                              ==Phrack Inc.==

                Volume Four, Issue Thirty-Eight, File 15 of 15

              PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
              PWN                                                         PWN
              PWN                  Phrack World News                      PWN
              PWN                                                         PWN
              PWN          Issue XXXVIII / Part Three of Three            PWN
              PWN                                                         PWN
              PWN            Compiled by Dispater & Friends               PWN
              PWN                                                         PWN
              PWN          Special Thanks to Datastream Cowboy            PWN
              PWN                                                         PWN
              PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN

CFP-2: Sterling Speaks For "The Unspeakable"                     March 25, 1992
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
By Barbara E. McMullen & John F. McMullen (Newsbytes)

WASHINGTON, D.C. -- Bruce Sterling, the prime luncheon speaker at the 2nd Annual
Conference On Computers, Freedom & Privacy (CFP-2), fulfilled his program billing
as "Speaking for the Unspeakable" by taking on three separate personae and
delivering what might have been their messages.  Sterling, best known as a
science fiction writer, spoke for three characters, a "malicious hacker," a
Latin American police official, and a Hong Kong businessman, who were, in his
words, "too venal, violent, treacherous, power-mad, suspicious, or mean-spirited
to receive (or accept) an invitation to attend."

Sterling began his speech by introducing himself and then saying, "When the CFP
committee asked me if I might recommend someone to speak here at CFP-2, I had an
immediate candidate.  I thought it would be great if we could all hear from a
guy who's been known as Sergei.  Sergei was the KGB agent runner for the Chaos
Computer Club group who broke into Cliff Stoll's computer in the famous Cuckoo's
Egg case.  Now Sergei is described as a stocky bearded Russian espionage
professional in his mid-40s.  He's married, has kids and his hobby is fishing,
in more senses than one, apparently.  Sergei used to operate out of East Berlin,
and, as far as I personally know, Sergei's operation was the world's first and
only actual no-kidding, real-life case of international computer espionage.
So I figured -- why not send Yeltsin a fax and offer Sergei some hard currency;
things are pretty lean over at KGB First Directorate these days.  CFP could have
flown this guy in from Moscow on a travel scholarship and I'm sure that a speech
from Sergei would be far more interesting than anything I'm likely to offer
here.  My proposal wasn't taken up and instead I was asked to speak here myself.
Too bad!

"This struck me as rather a bad precedent for CFP, which has struggled hard to
maintain a broad universality of taste.  Whereas you're apparently willing to
tolerate science fiction writers, already certain members of the computer
community, KGB agents, are being quietly placed beyond the pale.  But you know,
ladies and gentlemen, just because you ignore someone doesn't mean that person
ceases to exist -- and you've not converted someone's beliefs merely because you
won't listen.  But instead of Comrade Sergei, here I am -- and I am a science
fiction writer and, because of that, I rejoice in a complete lack of any kind of
credibility!

"Today I hope to make the best of that anomalous position.  Like other kinds of
court jesters, science fiction writers are sometimes allowed to speak certain
kinds of unspeakable truth, if only as apparent parody or metaphor.  So today,
ladies and gentlemen, I will exercise my inalienable civil rights as a science
fiction writer to speak up on behalf of the excluded and the incredible.  In
fact, I plan to abuse my talents as a writer of fiction to actually recreate
some of these excluded, incredible, unspeakable people for you and to have them
address you today.  I want these people, three of them, to each briefly address
this group just as if they were legitimately invited here and just as if they
could truly speak their mind right here in public without being arrested."
Sterling then went on to assure the crowd that he was not speaking his personal
convictions, only those of his characters, and warned the group that some of the
material might be offensive.  He then launched into the delivery of his
characters' speeches -- speeches which had the hacker talking about real damage
-- "the derailing of trains"; the Latin police official, a friend and admirer of
Noriega, discussing the proper way of dealing with hackers; and the businessman
explaining why, in the age of high speed copiers, laser printers and diskette
copying devices, the US copyright laws are irrelevant.

Often interrupted by laughter and applause, Sterling received a standing ovation
at the conclusion of the speech.  Computer Press Association newsletter editor
Barbara McMullen was overheard telling Sterling that he had replaced "Alan Kay
as her favorite luncheon speaker," while conference chair Lance Hoffman, who had
received an advance copy of the speech a few weeks before, described the speech
as "incredible and tremendous".

Sterling, relaxing after the talk with a glass of Jack Daniels, told Newsbytes
that the speech had been fun but a strain, adding, "Next time they'll really
have to get Sergei.  I'm going back to fiction."

Sterling's non-fiction work on computer crime, "The Hacker Crackdown," is due
out from Bantam in the fall and an audio tape of the CFP-2 speech is available
from Audio Archives.  He is the author of "Islands In The Net" and is the
co-author, with William Gibson, of the presently best-selling "The Difference
Engine."

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The Bruce Sterling luncheon video tape is now available, sizzling, and
affordable to Phrack readers.

$19.95 + $4 (shipping and handling)

Call now: (800)235-4922

or

CFP Video Library Project
P.O. Box 912
Topanga, CA 90290

Tell them you heard about it from The WELL and you'll get the above price.
_______________________________________________________________________________

CFP-2 Features Role-Playing FBI Scenario                         March 25, 1992
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
By Barbara E. McMullen (Newsbytes)

WASHINGTON, D.C. -- As part of the "Birds-of-a-Feather" (BOF) sessions featured
at the 2nd Conference on Computers, Freedom & Privacy (CFP-2), FBI Agent J.
Michael Gibbons, acting as a live gamemaster, orchestrated the play-acting of an
investigation by federal agents into allegations of computer intrusion and
criminal activity.

The scenario, set up by Gibbons to show the difficulties faced by investigators
in balancing the conduct of an investigation against the protection of the
rights of the individual under investigation, was acted out with non-law
enforcement officials cast in the role of investigators; New York State Police
Senior Investigator Donald Delaney as "Doctor Doom," the suspected ringleader of
the computer criminals; Newsbytes New York Bureau Chief John McMullen as a
magistrate responsible for considering the investigators' request for a search
warrant; and author Bruce Sterling as a neighbor and possible cohort of Doctor
Doom.

Gibbons, in his role of Gamemaster, regularly interrupted the action to involve
the audience in a discussion of what the appropriate next step in the scenario
would be -- "Do you visit the suspect or get a search warrant, or visit his
school or employer to obtain more information?  Do you take books in the search
and seizure?  Printers?  Monitors?  etc."  During the discussion with the
audience, points of law were clarified by Mike Godwin, Electronic Frontier
Foundation in-house counsel, and Alameda County Assistant District Attorney
Donald Ingraham.

The role-playing session immediately followed a BOF panel, "Hackers: Why Don't
They Understand," which attempted to present a hacker view of on-line ethics.
The panel, moderated by McMullen, was composed of Steven Levy, MacWorld
columnist and author of "Hackers"; Dorothy Denning, Chair of Computer Science
at Georgetown University; Glenn Tenney, California Congressional candidate and
chair of the annual "Hacker's Conference"; Craig Neidorf, defendant in a
controversial case involving the electronic publishing of a stolen document;
"Dispater," the publisher of the electronic publication "Phrack"; Emmanuel
Goldstein, editor and publisher of "2600: The Hacker Quarterly"; and hacker
"Phiber Optik."

During the panel discussion, Levy, Denning and Tenney discussed the roots of the
activities that we now refer to as hacking; Goldstein and Dispater described
what they understood as hacking and asked for an end to what they see as
overreaction by the law enforcement community; Neidorf discussed the case
which, although dropped by the government, has left him over $50,000 in debt;
and Phiber Optik described the details of two searches and seizures of his
computer equipment and his 1991 arrest by Delaney.

In Neidorf's talk, he called attention to the methods used in valuing the stolen
document that he published at $78,000.  He said that it came out after the trial
that the $78,000 included the full value of the laser printer on which it was
printed, the cost of the word processing system used in its production and the
cost of the workstation on which it was entered.  Neidorf's claims were
substantiated by EFF counsel Godwin, whose filing of a motion in the Steve
Jackson case caused the release of papers including the one referred to by
Neidorf.  Godwin also pointed out that it was the disclosure by interested party
John Nagle that the document, valued at $78,000, was obtainable in a book priced
at under $20.00 that led to the dropping of the charges by the US Attorney's
office.
SRI security consultant Donn Parker, one of the many in the audience to
participate, admonished Phiber and other hackers to use their demonstrated
talents constructively and to complete an education that will prepare them for
employment in the computer industry.  Another audience member, Charles Conn,
described his feeling of exhilaration when, as a 12-year-old, he "hacked" into a
computer at a local Kentucky Fried Chicken.  Conn said, "It was wonderful.  It
was like a drug.  I just wanted to explore more and more."

Parker later told Newsbytes that he thought that it was a mistake to put hackers
such as Phiber Optik and those like Craig Neidorf who glorify hackers on a
panel.  Parker said, "Putting them on a panel glorifies them to other hackers
and makes the problem worse."

The Birds-of-a-Feather sessions were designed to provide an opportunity for
discussions of topics that were not a part of the formal CFP-2 program.
_______________________________________________________________________________

Computer Revenge A Growing Threat                                 March 9, 1992
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
By Tom Steinert-Threlkeld (Dallas Morning News)
Article in the Chicago Tribune, Page C3

The "downsizing" of corporate America is not only making companies lean and
mean.  It's doing the same thing to employees losing their jobs, said Thomas F.
Ellis, a partner in Arthur Andersen & Co.'s Computer Risk Management Services.
He looks at the latest form of revenge by employee against former employer.

Fraud, embezzlement and theft of secrets are no longer the only forms of
frustrated payback.  The calling card in the digital age is computer sabotage.

It's an invisible epidemic that corporations don't like to talk about while
they're trying to convince banks and creditors they are becoming more efficient
by downsizing, said Ellis and William Hugh Murray, information systems security
consultant to Deloitte & Touche, another of the Big Six accounting firms.

"A lot of the business trends in the U.S.
are really threatening data security," said Sanford M. Sherizen, a Natick,
Massachusetts computer security consultant.  "Corporations are paying a huge
price for it," without disclosing it.

The downsizing has led to inadequate attention to security precautions, argues
Sherizen.  The underlying trend: Fewer and fewer people are being given more
and more responsibility for information systems.  That breeds opportunity for
revenge, said Sherizen.

No longer does only the supposedly misfit hacker, gulping down Cokes and Fritos
in the middle of the night, merit watching.  Sherizen's worldwide set of clients
have found that the middle manager wearing the white shirt and tie in the middle
of the day also deserves scrutiny, he says.  Those managers, if mistreated, find
it inviting to strike back creatively.

The VTOC, for example.  This is jargon for the Volume Table of Contents, the
directory a mainframe maintains on each disk volume to keep track of where
programs and data are stored.  A large Andersen client was paralyzed recently
when a VTOC in its information system was scrambled by a downsizing victim,
Ellis said.

"If you destroy the VTOC in a mainframe system, then you destroy the computer's
ability to go out and find programs and data, so you can pretty effectively
devastate a computer installation by destroying the VTOC, without ever touching
the programs and data," he said.

But those bent on revenge are not above leaving time bombs in computer systems
that will go off after their departure, destroying programs and data.  They also
are appropriating information from magnetic storage and selling it at hefty
prices in the burgeoning field known euphemistically as "commercial business
intelligence," said Sherizen.

Most companies hush up these cases, because they fear copycat avengers will
strike when their vulnerability is exposed.  They also don't like to be publicly
embarrassed, the security experts say.

Technical safeguards don't hold a candle to human safeguards, said Murray.
The best way to protect against sabotage is to prevent disaffection in the first
place.  Treat as well as possible those who are being fired.  Compensate fairly
those who are staying.  Show appreciation, day in and day out.  Most revenge is
slow to boil and comes from employees who finally conclude that their
contributions are going unrecognized, said Murray.

"Saying 'please' and 'thank you' are an incredibly important control" against
sabotage, he said.
_______________________________________________________________________________

Computer Crime Problem Highlighted                                March 9, 1992
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
By Oscar Rojo (Toronto Star)(Page B3)

With the growing corporate dependence on computers, "information crimes" have
become easier to commit but harder to detect, says a Toronto-based security
company.

"Electronic intrusion is probably the most serious threat to companies that rely
on computerized information systems," Intercon Security Ltd. says in its
Allpoints publication.

Allpoints cited a study of 900 businesses and law enforcement agencies in
Florida showing that one in four businesses had been the victim of some form of
computer crime.

"While most of the media attention has focused on 'hackers,' individuals who
deliberately and maliciously try to disrupt business and government systems,
one estimate indicates that 75 per cent plus of electronic intrusion crimes may
be 'insider attacks' by disgruntled employees," the publication said.

In Intercon's experience, vice-president Richard Chenoweth said, the company is
as likely to find a corporate crime committed by a disgruntled employee as one
perpetrated by an outsider.

Intercon said the technology exists to guard against most electronic intrusions.
"The problem is that many information managers still don't believe there is a
risk, so they are not making the best possible use of what is available."
_______________________________________________________________________________

Criminals Move Into Cyberspace                                    April 3, 1992
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
By Mick Hurrell (The Times)(Features Section)

The hacker and the virus programmer embodied the popular notion of computer
crime in the 1980s, and they are still the most widely known criminal acts in
computer technology.  The advent of new technologies over the past decade has
created a whole new casebook of serious crimes, but they have yet to gain the
notoriety of computer viruses such as Friday 13th or Michelangelo.

More than 3,000 computer crimes around the world in the past 20 years have now
been documented by SRI International (SRII), a Californian information security
consultancy.  They include attempted murder, fraud, theft, sabotage, espionage,
extortion, conspiracy and ransom collection.

Against this disturbing background, Donn Parker, SRII's senior international
security consultant, is telling businesses they will be under increasing attack
from sophisticated criminals using computer technology and from others intent
on causing disruption.

"New technology brings new opportunities for crime," he says.  "We must
anticipate future types of crime in our security efforts before they become
serious problems."

His prospective list ranges from the annoying to the fraudulent, and includes
small computer theft, desktop forgery, digital imaging piracy, voice and
electronic mail terrorism, fax graffiti attacks, electronic data interchange
fraud, and placement of unauthorized equipment in networks.

Some of these crimes are more obvious than others.  The advanced digital imaging
systems now being used in the television and film industry to create
spectacular special effects, for example, could become a new target for crime.
As digital imaging can alter video images seamlessly, the possibilities for
sophisticated fraud are numerous.

The theft of small computers and components has already increased.
"I think it will be worse than the typewriter theft problem of the 1970s and
1980s," Mr. Parker says.  "We are now teaching information-security people that
they have to learn how to protect small objects of high value.  The content of
the computers could be more valuable than the hardware itself.

"I do not think the criminal community is yet aware of a computer's value other
than on the used equipment market, but ultimately some are going to figure out
that the contents, the data, are more valuable, which could lead to information
being used for extortion."

Desktop forgery is another crime that looks certain to boom and plague
businesses of all types.  Desktop publishing software, combined with the latest
color laser printers and photocopiers, is proving an ideal forger's tool.  Gone
is the dingy cellar with printing plates and press: Forgers can work from
comfortable offices or their own homes and produce more accurate fakes than
ever before.

Original documents can be fed into a computer using a scanner, then subtly
altered before being printed out.  Business documents such as purchase orders
and invoices are obvious targets for the forgers, as are checks.  The quality of
a forgery is now limited only by the paper on which it is printed.  Mr. Parker
says: "As the technology gets cheaper and more available, this is something
that could flourish."

But although many of these new forms of computer crime bring with them the
possibility of increased business losses, one threat overshadows them all.
"The big security issues are going to involve networks and the connection of
computers to many others outside an organization," says Rod Perry, a partner
with Coopers & Lybrand Deloitte, the consultants.

The fear is that sophisticated criminals will take advantage of a clash between
the desire for system flexibility and the constraints necessarily imposed by
security.  Mr. Perry adds: "The business need is paramount, and people will
accept the risk up to a point."
Networks are attractive because they allow information to be easily transferred
between users, and give free and easy access to data bases from many locations
within an organization that can extend across countries and continents.  Making
them secure against interference from both outside and within is difficult.

Mr. Parker says: "Today's microcomputers and local and global networks have left
information security far behind.  We are dealing with what we call cyberspace.
We are connecting our networks so that we now have a single worldwide network of
data communications.

"We have inadvertently freed the criminal from proximity to the crime.  A
criminal can be anywhere in the world, enter cyberspace by computer, and commit
a crime anywhere else.  The criminal is free to choose the jurisdiction from
which he works, to minimize the punishment if he gets caught."

The great concern, he says, is if technological advances result in an "anarchy
of conflicting security efforts.  Consistent security practices should be
applied uniformly as well as globally.

"When organizations in different countries with different national laws,
different ways of valuing information assets, and different national ethical
customs, use equipment from different manufacturers in their networks, they face
the problem of matching their levels of security.  They use the lowest common
denominator, which in some instances may be practically non-existent."

Some computer security consultants believe that network security headaches will
involve some restriction in how networks are used.  All agree that passwords no
longer offer an appropriate form of security.

Professor Roger Needham, of the University of Cambridge computing laboratory,
says: "At the moment, there is a lot of shoddy computer use, but it will become
more usual to take security seriously.
In the world of doing business with paper, there are a tremendous number of
rules of practice and conduct that are second nature; security procedures in
the electronic medium will also have to become second nature."

SRII is developing software for what it says will be the world's most
sophisticated detection system, designed to identify criminal users as they
commit their crime.  Called IDES (Intrusion Detection Expert System), it works
on the basis that a system intruder is likely to show a different behavior
pattern from that of a legitimate user.

IDES is programmed with a set of algorithms that build up profiles of how
particular employees typically use the system.  It can then inform the company's
security division if it identifies any significant deviation.  IDES also
monitors the whole system for failed log-in attempts and the amount of processor
time being used, and compares this with historical averages.  A future
refinement will allow the system to profile groups of subjects so that it can
tell, for example, when a secretary is not behaving like a "typical" secretary.

Business crime and computer crime will increasingly become one and the same,
Mr. Parker says.  Security will be increasingly built in to systems and
"transparent" to the user.  "I think the overall loss to business from computer
crime will decrease," he says.  "But the loss per incident will increase because
the risks and the potential gains will be greater."
_______________________________________________________________________________

PWN QuickNotes
~~~~~~~~~~~~~~

1.  New Law Enforcement Bulletin Board (Government Technology, January 1992,
    Page 17) -- St. Paul, Minnesota -- The International Association of Chiefs
    of Police (IACP) and LOGIN Information Services have announced IACP NET, a
    new computer network that will link law enforcement professionals
    nationwide.
    The network uses advanced computer capabilities to foster and empower
    IACP's belief that strength through cooperation is the key to the success
    of law enforcement endeavors.  Communications services will be the
    interaction focus.  An electronic mail feature allows private messaging
    among IACP NET members.  Exchange of ideas will be encouraged and
    facilitated through electronic bulletin boards on general subject areas
    and computer conferencing on specific topics.  Anchoring the communications
    service is the Quest-Response Service, a service created and proven
    successful by LOGIN that allows members to post and respond to requests
    for information in a formatted and accessible manner.
_______________________________________________________________________________

2.  ATMs Gobble Bankcards In Colorado (Denver Post, February 19, 1992) -- About
    1,000 Colorado ATM users had their Visas and Mastercards abruptly
    terminated in February by an out-of-control computer system.  For 90
    minutes during the Presidents' Day weekend, the Rocky Mountain Bankcard
    System software told ATMs around the state to eat the cards instead of
    dishing out cash or taking deposits.  The "once-in-a-decade" glitch went
    unnoticed because it occurred as programmers were patching in a correction
    to a different problem.  The company is rushing new plastic and letters of
    apology to customers who got terminated.
_______________________________________________________________________________

3.  Minister Denies Hackers Tampered With Licence Records (Chris Moncrieff,
    Press Association, January 27, 1992) -- Allegations that computer experts
    hacked into the records of the Driver and Vehicle Licensing Agency in
    Swansea are without substance and are to be retracted, Roads and Traffic
    Minister Christopher Chope said.
    He was responding in a Commons written reply to Donald Anderson (Lab,
    Swansea East), who had asked what investigations had been made following a
    report that hackers had been able to erase driving convictions from DVLA
    computer files.

    Mr. Chope said, "The Agency has discussed the recent allegations about
    unauthorized access to its computer records with the author of the original
    Police Review article, who has confirmed that there is no substance to
    them.  The author has agreed to retract the allegations in his next
    article."

    Mr. Anderson commented, "The importance of this reply is that it underlines
    the integrity of the system of driver-licence records held in Swansea in
    spite of the allegations."
_______________________________________________________________________________

4.  Software Virus Found At INTEL (New York Times News Service, March 3, 1992)
    -- Intel Corporation said it had stopped shipping a computer network
    software program because some units were found to be infected with the
    "Michelangelo" virus, a program that infects IBM and compatible personal
    computers and can potentially destroy data.

    A division of Intel in Hillsboro, Oregon, said it had shipped more than 800
    copies of the program, called LANSpool 3.01, which inadvertently contained
    the virus.  The virus is designed to activate on March 6, Michelangelo's
    birthday, and can erase data and programs if it is not detected with
    antiviral software.  The company said it had checked its software with a
    virus-scanning program before shipping it, but that the scanner had failed
    to detect the virus.

    A number of computer makers and software publishers have issued similar
    alerts about the Michelangelo program and a variety of companies are now
    offering free software to check for the virus.  There are more than 1,000
    known software viruses that can copy themselves from computer to computer
    by attaching to programs and files.
_______________________________________________________________________________

5.
Army Wants Virii (Bulletin of the Atomic Scientists, December 1991, Page 5)

    "Attention Hackers, Uncle Sam Wants You!"  The U.S. Army has caught the
    computer virus bug and is now expanding its interest in germ warfare to
    include electronic germs.  The Army Center for Signal Warfare is soliciting
    proposals for the development of a "weaponized virus" or a piece of
    "malicious software" that could destroy an enemy's computers or software
    (_Technology Review_, October 1991).  As project engineer Bob Hein
    explained, "This is the army.  We're in the weapons business."

    Hein said the army first became interested in the potential of computer
    viruses as offensive weapons after Myron Cramer's 1989 article in _Defense
    Electronics_ suggested that computer viruses offered "a new class of
    electronic warfare."  But Gary Chapman, director of Computer Professionals
    for Social Responsibility, thinks it is more likely that the army's
    interest was piqued by a French science fiction novel, _Soft War_,
    describing army infiltration of Soviet computers.

    Chapman, who called the army's plan to design killer computer viruses a
    "stupid policy," said that any viruses the army comes up with are more
    likely to paralyze the heavily networked U.S. computer system than to
    infiltrate enemy computers.  Hein insisted that the army will develop only
    controllable and predictable bugs that will not threaten U.S. computer
    users.  Chapman pointed out that, like the biological agents they are named
    for, computer viruses are, by their very nature, uncontrollable.
_______________________________________________________________________________

6.  BellSouth's MobilComm and Swiss watchmaker Swatch said they will form a
    joint venture to market a wristwatch pager.  The watch will cost about $200
    and will be sold in department stores.  It will bear the name "Piepser,"
    the German word for "beeper," and will use 4 tones to signal the wearer.
    Each signal is activated by a telephone number that the owner assigns.
    In the 4th quarter of the year, Swatch said, it plans to introduce a model
    that can display telephone numbers.  (Source: Communications Daily, March
    5, 1992, Page 4)
_______________________________________________________________________________

7.  U.S. District Judge Harold Greene denied several new motions by Nynex in a
    criminal case being brought by the Justice Department, charging the phone
    company with violating the MFJ (Modified Final Judgment) through its
    subsidiary Telco Research.  The government also filed a new motion of its
    own, later denied, requesting Greene to hold a pretrial hearing to look
    into "actual or potential conflicts of interest" resulting from individuals
    to be called as witnesses for the prosecution being represented by Nynex's
    law firm, Davis, Polk & Wardwell.  DoJ said: "It appears that Davis, Polk
    represents present and former employees of Nynex in addition to the
    corporation."  Nynex issued a statement saying it's "confident" that the
    trial would "confirm to our customers," shareholders, and the public that
    it has fully met its responsibilities under the MFJ.  Greene, having
    dismissed the Nynex motions, set an April 6 trial date.  (Communications
    Daily, March 24, 1992, Page 5)
_______________________________________________________________________________

8.  US West has formed a subsidiary, US West Enhanced Services, which has
    launched its first product, Fax Mail.  The subsidiary will develop other
    products for the enhanced-services market, including voice, fax and data
    applications, the company said.  Test marketing of Fax Mail was conducted
    in Boise and the product was introduced in Denver.  US West described its
    new product as "voice mail for faxes," in that it stores incoming faxes
    until the subscriber calls in and instructs the service to print the
    waiting fax.  Each Fax Mail subscriber is supplied with a personal fax
    telephone number.  When a fax is received, Fax Mail can notify the
    subscriber automatically by depositing a message in voice mail or beeping
    a pager.
    The service costs $19.95 per month, US West said.  (Communications Daily,
    March 24, 1992, Page 6)
_______________________________________________________________________________

9.  Hacker Insurance -- Worried about the integrity of your bank's data
    network?  Relax.  Commercial banks and other depository institutions can
    now obtain up to $50 million in coverage for losses due to computer-related
    crime.  A new policy from Aetna Casualty and Surety Co. offers insurance
    against computer viruses, software piracy, and toll-call fraud, among other
    high-tech rip-offs.  The Hartford, Connecticut insurer will also cover
    liabilities due to service bureau and communications failures with Aetna
    Coverage for Computer and Electronic Network Technology.  Paul A. Healy,
    VP of Aetna's fidelity bond unit, says "the policy will help institutions
    manage the risk associated with the changing technology."  (Information
    Week, March 30, 1992, Page 16)
_______________________________________________________________________________
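Editor's worked example.  The IDES description in the "Criminals Move Into
Cyberspace" article above gives the shape of a statistical anomaly detector:
a per-subject profile of normal use, a deviation score against that profile,
system-wide checks on failed log-ins and processor time, and a planned
refinement that profiles groups of subjects (the "typical secretary").  What
follows is an added example written for this page; it is not SRI's code and
not IDES itself.  It builds per-user and per-role baselines from constructed
audit records and flags a new record when any feature lies more than a chosen
number of standard deviations from the baseline.  The record layout (login
hour, CPU seconds, failed log-ins), the role map, the thresholds and the
minimum-history rule are all assumptions made for the example.

```python
# Added example for this page, not code from SRI or from IDES: a toy
# behavioural profiler in the spirit of the IDES description.  Record
# layout, features, role map, thresholds and the minimum-history rule
# are assumptions made for the example.
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

FEATURES = ("login_hour", "cpu_seconds", "failed_logins")

# Constructed audit records: (subject, login_hour, cpu_seconds, failed_logins).
HISTORY = [
    ("alice", 9, 120, 0), ("alice", 8, 95, 0), ("alice", 10, 140, 1),
    ("alice", 9, 110, 0), ("alice", 9, 130, 0), ("alice", 8, 100, 0),
    ("bob", 14, 3000, 0), ("bob", 13, 2800, 0), ("bob", 15, 3300, 1),
    ("bob", 14, 2900, 0), ("bob", 14, 3100, 0), ("bob", 13, 3050, 0),
]

# Assumed role map, for the group-profile refinement the article mentions.
ROLE = {"alice": "secretary", "bob": "analyst", "carol": "secretary"}

MIN_HISTORY = 5      # do not judge a subject with fewer records than this
Z_THRESHOLD = 3.0    # flag when any feature is more than 3 sigma from the mean
# Floor on the standard deviation so a feature that never varied in the
# history neither divides by zero nor makes every small change an alarm.
MIN_STDEV = {"login_hour": 1.0, "cpu_seconds": 50.0, "failed_logins": 1.0}


@dataclass
class Profile:
    n: int          # number of records the profile was built from
    means: dict     # feature -> mean
    stdevs: dict    # feature -> floored population standard deviation


def build_profiles(records):
    """Per-subject mean and (floored) standard deviation of each feature."""
    rows_by_subject = defaultdict(list)
    for subject, *values in records:
        rows_by_subject[subject].append(dict(zip(FEATURES, values)))
    profiles = {}
    for subject, rows in rows_by_subject.items():
        means = {f: mean([r[f] for r in rows]) for f in FEATURES}
        stdevs = {f: max(pstdev([r[f] for r in rows]), MIN_STDEV[f])
                  for f in FEATURES}
        profiles[subject] = Profile(len(rows), means, stdevs)
    return profiles


def build_group_profiles(records, role_of):
    """Same statistics, keyed by role instead of by individual subject."""
    return build_profiles([(role_of[s], *values) for s, *values in records])


def score(profile, record):
    """z-score of each feature of one record against a profile."""
    return {f: (record[f] - profile.means[f]) / profile.stdevs[f]
            for f in FEATURES}


def assess(profiles, subject, login_hour, cpu_seconds, failed_logins):
    """Return (verdict, deviant_features).

    verdict is 'unknown' (no usable profile), 'normal' or 'anomalous';
    deviant_features maps each flagged feature to its rounded z-score.
    """
    profile = profiles.get(subject)
    if profile is None or profile.n < MIN_HISTORY:
        return "unknown", {}
    record = {"login_hour": login_hour, "cpu_seconds": cpu_seconds,
              "failed_logins": failed_logins}
    z = score(profile, record)
    deviant = {f: round(v, 2) for f, v in z.items() if abs(v) > Z_THRESHOLD}
    return ("anomalous" if deviant else "normal"), deviant


if __name__ == "__main__":
    users = build_profiles(HISTORY)
    groups = build_group_profiles(HISTORY, ROLE)
    # alice at her usual hour and load, then alice at 03:00 burning CPU
    # after repeated failed log-ins; carol has no history of her own, so
    # she is judged against the "secretary" group profile instead.
    print(assess(users, "alice", 9, 125, 0))
    print(assess(users, "alice", 3, 2500, 4))
    print(assess(users, "carol", 9, 110, 0))
    print(assess(groups, ROLE["carol"], 2, 2900, 0))
```

Two caveats a real deployment has to address and this toy does not: the
baseline must be built from records known to be clean, since an insider who
is already misbehaving simply trains the profile to accept the misbehaviour;
and a single z-score threshold treats every feature as roughly normally
distributed, which login hour in particular is not, so a production detector
would use a per-feature model rather than one cut-off for all.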