators that some time of indiscretion may be occurring. Cross-training and
separation of duties are key steps to take to curtail any info-security
predicament.
It is far more glamorous and exciting to chase a hacker across three
continents with the NSA and Interpol at your side than to discipline a
disgruntled data entry clerk on the seventh floor. Yet it must be realized that
there is only one Clifford Stoll but thousands of perturbed employees and
breaches that need to be mended. As soon as the hype is discarded and the
dreams of being another James Bond are abandoned, one may finally tackle the
real info-security issues. But until then, the losses mount and the breach
grows and grows.
________________________________________________________________________________
January 12, 1994 Wednesday, THIRD
In today's high-tech world, even small businesses have elaborate,
computerized phone systems. Now the Better Business Bureau is warning of an
increase in phone scams using these complex systems.
The BBB says the scams, which can run up thousands of dollars of
long-distance telephone charges, are frequently the work of prison inmates who
use various methods to gain access to an outside company's telephone lines in
order to place the unauthorized calls.
In one scenario, the BBB says, an inmate calls the company, claiming to be a
new employee who does not have an access code and needs an outside line. Once
this information is given and he has an open line, the scam operator, many of
whom are skilled computer hackers, are free to place calls across the country
and world.
The company is unaware that anything is wrong until it receives an
exceptionally high phone bill. In many cases, the businesses must pay for these
calls, the BBB says.
The bureau advises businesses to understand all the capabilities of their
elaborate phone systems by checking with the vendors who sold the equipment.
Any vendor should be able to describe the fraud-defense features of its system,
the BBB says.
Lighter recalled: In one of the worst marketing ideas of 1993, the New York
Lighter Company Inc. manufactured disposable cigarette lighters decorated with
troll designs.
Now the company is recalling 24,000 of its "Good Time Troll" lighters because
they may tempt children to play with them.
The lighters sold for $3 each at convenience stores nationwide from January
through July 1993.
Owners of the lighters can call the company at 1-800-6262-4732 to receive
special pre-paid packaging and instructions for returning the lighters.
The company will send free gifts to consumers who return the lighters.
Casablanca fan recall: Casablanca Fan Co. is recalling about 3,264,000
ceiling fans, manufactured from 1981 through 1993. The fans, which sold for $200
to $2,500, can separate from the canopies on which they are mounted and fall,
possibly injuring bystanders.
In addition, falling fans may expose wires that pose electric shock hazards.
The company has received at least 50 reports of fans falling from ceiling
mountings.
The recalled fans can be identified by looking at the metal nameplates on the
exterior of every Casablanca fan. A recalled fan will have "Casablanca" on the
nameplate. Also, the second letter of the serial number on the name plate will
be A,B,C,O,P,R,S,T,U,V,W,X or Y.
Casablanca has designed a retrofit part to be installed by the consumer to
prevent the fan from falling from its mounting. For more information or to get
the free kit, call 1-800-390-3131.
The company says consumers should stop using the fans and prevent anyone from
walking, standing or sitting below them. If a fan falls, the circuit in which it
is connected should be turned off.
If you have a question or problem, write to The People Helper at The
Times-Picayune, 3800 Howard Ave., New Orleans, La. 70140, or call 821-1727.
Consumer complaints about mail-order companies or local businesses must be in
writing and should include copies, not originals, of the necessary
documentation.
________________________________________________________________________________
January 11, 1994, Tuesday, FINAL EDITION
An Oshawa-area youth has been charged with defrauding the cellular telephone
network run by Rogers Cantel Inc. of $ 500,000 worth of long-distance telephone
calls.
The alleged theft took place last spring and fall, Cantel's director of fraud
and security, Clive Woodrow, said in an interview yesterday.
The suspect cannot be identified because he was less than 17 years old at the
time charges were laid.
The suspect allegedly charged long-distance calls to Cantel customers' phone
numbers by using a computer to gain illegal access to their voice mailboxes and
changing the greetings, Woodrow said.
The greetings were then apparently used to approve calls billed to the Cantel
customers' numbers, Woodrow said.
A small number of customers were affected, he said. Some $ 200,000 worth of
the calls were made to a single Cantel phone number over a 17-day period, he
said.
Cantel blames Bell Canada's new automated long-distance billing service and
is locked in a dispute with Bell over which firm should shoulder the bulk of the
losses.
Since the alleged theft, Cantel has begun offering customers a service that
prevents their cellular telephones from accepting third-party bills, he said.
Long-distance fraud costs North American firms an estimated $ 2 billion a
year, telecommunications consultant Ian Angus said.
Much is conducted by computer hackers who gain illegal access to telephone
networks by figuring out how to break the access codes.
________________________________________________________________________________
September 13, 1993
Hackers warn they'll either be working for you or against you. Can you believe
anything they say?
SCOTT CHASIN is a young man working in what some people insist will be one of
the growth jobs of the 1990s __ cracking and entering computer systems. He has
remarkable qualifications, only some don't appear on his resume. A member of
the Legion of Doom hacker group __ notorious for penetrating and disrupting
telephone company systems __ Chasin, while never convicted, has had his brushes
with the law. He now works full-time managing personal computer networks for
Amoco in Houston.
Chasin claims that since his Legion of Doom days he hasn't done anything
illegal. However, he still spends several hours a night exploring the
computer underground. "I want to keep my hand in what's going on," he
explains. "The technology changes incredibly fast." Chasin has good reason to
stay on top of his game: He moonlights as a computer security consultant, he
says, paid by clients to safeguard their computers from people . . . like he
used to be.
Hackers are generally an annoyance to the business world, burrowing into
corporate databases and leaving taunts __ or worse. In 1992 alone, U.S.
companies were struck with more than $ 2 billion in unauthorized phone bills,
according to Telecommunications Advisors, Inc. Now, however, a more pragmatic
population of hackers is moving into its 20s and 30s. Like most people in that
age group, they are looking for a little job security. Many, like Chasin and
the self-proclaimed dean of hackers, Ian Murphy, say they intend to find it in
the corporate world, preferably in a position that takes advantage of their
unique skills. Whether as industrial spies or as computer security consultants,
hackers say they are entering the work force to do good. Then again, they may
be lying.
Beats slinging hash at McDonald's
There are a number of ways hackers can make money from their trade, and they
seem to be exploring all of them. "These kids don't want to give up hacking to
sling hash at a McDonald's" notes Gail Thackary, a deputy attorney for Maricopa
County, Ariz., who became a well-known hacker-buster with the Philadelphia
district attorney's office in the mid-1980s.
Some hackers hope to become software vendors, selling polished versions of
programs they swap among themselves. One hacker, known as Video Vindicator, is
preparing to distribute a program that scrambles confidential data files __ from
marketing databases to a bookie's accounting records __ making them unreadable
without the appropriate passwordlike code. A second program will help identify
cellular phone transmission frequencies, a product, he notes, that will be of
interest to drug dealers and other dubious characters looking for untappable
phone lines. "I'm hoping to make a couple of million the first year," he says,
without a trace of irony.
Fraud is another way to make hacking pay. Stealing credit card numbers from
credit bureaus and other sources has long been a hacker mainstay. But as credit
bureaus grow more adept at protecting card numbers and hackers' appetites for
equipment and cushy lifestyles grow, other, more lucrative crimes are becoming
attractive. Tapping into bank networks and electronically hijacking money is
one increasingly popular undertaking. Counterfeiting money and negotiable
securities with high-tech photocopying systems is another. "We're seeing the
merging of criminal computer activity with more traditional criminal activity,"
says special agent John Lewis of the Secret Service, which along with the FBI
investigates computer fraud.
Many hackers and some security professionals insist that companies have hired
hackers to go after competitors. "It's absolutely true, and I know it from
first-hand experience," says John O'Leary, director of education for the
Computer Security Institute, San Francisco. "I can't say I've seen a contract,
but I know of a company that has hired a hacker to break in."
The Secret Service's Lewis and supervisory special agent for the FBI's
Economic Crime Unit, Harold Hendershot, both say the threat may be a real one.
"Hackers have probably been hired for this," says Hendershot.
Competitive intelligence consultants comprise one rumored source of
employment for industrial spy-hackers. These small firms are hired by larger
companies to snoop out data on competitors, ostensibly via computer searches of
publicly accessible databases and other legitimate sources. But by all
accounts, some of these companies are hired on a no-questions-asked basis with
the understanding that they'll do whatever it takes to get the goods.
"Competitive intelligence companies are all sleazy; they're brokers for
thieves," says Gary Johnson, senior investigator with the Harris County district
attorney's office in Houston, who is experienced in hacker cases. He says
managers could be buying information stolen by hackers without knowing it or
being only dimly aware of the situation.
Hackers looking for employment opportunities can supposedly turn to the
hacker-operated computer bulletin board services. These services are located
throughout the United States and abroad, and are accessible by anyone with a
computer and modem. Although most of the material posted on the hacker boards
is juvenile blather about sex, computer games and societal ills, many of these
boards have "elite" sections that can be entered only by proving one's hacking
expertise via quizzes, references or phone interviews. It may be here that
hackers get down to business.
PAGE 84
Forbes, September 13, 1993
"If I want information on XYZ Corp., all I have to do is post a note offering
to swap a 359-megabyte hard drive in exchange," says Jim Kates, vice-president
of Stamford, Conn.-based Janus, a computer security firm. Kates has learned how
to bluff his way onto the elite boards and says he sees notes like that "all the
time."
But none of the dozens of hackers, computer security consultants, corporate
information systems managers or law enforcement agents specializing in computer
crime who were interviewed for this article could provide any verifiable
evidence of hacker espionage.
The larger, more established security consultants __ typically attached to
Big Six accounting firms since their services grew out of financial auditing
practices __ downplay the threat. "The mythical overseas hacker going after
companies isn't a big problem," says Alan James, manager of information
technology assurance services for Coopers & Lybrand in Los Angeles. "Generally
speaking, employees accidentally deleting files is a bigger problem." Harry
DeMaio, national marketing director of information protection services for
Deloitte & Touche, Wilton, Conn., contends that his clients are much more
concerned about the accessibility and accuracy of their data than they are about
competitors getting their hands on it. "Defense contractors, credit bureaus,
and toy and cosmetics manufacturers worry about the confidentiality of their
data," he says. "But for most companies it's almost a negligible issue."
Hackers maintain that computer security professionals dismiss the threat of
hired hackers either because they don't realize what's going on in the
computer underground, or because they know they can't protect against it. To
do so, they claim, you need to have been a hacker yourself.
Jekyll or Hyde?
Switching from malicious hacker to hackers' nemesis is a more natural transition
then may at first seem likely. "It's almost a rite of passage to first be
convicted of some computer crime and then try to find work as a computer
security consultant," says Michael Alexander, editor-in-chief of Info-Security
News, a bimonthly magazine for the computer security industry.
Although few hackers are known to have made it as security consultants, those
who dream of being rewarded for shutting down their colleagues can find a role
model of sorts in Ian Murphy. Captain Zap, as Murphy is known on the hacker
bulletin boards, first won a name for himself with his 1981 bust for, among
other things, breaking into the White House's computers.
Murphy claims to be hired on a regular basis to carry out various computer
security chores for corporations. Most notably, he performs penetration tests,
in which he attempts to break into clients' computers to identify their
vulnerabilities to hacker attack. To get his hands on passwords and other
computer documentation, he routinely sifts through dumpsters outside his
clients' buildings, he claims, even going so far as to physically break into
facilities, as he says he did at United Airlines' Saddlebrook, N.J., reservation
center.
Needless to say, getting paid to break into a company's computers without
risk of arrest is a hacker's fantasy, and Murphy loves to lord it over other
hackers. "I'm the only hacker on the planet who's doing this sort of thing," he
says. Adding to his hubris, People magazine ran a flattering profile of him,
and the computer industry trade magazine Information Week put Murphy on the
cover, unquestioningly reporting his self-described exploits and his claimed
earnings of up to $ 500,000 a year. (Murphy repeatedly telephoned to push for
the cover slot of this supplement.)
Murphy is a playfully obnoxious, pudgy 36-year-old who lives with his parents
in their Philadelphia home. His phone conversations are punctuated by shouting
matches with his mother, who becomes particularly riled when her son risks
electrocution by staying on the phone during thunderstorms. (A budding romance
with his Federal Express delivery-woman has kept the twice-divorced digital
swashbuckler out of the home as of late.) At times, Murphy seems to have a
little trouble separating fantasy from reality. He rants about building
battery-powered devices that will wipe out all nearby electronic chips with a
massive electromagnetic pulse. He says his company, IAM/Secure Data Systems, is
being taken public. He brags about a lucrative book deal that never quite
materializes. Murphy also refuses to provide the names of corporations on whose
behalf he has supposedly hacked, claiming he is bound by nondisclosure
agreements. He did participate in a Peat, Marwick & Mitchell-run penetration
test fo the Philadelphia Savings Fund Society (now defunct) in 1986. "Ian
performed in a satisfactory way," says a former partner of Peat, Marwick (not
Peat Marwick KPMG). "But we kept a very close eye on him."
The "backdoor" trick
If Murphy is a role model, it is only for the dishonest hacker who is unsuitable
for security work, fumes prosecutor Thackary. Rumor has it that Murphy has on
occasion sent companies unsolicited information about other hackers along with a
bill. "All that proves is that he's willing to sell out his friends in the
underground," she says. (Murphy denies such marketing tactics and insists he
doesn't turn in other hackers.) Not surprisingly, other law enforcement figures
who have dedicated their careers to shutting down hackers are less than charmed
by the notion of hiring exhackers to provide security. "Have you ever met one
of these kids face-to-face? They're nerds," says Harris County's Johnson.
"Even the mob wouldn't trust them."
But Johnson and Thackary's reaction to Murphy and his fellow
hacker/consultants is mild compared to those of computer security professionals.
When Scott Chasin and some of his Legion of Doom pals, including well-known
hacker Chris Goggans, started up a Houston security consulting firm called
Comsec in 1991, they were excoriated in articles and letters published in the
computer trade press. Chasin claims one prominent security professional
promised to call all of Comsec's prospective clients to warn them off. "How
would you feel if some young guy who knew all the tricks was entering your line
of work?"
Among the tricks hackers use to gain access to a company's computers is
leaving a "backdoor" to the system __ a program or password that allows them to
get back in at a latter time. "What happens if your relationship with a hacker
sours?" asks the Computer Security Institute's O'Leary. "Now you've got
somebody who has the keys to the kingdom and the motivation to do nasty things."
Hackers never truly reform, contends Thackary, especially when they hope to
trade on their expertise. "If they're going to get good information from the
underground on behalf of their clients, they have to be doing something in
return," she says, such as providing information about their employers.
Although hackers don't deny keeping their hands in the game, they claim there
is not conflict. "You don't bite the hand that feeds you," Murphy says.
Such promises, though, smack of extortion: Hire me or I may rip you off. And
not all hackers adhere to even this dubious guarantee. Harris County's Johnson
uncovered a scam in which hackers searched out local corporations whose dial-in
computer systems were protected by easily guessable passwords. They would leave
a harmless virus on the system, contact the company to warn it about a virus
that was "going around" and then offer a free security evaluation. If a company
bit, the hackers would use the evaluation as a cover to gain access to all of
the company's systems and then insert backdoors for later systems raiding.
Clueless "Ken dolls"
Ex-hackers concede their ethics aren't exactly mainstream, but insist they are a
company's best bet. Conventional security consultants, they say, are simply
clueless about how to defend against hackers. "The Big Six accounting firms
send over people dressed to the nines like Ken dolls, with degrees in accounting
and psychology, and they're generally incompetent," sneers Murphy. "While I'm
jumping into dumpsters, they're presenting a report that highly recommends
locking the door to the data center."
Chasin is equally contemptuous of the industry, claiming that one speaker at
a security industry seminar spent several minutes explaining to the audience of
computer security heads how to load software from a disk into a computer. "I
just sat there thinking, 'No wonder it was so easy when we were hacking,'" he
says.
But not all computer security professionals are gray-suit auditor types. A
short, slightly balding man in his 40s with a friendly, soft-spoken air, Peter
Goldis is the establishment's answer to hackers. He travels around the world
breaking into clients' computer systems for $ 6,000 to $ 75,000. The jobs are
often arranged by Coopers & Lybrand, among others, for whom he is a
subcontractor. He carries with him a loose-leaf binder filled with short
programs he has written to bypass the various security procedures implemented on
mainframes. One program, entitled "Get Another User's Password in a Top Secret
Shop," comprises 16 surprisingly simple lines, such as "LA 1,PARMS," that cause
the computer to spit out the passwords of employees who are authorized to
control all the machine's operations. By entering one of these passwords,
Goldis can roam unimpeded throughout the corporate cyberspace.
Sometimes the job takes 20 minutes, other times a few days. Goldis says 56
of his 60 penetration tests have been successful, and those that have failed
were retests for clients that had previously implemented his suggested security
fixes. The ease with which he customarily breaks into systems often shocks his
clients. "I was hired by a corporation in Australia, and within a few hours I
was far enough into their accounting system to start cutting checks," he
recalls. Janus' Jim Kates also performs penetration testing, as do most of the
Big Six firms and even IBM, if pushed.
Though mainstream security professionals tend to downplay penetration testing
as gimmicky, they point out that because legitimate professional can do the job,
there's no need to even consider hiring a hacker. "Why hire a Chris Goggans
when you can hire a Peter Goldis?" asks InfoSecurity News' Alexander.
But it's not clear that Peter Goldis or any other mainstream penetration
testers can really simulate a serious hacker attack. Password cracking is, of
course, where hackers shine. Murphy says he has snuck into executives' offices
after hours dressed as a custodian and prowled through countless trash cans.
Video Vindicator claims he and other hackers have a program that can
automatically break passwords on some systems within 30 minutes by trying every
word in the dictionary at a rate of 10,000 words per second.
Goldis and other security professionals concede that hackers are adept at
breaking through password security. But they claim companies can't learn much
from the experience because some employees will always be careless about keeping
their passwords secret and there will always be ways to sneak into buildings.
Goldis adds that hackers are most skilled at breaching security on PCs and
Unix-based systems, while corporations' most vital data resides on mainframes.
But Murphy, Chasin and other hackers insist they can show companies how to
make themselves invulnerable to password-prowling hackers. In addition, they
say mainframe expertise can be gleaned from readily available sources. Goldis
has himself picked up many of his best tricks from software manuals that
companies were about to discard. At any rate, hackers probably need not worry
about mastering mainframes. Corporations are moving at breakneck speed toward
PC- and Unix-based systems in the form of client/server architectures, which may
place professionals like Goldis and Kates at a disadvantage. Goldis says he's
studying the subject.
If hackers to have an edge, why don't more companies hire them to provide
penetration testing or other security services? Actually, say many hackers,
they do __ they just won't admit it. Besides being generally reluctant to
discuss security problems, corporate computer security managers recognize that
there is nothing to gain, and a lot to lose, by admitting that they hire
hackers. Michigan Bell was inundated with negative publicity when word leaked
out in 1989 that it had hired hacker John Maxfield as a security consultant.
The company now can't put enough distance between itself and the incident. "It
was a poorly conceived idea by one of my ex-bosses," says Craig Granger, current
director of computer security for the phone company. (The ex-boss is now an
ex-employee, Granger adds.) And when Chasin and friends formed Comsec (which
closed its doors last year), Computerworld, a trade publication, quoted Norman
Sutton, a computer manager at high-tech manufacturer Leemah Datacom, as liking
the idea of learning from hackers. Now Sutton refuses to discuss the issue,
except to state that he never employed Comsec or any other hackers.
In any case, companies may be hiring hackers without realizing it. "I'm not
sure I would present my credentials as a hacker if I were applying for a job,"
says Video Vindicator. Scott Chasin didn't; his boss at Amoco found out his
promising young hiree was a nationally known hacker only when he saw Chasin on
NBC's "Dateline" breaking into the network's computers. According to Chasin,
his boss was "tickled." Computer security managers at Exxon might wonder exactly
which possibilities were tickling him.
WHY THE THREAT IS GROWING
Companies now have more reason than ever before to fear hacker espionage, thanks
to a number of trends. Among them:
* GLOBALIZATION The pressures of international competition have spawned the
best-known recent cases of industrial espionage. Earlier this year the CIA
warned 49 U.S. defense contractors that the French government was preparing to
spy on them, prompting the Pentagon to ask Hughes Aircraft, Lockheed and other
aerospace companies not to participate in the Paris Air Show. And four giant
Japanese corporations reportedly bought secret Star Wars computer code in 1990
from a scientist at a hightech defense contractor in California.
Multinational hacking is already part of the picture. German hackers are
known to have attacked NASA databases, and law enforcement officials believe
corporations are fair game. "If I were a developing Eastern European
pharmaceutical company and I wanted a base of information," says Secret Service
special agent John Lewis, "my choices would be to launch a lab program to
develop it or to go somewhere it already existed. One way would be through
computer intrusion." Harold Hendershop, supervisory special agent for the FBI's
Economic Crime Unit, notes that Sweden-based hacker group the Dream Team (best
known for cracking copy protection on commercial and game software and then
distributing the programs on bulletin boards) is becoming increasingly brazen.
Other hackers say the Dream Team has also begun to engage in corporate
espionage; Hendershot doesn't rule out that possibility.
* THE MOVE TO CLIENT/SERVER ARCHITECTURES Companies have traditionally kept most
of their data either on mainframes, which can be guarded with security software,
or on stand-alone PCs, which usually can't be accessed from the outside. But as
client/server architectures become increasingly popular, both barriers are
removed. Servers, which act as data hubs for groups of PCs, typically run the
Unix operating system __ notorious for its lack of mainframe-style security
features and a particular favorite of hackers, many of whom learned their trade
on the Unix-based systems popular at high schools and universities. What's
more, servers often provide dial-in ports; if a hacker reaches such a server, he
or she would be able to access the attached PCs.
* HACKERS' STEEP LEARNING CURVE Law enforcement agents all agree that hacker's
obsession with sharing information via bulletin boards makes them better able to
stay abreast of the latest tricks of the trade and corporate vulnerabilities
than their adversaries. "Hackers use open communications as a weapon against
us," says Jim Kates, vice-president of Stamford, Conn.-based computer security
firm Janus. "Those of us in security don't like to talk about what we find
out."
TIGHTENING YOUR SECURITY
Companies tend to rely heavily on password security to prevent their computer
data from falling into the wrong hands, but hackers are adept at guessing or
stealing passwords. Some additional, often overlooked, ways to protect systems
include the following:
* TURN PCs AND SERVERS OFF AT NIGHT People often let their machines run 24 hours
a day, making them prime targets for after-hours hackers if the machines have
modems or are connected to servers with dial-in ports.
* INSTALL DIAL-BACK PROTECTION These devices allow modems to receive calls but
remain connected only long enough for a caller to enter a password. The device
then hangs up an calls the employee back at a preapproved phone number. To gain
access to a system with dial-back protection, a hacker would have to be at a
location with an approved phone number or reprogram the dial-back device with
his or her own number __ a difficult task.
* DISTRIBUTE ELECTRONIC AUTHENTICATORS TO EMPLOYEES WHO REQUIRE DIAL-IN ACCESS
These card-deck-sized devices generate new passwords every few seconds in sync
with a device attached to the dial-in system; all an employee has to do is type
in the password displayed by the authenticator. Even the cleverest and luckiest
hacker usually requires at least several hundred tries to correctly guess a
password; the authenticator demands that you get it right the first time. And
because the password is constantly changing, it can't be given out or stolen.
* IF A COMPANY MUST RELY ON PASSWORDS, IT SHOULD ENCOURAGE EMPLOYEES TO SELECT
THEM AS FOLLOWS Settle on a familiar phase, such as "Down and out in Beverly
Hills"; then list the first letter of each word, capitalizing just one of them;
finally, add a number to it. The resulting password __ something like "daoiBh6"
__ is easy to remember but difficult to guess, even for hackers equipped with
automated password guessers that try every word in the dictionary forwards and
backwards.
* RUN CONFIDENTIAL DATA FILES THROUGH ENCRYPTION SOFTWARE THAT STORES THEM IN
SCRAMBLED FORM Although this doesn't make files any harder for hackers to steal,
they won't be able to make sense of them if they do.
THE PROS AND CONS OF HIRING HACKERS
PROS
* Hackers will usually know the latest tricks other hackers are using to break
into systems and thus will be able to suggest ways to foil them.
* Hackers may be able to pick up advance notice of hacker attacks via
underground contacts or hacker bulletin boards.
* Unlike conventional computer security professionals, hackers are particularly
adept at dealing with PCs and Unix-based servers, which are increasingly where
the action is.
* Hackers can provide penetration tests as realistic as clients are likely to
want.
* Top-notch hackers can offer complete security evaluations __ including
remedies __ for a fraction of the cost of a Big Six accounting firm.
CONS
* Reformed hackers may not be completely reformed. Whether from habit or
paranoia, they could be tempted to leave "backdoors" in your systems that would
allow them to break in at a later date. Consequently, if your relationship
sours or they grow weary of being corporate players, your systems are sitting
ducks. Alternatively, hired hackers may offer information about your systems to
their cohorts in exchange for other information.
* Hackers don't like to turn in other hackers. A hired hacker might help
prevent a hacker attack but leave the attacker free to pry again.
* Hackers usually don't have enough assets to make lawsuits worthwhile, nor is
it likely they will be insured or bonded. Thus, companies shafted by hired
hackers are left little recourse for compensation.
* Most hackers don't know how to fit into the corporate scene. They may offend
managers and other employees with arrogant and juvenile attitudes. And they
might take it upon themselves to perform various acts of simulated theft or
sabotage, ostensibly to raise awareness but needlessly inconveniencing and even
frightening people in the process.
________________________________________________________________________________
January 19, 1994, Wednesday, BC cycle
Attorney General Janet Reno urged U.S. attorneys Wednesday to crack down on
street violence, seeking maximum prison time for career criminals.
"Many people estimate that 10 percent of the criminals commit 40 percent of
the crime," she told a U.S. Attorneys' National Conference.
"We need to identify those 10 percent in your communities, those violent
career criminals, and working with local prosecutors ... (get) the longest
possible sentence that will be a sentence actually served.
"If we can take them to federal court and get them off our streets, let's do
it in every possible way we can."
She urged each of the U.S. attorneys from across the country to undertake
violent crime initiatives, appointing specialists or combining with other U.S.
attorneys in a region to carry out programs to get violent criminals off
streets.
If local police or city prosecutors have taken an effective lead, follow them
and don't worry about who gets credit, she told the federal prosecuting
attorneys.
"We need to develop a plan to use all of our resources," she said.
Reno said prosecution of all other kinds of crime remained as important as
ever, listing everything from organized crime and drug smuggling to problems on
Indian reservations.
She also said technology crime, including young computer hackers disrupting
major corporations for fun, will reshape U.S. attorneys' future case loads.
________________________________________________________________________________
January 18, 1994, Tuesday
A Menlo Park man awaiting trial in San Jose federal court, in the first
espionage case against an alleged computer hacker, will be transferred to Los
Angeles to stand trial first on separate charges, a government prosecutor said.
Kevin Lee Poulsen, charged in a 14-count indictment with illegal possession
of a computer tape containing classified military information, will face charges
in Los Angeles that he used his hacking skills to rig radio call-in contests.
Meanwhile, a government appeal of a recent ruling in the espionage case is
pending in the Ninth Circuit U.S. Court of Appeals.
U.S. District Court Judge Ronald Whyte denied Poulsen's motion to be released
on his own recognizance at a Friday bail hearing.
The government two weeks ago appealed a ruling by Whyte suppressing evidence
taken in 1988 from computer tapes found in a Menlo Park storage locker rented by
Poulsen. Whyte found police had conducted a warrantless search of the facility.
A dispute over whether the suppression ruling knocked out a key espionage
charge was not resolved at Friday's hearing. But Whyte said that it appeared
that the tape on which the spying charge was based has come from the storage
locker. Poulsen's attorney, Paul Meltzer of Santa Cruz Meltzer & Leeming, said
that lose of the espionage charge has essentially gutted the government's case
against Poulsen.
But Assistant U.S. Attorney Robert Crowe has maintained that the crucial tape
containing classified Air Force information came from a subsequent search of
that he may seek a separate evidentiary hearing on the issue, if the government
appeal is unsuccessful.
Poulsen faces up to 85 years in prison in convicted on all charges in the
Northern California case and up to 100 years and $ 4 million in fines in the Los
Angeles case.
________________________________________________________________________________
January 18, 1994, Tuesday
A Menlo Park man awaiting trial in San Jose federal court, in the first
espionage case against an alleged computer hacker, will be transferred to Los
Angeles to stand trial first on separate charges, a government prosecutor said.
Kevin Lee Poulsen, charged in a 14-count indictment with illegal possession
of a computer tape containing classified military information, will face charges
in Los Angeles that he used his hacking skills to rig radio call-in contests.
Meanwhile, a government appeal of a recent ruling in the espionage case is
pending in the Ninth Circuit U.S. Court of Appeals.
U.S. District Court Judge Ronald Whyte denied Poulsen's motion to be released
on his own recognizance at a Friday bail hearing.
The government two weeks ago appealed a ruling by Whyte suppressing evidence
taken in 1988 from computer tapes found in a Menlo Park storage locker rented by
Poulsen. Whyte found police had conducted a warrantless search of the facility.
A dispute over whether the suppression ruling knocked out a key espionage
charge was not resolved at Friday's hearing. But Whyte said that it appeared
that the tape on which the spying charge was based has come from the storage
locker. Poulsen's attorney, Paul Meltzer of Santa Cruz Meltzer & Leeming, said
that lose of the espionage charge has essentially gutted the government's case
against Poulsen.
But Assistant U.S. Attorney Robert Crowe has maintained that the crucial tape
containing classified Air Force information came from a subsequent search of
that he may seek a separate evidentiary hearing on the issue, if the government
appeal is unsuccessful.
Poulsen faces up to 85 years in prison in convicted on all charges in the
Northern California case and up to 100 years and $ 4 million in fines in the Los
Angeles case.
-----BEGIN PGP SIGNATURE-----
Version: 2.2
iQCVAgUBLfmns00EOTLgG0HDAQGZKwP/UmUmrkR+IOjVqN83ddVKTTuiRWyBJkcK
EauupKYiVCloKaAE+16Kzg2Lk6eMPwnU29H7vT3v8eNAnp0Ply0HH3bODVVbZkG2
frKAbM3xbz0RBeSiVoW863BiGtISQwCOGoA5bWOpSR2Qm6ueXl7Xo5a5inybsZA4
0cSlmOmJop8=
=yJu0
-----END PGP SIGNATURE-----
