The 'Security Digest' Archives (TM)


ARCHIVE: Rutgers 'Security List' (incl. - Archives (1987)
DOCUMENT: Rutgers 'Security List' for August 1987 (18 messages, 13314 bytes)
NOTICE: recognises the rights of all third-party works.


From:      "McMahon,Brian D" <MCMAHON%[email protected]>  12-Aug-1987 12:10:25
To:        [email protected]
Subject: More bad news on EMBL break-in

Yesterday, I posted a message from the info-vax list to this board; at
least, I *think* I posted it.  I never actually saw it leave.  Just in
case, I'll repeat that before going on to the latest combat reports, and
network loads be damned - this is serious.

In a message dated 31-Jul-1987, Roy Omond <OMOND%EMBL.BITNET> of the
European Microbiology Lab in Heidelberg reported the following hair-raising

>Well, the well known patch to SECURESHR.EXE took a *long* time in coming
>to Europe.  In fact, it took me several days to convince the local DEC
>people that there was a security loophole in VMS 4.5 ... *sigh*.
>Anyway, in the meantime, we got screwed around by German hackers
>(probably from the notorious Chaos Computer Club in Hamburg).  Before I
>had the chance to install the patch, "they" managed to get in and did
>pretty well at covering their tracks.  They patched two images, SHOW.EXE
>and LOGINOUT.EXE, so that a) they could login to *any* account with a certain
>password, which I'll not divulge, b) SYS$GW_IJOBCNT was decremented and
>c) that process would not show up in SHOW USERS.  They have cost us a lot of
>real money by using our X.25 connection to login to several places all round
>the globe.  I have done my best to notify per PSImail those VAX sites that
>were accessed from our hacked system.  I pray (and pray and pray ...) that
>no other damage has been done, and that I'm not sitting on a time bomb.
>Anyway, the following information might help others to check if they have
>been tampered with:
>Use CHECKSUM to perform a checksum of LOGINOUT.EXE and SHOW.EXE as follows:
>        $ Check Sys$System:Loginout.Exe
>        $ Show Symbol Checksum$Checksum
>        if you get the value 3490940838 then you're in trouble.
>        $ Check Sys$System:Show.Exe
>        if you get 1598142435, then again you're in trouble.
>Now something I'm a bit unsure about whether I should publicise :
>Two persons with known connections with the Chaos Computer Club in Hamburg
>who I know have distributed the patches mentioned above (and in my opinion
>are to be considered along with the lowest dregs of society) I will name
>here :
>        Claus Traenkner (at our own outstation of the EMBL in Hamburg)
>and     Stefan Weirauch (at the Univ. of Karlsruhe)
>in the hope that someone somewhere will a) be saved some hassle from them
>and b) might perform physical violence on them.
>Jeez, I'm scared ...
>Roy Omond

Pretty bad, already.  But today, I found this cheery piece, dated 04-Aug-1987:

>Further to my "important message" of last week, I  have since discovered
>that the patches done to LOGINOUT.EXE were even more lethal than I had
>imagined.  Not only would it allow entry to any username with the magic
>password, but it would also store (in 1's complement form) the valid
>password of all users logging in since the patch was installed in the
>12 bytes "reserved for customer use" in the UAF.  How many system managers
>ever even look at these bytes, never mind spot the danger there ?
>Well, they also distributed a small vanilla program to decypher these
>bytes and, lo and behold, a list of username/password pairs with accounts
>with (potentially) all privileges neatly marked with an asterisk.
>So everyone who even suspects that something might be amiss, look very
>closely at your UAF.  Look in particular at the 12 bytes from offset
>1f6 (hex) in each record.  If you reverse the 1's complement on these
>bytes and get something that looks like a password then ... :-(
>(Users with passwords longer than 12 characters or those with 2 passwords
>(like me) are relatively ok).
>Yet another hacker name to surface is user DKL at Bitnet/EARN node
>DHDMPI5 (the Max-Planck Institute for Atomic Physics, our neighbouring
>institute in Heidelberg).  I don't know who the person is, but I hope
>that he/she is condemned to working with IBM MVS for evermore.

I will post to info-vax the suggestion that further developments be sent to
this list, as well as to info-vax, by their originators, so you won't have
to deal with me any more.  I have a hunch this may not be over yet...

                           Brian McMahon, Grinnell College
                               <[email protected]>
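
Added example, not part of the original messages and not code from any of the posters: a Python version of the UAF check Roy Omond describes, which inverts the 12 bytes at offset 1f6 (hex) of each record and flags records where the result reads like a password. It assumes the UAF records have already been extracted as raw byte strings, that an untouched field is all zero, and that the padding bytes and password character set below are reasonable heuristics; it reports only the record index and decoded length, never the decoded text.

```python
"""Flag UAF records whose 'reserved for customer use' bytes decode to text."""
from typing import Iterable, List, NamedTuple, Optional, Tuple

FIELD_OFFSET = 0x1F6   # from the message: "12 bytes from offset 1f6 (hex)"
FIELD_LENGTH = 12      # from the message: 12 bytes reserved for customer use

# Assumption: characters a VMS password of the period could contain.
PASSWORD_CHARS = frozenset(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789$_")
# Assumption: byte values that may pad a value shorter than 12 characters.
PADDING = b"\x00\xff "

SUSPECT = "inverted bytes read as a password"
IN_USE = "field is non-zero but does not decode to text"
TOO_SHORT = "record too short to contain the field"


class Finding(NamedTuple):
    record_index: int
    reason: str
    decoded_length: int   # length only; the decoded text is never reported


def classify_record(record: bytes, min_len: int = 4) -> Optional[Tuple[str, int]]:
    """Return (reason, decoded_length) for a record worth a look, else None."""
    end = FIELD_OFFSET + FIELD_LENGTH
    if len(record) < end:
        return (TOO_SHORT, 0)
    field = record[FIELD_OFFSET:end]
    if not any(field):
        return None  # assumed untouched: all twelve bytes are zero
    # Reverse the 1's complement, then drop trailing padding.
    candidate = bytes(b ^ 0xFF for b in field).rstrip(PADDING)
    if len(candidate) >= min_len and all(c in PASSWORD_CHARS for c in candidate):
        return (SUSPECT, len(candidate))
    # A site may legitimately use these bytes; report it for manual review.
    return (IN_USE, 0)


def scan_records(records: Iterable[bytes], min_len: int = 4) -> List[Finding]:
    """Check every record and collect the ones that are not clean."""
    findings = []
    for index, record in enumerate(records):
        verdict = classify_record(record, min_len)
        if verdict is not None:
            findings.append(Finding(index, verdict[0], verdict[1]))
    return findings


def _constructed_record(field: bytes) -> bytes:
    """Build a fake record: zero filler, the 12-byte field, zero filler."""
    return bytes(FIELD_OFFSET) + field.ljust(FIELD_LENGTH, b"\x00") + bytes(32)


def _complemented(text: bytes) -> bytes:
    """Store text the way the message describes: 1's complement of each byte."""
    return bytes(b ^ 0xFF for b in text.ljust(FIELD_LENGTH, b"\x00"))


# Constructed sample data, not taken from any real system.
SAMPLE_RECORDS = [
    _constructed_record(b""),                         # clean record
    _constructed_record(_complemented(b"WINTER87")),  # tampered record
    _constructed_record(b"DEPT-42"),                  # site's own use of field
    bytes(100),                                       # truncated record
]

if __name__ == "__main__":
    for finding in scan_records(SAMPLE_RECORDS):
        print(f"record {finding.record_index}: {finding.reason}")
```

A record flagged as suspect means the account's password should be treated as exposed and changed, in addition to restoring the patched images.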

From:      "Stefan Weirauch, IRA, Uni Karlsruhe"   12-Aug-1987 12:48:12
To:[email protected],
Remarks on the messages from Roy Omond (31-Jul) and Michael Bednarek (4-Aug).

Just back from my summer holidays I have to notice some very strange
statements in connection with my name.

Roy Omond wrote:

> Now something I'm a bit unsure about whether I should publicise :

He better should have given it more thought...

> Two persons with known connections with the Chaos Computer Club in Hamburg
> who I know have distributed the patches mentioned above (and in my opinion
> are to be considered along with the lowest dregs of society) I will name

This is, in fact, a primitive insult, based on nothing but speculations.

>         Claus Traenkner (at our own outstation of the EMBL in Hamburg)
> and     Stefan Weirauch (at the Univ. of Karlsruhe)
> in the hope that someone somewhere will a) be saved some hassle from them
> and b) might perform physical violence on them.

Well, just an instigation to perform violence.

To build an opinion about this way of writing a public message is left
to the reader.

However, as System/Security Manager I know very well those problems with
hackers (see below). In case of detecting such a penetrator, I grab him and
take further steps personally.
At my site no personal mail relative to those topics in Roy Omond's message
reached me. Maybe that is not astonishing in the light of a message
which is based on some vague information.

Michael Bednarek wrote:

> I knew I had seen this name before, and (using rn) the command ?weirauch?ra
> showed article <[email protected]> which is a patch
> to PHONE. The date was 21-Jul-1987.
> In the light of Roy's experience you might want to examine the nature of that
> patch.

Well, this comment fully deserves my agreement, because you will see, how well
written the Phone Patch is (of course, I mean the second, bugfixed version).
But, does it make sense, to examine software, distributed over the net, only
if there is someone, railing at the creator ?
I think you always should very carefully examine such software, performing
modifications of the operating system. If you are not able to do this, for
example, because you have no micro-fiches, it is reasonable to wait for such
modifications from DEC.
I did not add such a hint to my PHONEPAT - description, because I suppose, we
all think that way.

As I mentioned in my PHONEPAT message, there are many clever student users at
our site, detecting bugs or undocumented features in VMS. I spend a lot of
time in preventing them from successfully attacking the system. To do this
efficiently I made my thoughts about the things a hacker might perform.
Thus, I learned much, and hacked patches to parts of the system as a problem
of system security (again affecting my nerves and time) are old for me;
if they are new to you, don't accuse those people, making their experiences
with these aspects of security, but learn from them and be thankful ! 

Stefan Weirauch                 CSNET:    WEIRAUCH%[email protected]
Informatik-Rechner-Abteilung    UUCP:     WEIRAUCH%iravcl%[email protected]
Universitaet Karlsruhe          PSI:      PSI%026245721042100::WEIRAUCH
D-7500 Karlsruhe 1
West Germany

From:      John Owens <[email protected]>  15-Aug-1987 10:12:39
To:        [email protected], [email protected]
Well, most garage door openers that I've seen (I don't have one myself,
not having a garage) have a set of DIP switches you can use to encode
a unique pattern.  The frequencies, at least within the same brand, are
the same.  So you could set your two openers to be one bit apart, and
leave the hood off of the dip switches, and switch the one bit....

John Owens		Old Dominion University - Norfolk, Virginia, USA
[email protected]		old arpa: john%[email protected]
[email protected]		old uucp: {decuac,harvard,hoptoad,mcnc}!xanth!john

From:      GREENY <MISS026%[email protected]>  17-Aug-1987 10:49:48
To:        <[email protected]>
>A friend of mine has a two car / two door garage.  He wants to install
>a remote control garage door opener on both doors with different frequencies
>for each door.  He would also like ONE controller ...

Seems simple enough to me. The crystals in those handy-dandy garage door
openers are *usually* (if they aren't...just de-solder em..) plugged into
a socket somewhere in the controller.  Just mount the two crystals somewhere
else and wire them thru a DPDT (Double Pole Double Throw) switch from Radio
Shack and wire the switch into the now empty socket from the crystals.
Stick it in the car with some double stick mounting tape, and label the
switch Left/Right or 1/2 or 0/1 (whatever suits your fancy...) and then
hit the button.  When it's on "1" door "1" opens, and when on "0", door "0" biggie.  And if there is such an "off the shelf" (i.e. Unhackerish)
type available, it probably is part of a so-called "system" and costs giga-

Hope this helps....
bye for now but not for long....

Bitnet: [email protected]
Internet: miss026%[email protected]

From:      Joe Harrington <[email protected]>  17-Aug-1987 22:22:51
To:        [email protected]
MIT, in a noncharacteristic burst of liberal generosity (or they're
tired of getting kicked in the *** by people who demand their rights),
gives you the option of having your ssn or a pseudo ssn which they
provide as your MIT ID number.  The pseudo ssn's all begin with 888,
as (so goes the story) there have not (yet) been any real ssn's
issued with that prefix.

If it is true that no 888 numbers have been issued (please reply if
you think otherwise and have counterexamples), then giving some random
888 number as your ssn could be an easy solution for people who wanted
to hide theirs and avoid hassle (though be careful about
misrepresenting yourself on signed legal documents).

Unfortunately, it is too late for me, as my ssn is plastered all over
everything.  Oh well,

From:      "Mike @ (214)575-3517" <LINNIG%[email protected]>  18-Aug-1987 12:27:21
To:        [email protected]
sure, you can do that .. but not by changing the frequencies.

Some of the new garage door openers send a digital code (typically 8 bits)
as part of their signal.  The door opener and the controller have to
be set to the same code for it to work.

All you need is two openers (same brand and model) and one controller.  
To change codes on my controller, there are some jumper cables that you
cut to set the bits.  Wire a switch up to one of the jumper cables.  
Set the codes in the door openers so they only differ by one bit (the
one with the switch).  Now the switch allows you to send two different
codes, one for each door.


	Mike Linnig,
	Texas Instruments

From:      Brint Cooper <[email protected]>  18-Aug-1987 13:44:30
To:        [email protected]
	Nearly all of the requests for SSN that I have seen have not
required me to produce the card.  In every case that I can think of, I
could just supply the number from memory.

	What's to prevent someone who objects to passing his/her SSN
around the town to provide a false one?  

	Similarly, many places now require a phone number on a credit
card slip (Visa/MC).  They don't check this number as part of
verification.  In restaurants, it's not even requested until you're
signing the slip and leaving.  I wonder what they do with this info.  It
might help someone who's fraudulently using your credit card number.  It
might also be sold to telemarketing firms.  Again, why not submit a
false  one?  Or your work phone?  Or whatever?

From:      [email protected] (Dave Curry)  29-Aug-1987 12:03:02
To:        RMOREY%ATLAS%[email protected]
     From:  RMOREY%ATLAS%[email protected]
     Date:      Fri, 31 Jul 87 11:03 EST
     Subject:   Dogs, defense against

     I have heard about aerosol sprays that deter attackers, but can't find
     them and don't know if they are legal. Someone suggested to my wife
     that she buy a squirt gun with a 30-foot range and fill it with
     ammonia to shoot at dogs. Q: Would this work without getting me into a
     lawsuit from seriously injuring a dog?

Ammonia?  Sounds pretty nasty, and I would think it could hurt the dog.
I've always heard lemon juice is what you should use.

     And what is in aerosol sprays that are used for self defense, if
     not mace? What sprays are legal and where are they found?

Well, there is "PARALYZER", which is basically Army tear gas.  It comes
in a small black aerosol; most "army surplus" type stores sell them,
among other places.  I'm not sure what a dog would do if you sprayed
him with it though; the stuff is NASTY.

     I'm not a dog hater. I've never been a dog owner, either. Does
     anyone have any better suggestions?

Most of the postal carriers here have some sort of small aerosol
clipped to their mail bags; I assume it is for discouraging dogs.  You
might call your local post office and ask them what they recommend.

--Dave Curry

From:      Carl DeFranco <[email protected]>  31-Aug-1987 09:30:52
To:        rmorey%atlas%rca[email protected], [email protected]
I'm assuming this is related to the net.  R. Morey inquired about things
to protect people from less than friendly dogs.  There are a number of
such products available, tho' I'm not sure of the sources.

     1.  STOP! is an aerosol designed for protection specifically
     from dogs.  Aimed at their snouts, it will stop them in their
     tracks without doing permanent harm.  A bicycling friend of
     mine swears by it.

     2.  DAZER is a new electronic device that generates high
     frequency sound painful to dogs.  A recent Syracuse, NY
     newspaper article described tests as ambiguous - when it
     worked it worked very well.

     3.  The originally mentioned ammonia squirt gun trick is very
     effective if you can hit the dog.

Regarding liability for hurting dogs:  I'm not a lawyer, but in nearly
every community, some form of leash laws exist.  Even when they don't,
a pet owner is responsible for his/her pet's actions.  If they leave the
confines of the owner's property, you are justified in using reasonable
means, including physical harm if truly necessary, to protect the health
and safety of yourself and your family.  I personally wouldn't hesitate
to take action against a dangerous animal if it threatened me, my wife,
or my children.  I would also be glad to answer any pet owner's complaints
about my treatment of their animal.  By the way, I have a large dog and
two cats of my own - I'm NOT an animal hater.

Carl DeFranco
[email protected]

From:      John Pershing <[email protected]>   31-Aug-1987 09:56:35
To:        [email protected]
There used to be a product called "Halt!", sold at bicycle stores, that
was *quite* effective at stopping charging dogs in their tracks.
However, I have no idea what would happen when it wears off, as I was
always long gone by that time -- maybe you would simply have a very angry
dog on your hands...

Halt! is more-or-less aerosol Tabasco Sauce, and does not cause any harm
to the dog; ammonia, on the other hand, can cause blindness if you get it
in the dog's eyes.  I don't know if Halt! is still available, but I assume
that it is -- check out your local bike shop.

      John A. Pershing Jr.

From:      Simson L. Garfinkel <[email protected]>  31-Aug-1987 14:04:19
To:        [email protected]
(I saw this on somebody's desk today. It is on official stationery.)

	      Fort George G. Meade, Maryland, 20755-6000
			 Serial: V1-072/L-87

			     24 July 1987

Dear Gentlemen and Ladies:

	The National Security Agency, in conjunction with four major
U. S. Corporations, is currently developing a new family of secure
telephones. These new phones, designated STU-III, will begin fielding
in October 1987, and will serve as the primary secure telephone for
the U. S. Government and its contractors. In support of this program,
the National Security Agency will host a "STU-III Seminar for U. S.
Contractor Personnel" on 5-8 October 1987 at the Aladdin Hotel, Las
Vegas, Nevada.

	The purpose of this seminar is to furnish the U. S. contractor
community with essential information on the STU-III family of secure
telephones, and to provide a forum for discussing STU-III issues of
mutual interest. This meeting is the only one of its type planned for
the contractor community in the foreseeable future. If your company
plans to acquire STU-III terminals, appropriate personnel should


Highlights from agenda:

Tuesday, 6 October 1987:

	STU-III overview and Program status
	STU-III Implementation Schedule and Field Plans
	STU-III Testing (Progress report and future plans)
	STU-III Vendor Presentations


Wednesday, 7 October 1987

	STU-III Key Management System Overview
	STU-III Terminal Keying procedures
	Vendor Keying Demonstrations
	STU-III Doctrine
	Contractor STU-III Key Management Structure
	Command Authority/User Representative/COMSEC Custodian Relationships

Thursday, 8 October 1987

	STU-III Key Ordering and Distribution
	Accounting for STU-III Key
	Key Management System Milestones and Schedule

	A security clearance is not required for attendance at this
seminar. However, attendance will be limited to U. S. Citizens only,
and the attached registration form must be signed by each attendee.
The name and phone number of a company security officer should also be
provided, so that U. S. citizenship may be verified.

	Further information concerning the seminar may be obtained
from Mrs. Linda Amrein, Miss Maureen Anderson, or Mr. Bill Johnston on
(301) 688-7897/8255.

From:      James M Galvin <[email protected]>  31-Aug-1987 14:38:55
To:        [email protected]
Hmmm, watching all the discussion about social security numbers, I am
curious about two things in regards to phone numbers.

When I use my credit card retailers invariably ask for a phone number
under your signature, and worse insist on it.  Generally I just give
them a random number.  (I even used 999-123-4567 once, and nobody

First, can a retailer insist on a phone number?

Second, am I in trouble for giving out wrong numbers?

And just to go a step further, what about when they ask for your address?

From:      [email protected] (Nark Mason)  31-Aug-1987 15:44:09
To:        RMOREY%ATLAS%[email protected], [email protected]
There are two kinds of spray dog repellants I know of, one's mace (CN
or CS gas) and the other's just something nasty billed as a dog repellant.
Generally either one will repel an attacker, man or dog. But if you run into
a really mean dog or really mean (or drugged) human it will just make
them mad.
I've spent a lot of time biking in the mountains in western mass and NY
and have had problems with dogs. I got a can of mace (CN I think, it was
illegal - tear gas), next dog I ran into I leveled the can at him and he
ran for cover before I had a chance to douse him. I haven't carried a can
since, all the dogs I've run into KNOW, they've been maced before.
Unless the dogs are an extra ornery junkyard type mace, CS, CN or dog
repellant will teach them quickly to stay away.
(good luck finding the stuff, I believe it's illegal many places - my
grandmother got some from her mailman once [for use on dogs])

From:      [email protected] (Nark Mason)  1-Sep-1987 09:09:00
To:        [email protected]
There's been a lot of talk about how not to give out your SS #, the one
thing I still fail to understand is why not give out your SS #? How can
it be abused?

From:      Mary Akers <[email protected]>   1-Sep-1987 10:38:49
To:        [email protected]
I received this over the net from a friend.  I thought it would make an
interesting counter point to the recent discussion on releasing Social Security
Numbers - note the section about using false numbers.

Date: Tue, 11 Aug 87 19:00:24 edt
From: [email protected] (Martin Minow)
To: [email protected]
Subject: [Found on Usenet (net.consumers)] 
	Social Security Administration -- Inside Scoop

From: [email protected] (Lance Keigwin)

Just after college I accepted a job with the Social Security Admin (SSA)
in a NYC district office.  I spent several years with SSA as a claims
representative, operations supervisor, and regional program specialist.
Fortunately I had the good sense to leave several years ago, when it
became very clear that federal service was not an alternative to anything.

In these jobs I dealt with all levels of the SS program.  Undoubtedly the
two biggest headaches for SSA (and the public claimants) were resolving
discrepancies in dates of birth and earnings records.  Screwups in
establishing age is another story, and far less controversial.  SSA's
record there is really pretty good, if the claims rep is not a dope.

But scrambled earnings records are almost impossible to fix.  This
usually happens when somehow an employer gets a hold of a wrong number,
usually from an employee (although the employer could pick it up from
almost anywhere...and they do!).  Of course there is cross-checking
against what SSA believes is the right name and number but all it takes
is some (#$%@$%) clerk to cross refer two numbers to the same person and
zap!  Suddenly your record reflects someone else's wages too.  Or worse:
your covered earnings are credited to some third party.  This happens all
the time because people forget their numbers, re-apply for a second one,
guess wrong, etc.  Safeguards exist but if you consider the scale here
(all those workers, all those employers, and the general interest of the
average gov't employee in doing the job right even if it means more work
and worsened processing statistics) there are bound to be major problems.

When does the error come to light to you, John Q. Public?  If at all,
almost always at retirement, some decades in the future; at a time when
many employer records are gone, if not the employer itself, and your
recollection is at best fuzzy.  Chances are probably 9 in 10 that you'll
never get credit for all the taxes you paid, if your record is messed up
obviously enough for a rep to notice it and to look into it.

My advice:

1) Never, NEVER give anyone a fake SSN.  It will haunt you later in life.
If SSA has to search for earnings under a different number (spotted on an
application for employment, a credit card report, school record, etc.) you
will suffer significant delays in getting your correct benefit at best.
More likely, you will never live to see the tax credit.

2) Always, ALWAYS request a statement of your earnings every three
years.  There are screwy statute of limitations regulations (3 years,
3 months and 15 days), about when an error can be corrected.  Also the
statement of earnings you get will only break out the last several years
individually, and will total all prior years in one lump sum, so it is
good to do it periodically.

3) If you suspect an error, ask for a complete posting of each year
(a "certified earnings record").  If you're given a little card to
complete and told it will be mailed to you, don't buy it!  You can only
get a complete record by seeing a Service or Claims representative, who
must complete an SSA-450 for transmission to HQ in Baltimore.  Insist on
a photocopy of it when it arrives.  Be troublesome, if necessary.

4) If you do see an error, put your dispute in writing and if you must
mail it in, do so certified mail.  Establishing the date you first
suspected an error is important.  SSA has ways of "scouting" an employer's
records.  Ask to have it done.

5) Check your W-2 for the correct SSN.  Paystubs too, but especially
the W-2.  Report any error to your employer and IRS.

6) If you don't want to give your correct SSN to someone and feel you
must fake it, give them a number that starts with "9".  There is no
such thing as a real 900-series number so you are not risking screwing
up yours or someone else's account.  SSA will never accept it.

7) If you get an official decision that goes against you, protest if
you really believe you're being cheated.  There are several appellate
steps, and usually the official who decides is reasonably intelligent
and responsible.  Read the back of the notice about "reconsiderations",
"hearings", etc.  The reversal rate is very high.

As a matter of interest, two years after I started work for SSA I
requested a record of my earnings.  Sure enough, there was an error in
two quarters.  Want to guess who the employer was that messed up?
Yep, SSA.  It took them 3 years to fix it.  Good thing I had an "in". :-)

I also discovered that my retired father should have been getting benefits
for three of his student children (an SSA snafu).  I had us apply, and
asked for full retroactivity (over 8 years).  The claims examiner awarded
only 12 months of retroactivity.  I appealed.  We won.  Total family
benefits came to over $7000.  I used my $1500 to buy a washer and dryer.

Lance P. Keigwin ([email protected]) (408)496-0111 (operator)  562-7738 (direct)

From:      "Bryan, Jerry"                   <VM0A61%[email protected]>  1-Sep-1987 14:40:51
To:        <[email protected]>
>To the best of my recollection, the last time I renewed my California
>driver's license, I was told my SS# was required.  I asked for confirmation,
>saying it was my understanding that it could not be required by law, but
>they were adamant, so I did not pursue the issue even to the point of
>asking to talk to a supervisor.

>                        Jeff Rothenberg

>                        The RAND Corp.
>                        [email protected]

My understanding is that in about 1979 or so, Congress made an
explicit exception to the Privacy Act of 1974 to explicitly
permit states to use SSN's for all forms of motor vehicle
registration, including both your driver's license and the
registration of your car.  This means, of course, that the
original Privacy Act really does not mean anything any more because
your driver's licence is such a ubiquitous ID that once there,
it is available to all the world.

From:      "Bryan, Jerry"                   <VM0A61%[email protected]>  1-Sep-1987 14:53:04
To:        <[email protected]>
>One of my biggest frustrations is interest bearing bank accounts.  The IRS
>requires you to give the bank your SS#, but as far as I know there are
>no restrictions on what they can do with it.  Does anyone have a solution
>for this?

Write your congressman.  Existing law is *not* on your side.  I fear I
am cynical, but I have lost several times  -- after fighting hard and
even hiring lawyers.  Present law favors, encourages, and often
requires the use and disclosure of SSN's.  The somewhat limited
provisions restricting SSN's that were present in the Privacy Act of
1974 have been emasculated by subsequent legislation.

From:      <FXSDD%[email protected]>  1-Sep-1987 17:03:33
To:        [email protected]
From:    Scott Dennis, Computer Support
Subject: Social Security Numbers

In Alaska, they appear to have a more enlightened approach to Social Security
numbers.  When I renewed my drivers license a couple of years back, I told them
to remove it.  The clerk didn't know how to do it, but the supervisor was very
helpful.  My license now shows 000-00-0000 in the SS # location.
  My other experience with this was at Arizona State University, where
they use it for a student ID number.  I refused to give it, and they were happy
to issue me a 998-xx-xxxx number.  Their forms call it a 'student ID #'.
  The University of Alaska is pretty insistent on getting the actual number,
however.  Their forms have the gall to always call it a 'SS #'.