The 'Security Digest' Archives (TM)

Archive: About | Browse | Search | Contributions | Feedback
Site: Help | Index | Search | Contact | Notices | Changes

ARCHIVE: Rutgers 'Security List' (incl. - Archives (1988)
DOCUMENT: Rutgers 'Security List' for July 1988 (2 messages, 8899 bytes)
NOTICE: recognises the rights of all third-party works.


From:      _*Hobbit* <[email protected]>  11-JUL-1988 20:58
To:        [email protected]
For the second time in six months, I'm being forced to flee yet another
doomed machine.  We're selling the Vax 785 called, and moving
to a sun 4.  The boss-man wanted a faster machine, liked the other sun 4's we
already have, and decided to get one; in addition, the resale value of the
785 drops daily, so all of this comes at somewhat short notice.  Needless to
say the Security list has to move somewhere too, and since the rest of the
world seems to be going to Unix, I might as well sit down and learn how to
make sendmail stand on its head and handle the list.  This transition in
theory will be transparent -- I'll move the list's mechanism and messages to
the new machine at some point and start sending from there.  That machine
will probably answer as when we get everything going right.
I don't want to announce an official change until I know how to handle things
over there and write a zillion emacs macros, but things may fall fairly silent
with regard to remailing while I'm teaching myself and the new machine how
to deal with it.

			Your harried moderator...

Date:      Thu, 28 Jul 88 11:10:37 PST
From:      [email protected] (the tty of Geoff Goodfellow)
Subject:   NYT/Markoff Hacker Article & Memo.
A2434 21-Jul-88  15:54
c.1988 N.Y. Times News Service=

           NEW YORK _ Sophisticated personal computer users are becoming
increasingly adept at penetrating the nation's telephone system,
raising questions about the security and privacy of the phone
system, industry experts and law enforcement offiials say.
           The vulnerability of the phone system to such tampering has
grown significantly in the past decade or so as telephone companies
have largely replaced electro-mechanical call-routing equipment
with computer-controlled switches.
           As a result, people with the expertise can illegally connect
their personal computers to the phone network. With the proper
commands, these intruders can do such things as eavesdrop, add
calls to someone's bill, alter or destroy data, have all calls to a
particular number automatically forwarded to another number or keep
someone's line permanently busy, it was disclosed in an internal
memorandum written by a manager of electronic security operations
at the San Francisco-based Pacific Bell Telephone Co. and in
interviews with company officials.
           Peter Neumann, a computer security consultant at SRI
International Inc. in Menlo Park, Calif., said telephone companies
are only beginning to awaken to the security problems created by
the increasing computerization of the telephone network.
           ``As far as our vulnerability, we all have our heads in the
sand,'' he said. ``We have to redefine our notions of what we
entrust to computers and to communication networks.''
           Some personal computer enthusiasts, often called ``hackers,''
view the task of breaking into the telephone system as a test of
their skills and only infrequently inflict damage, industry
officials and consultants say. But others act with criminal intent.
           In his memo, the Pacific Bell security manager also warned that
an electronic intruder could essentially disable an entire central
switching office for routing calls, disrupting telephone service to
entire neighborhoods. Furthermore, he said, organized-crime groups
or terrorists might use such technology to their own advantage.
           The integrity of customer bills could also be compromised, he
said. Customers might rightfully or wrongfully dispute expensive
calls, claiming the calls were placed on their bills by computer
           Earlier this month, a teen-age computer enthusiast who requested
anonymity provided The New York Times with the Pacific Bell memo,
which was written a year ago. He said it had been obtained by a
fellow hacker who illicitly eavesdropped on a facsimile
transmission between Pacific Bell offices in San Francisco.
           The memo, which Pacific Bell verified as authentic, concluded
that ``the number of individuals capable of entering Pacific Bell
operating systems is growing'' and that ``computer hackers are
becoming more sophisticated in their attacks.''
           In one of two cases cited in the memo, a group of teen-age
computer hobbyists were able to do such things as ``monitor each
other's lines for fun'' and ``seize another person's dial tone and
make calls appear on their bill,'' the memo said. One of the
hackers used his knowledge to disconnect and tie up the telephone
services of people he did not like. In addition, ``he would add
several custom-calling features to their lines to create larger
bills,'' the memo said.
           In the second case, police searched the Southern California home
of a man thought to be breaking into the computers of a Santa Cruz,
Calif., software company. They discovered the man could also gain
access to all of Pacific Bell's Southern California switching
           Files were found containing codes and employee passwords for
connecting with _ or ``logging on to'' _ the Pacific Bell switching
systems and related computers. The man also had commands for
controlling the equipment.
           In another case involving tampering with telephone company
switching equipment, local police and the FBI in the San Francisco
area are investigating Kevin Poulsen, a former programmer at Sun
Microsystems, said Joseph Burton, an assistant U.S. attorney in San
Jose, and John Glang, a deputy district attorney for San Mateo
           Authorities searched Poulsen's apartment in Menlo Park in
February as well as the residence of a suspected accomplice in San
Francisco, the officials said.
           Poulsen was said to be in Southern California and was
unavailable for comment.
           Burton said he could not discuss a current investigation. Glang
would say only that the case had been taken over by the federal
government because ``there are some potential national security
           But a security expert familiar with the case, who requested
anonymity, said that Poulsen ``pretty clearly demonstrated you can
get in and romp around inside a Bell operating system.''
           ``What it pointed out,'' he said, ``was the serious
           Security consultants said other phone companies are equally
vulnerable to such breaches. They noted that most phone service in
the nation is provided by companies that were part of the Bell
System until it was broken up in 1984 and still use similar
equipment and procedures.
           Michigan Bell officials said they had caught an intruder who
tampered with the company's switching equipment last year. A
spokesman declined to give details of the incident but said no
arrest was made. ``We have been able to tighten our security
arrangements,'' said Phil Jones, a company spokesman. ``There were
lessons to be learned here.''
           Jack Hancock, vice president for information systems at Pacific
Bell, said his company had also taken steps to make it tougher to
penetrate its systems. He said, however, that the company had to
strike a balance between security and cost considerations so the
phone system would still be widely affordable and easy to maintain.
           ``We could secure the telephone system totally, but the cost
would be enormous,'' he said. ``A public service will probably
always have certain insecurities in it.''
           Though Pacific Bell refused to disclose the security measures it
had taken, the company said it had restricted the ability to dial
into its computers from remote points.
           As computerized communications become more sophisticated,
companies will be able to improve security at a reasonable cost,
said Barry K. Schwartz, a systems planning manager at Bell
Communications Research, which does research for the seven Bell
operating companies.
           It will be increasingly possible to program a computer so it
will only answer a call from an authorized phone, he said. Another
new technology on the horizon, he said, is electronic voice
verification. A security system using this technology would be able
to recognize those authorized to gain access to a computer by their
voice patterns.
           Telephone companies have long had to worry about electronic
abuse of their networks.
           For several decades individuals have used electronic equipment
to make long-distance phone calls for free. Some have used devices
that generate a series of tones that provides access to
long-distance lines. Telephone companies have installed equipment
on their lines to detect and thwart such abuse.
           In other instances, people have used personal computers to find
long-distance access codes belonging to other users. They do this
by programming computers to keep trying various numbers until they
hit upon one that works.
           But while costly, these kinds of abuse are not much of a threat
to the integrity of the system because they do not affect the
system itself.
           The new problems involving network tampering are arising,
experts say, because the switches that route calls are now mostly
electronic, meaning they are essentially big computers. If a
customer wants an option like call forwarding or call waiting added
to his or her telephone service, that is done by typing commands
into a computer, not by moving wires and switches.
           Pacific Bell said 79 percent of its customers are now served by
computerized switching systems.
           Experts say these electronic networks are especially vulnerable
to tampering because it is possible to dial up the computers
controlling the switches from the outside. Phone companies designed
their systems this way to make it easier for them to change the
system and diagnose problems.
           For example, a technician in the field trying to diagnose
problems on a line needs to be able to dial certain test circuits
in the central office. But such a dial-up capability can also be
used by outsiders with personal computers and modems who know the
proper numbers to call and the proper procedures to get on the
           The ability to eavesdrop on telephone calls is included in the
system to allow an operator to check to see whether a line that is
busy for a long time is being used or whether the phone is off the
hook or the line is broken.
           One security consultant who requested anonymity said this
capability had also made it much easier for law enforcement
officials to wiretap a line. When the police receive court
permission to conduct a wiretap, they can have the phone company
dial up the switch serving the line so conversations can be
monitored from a remote location.
           Obtaining the information needed to break into the phone system
can be difficult, but intruders often do it by impersonating phone
company employees _ a practice that hackers call ``social
           A teen-ager interviewed by Pacific Bell officials after his
arrest told investigators that he had entered a number of Pacific
Bell facilities in the San Francisco area disguised as a Federal
Express delivery man in order to search for manuals and other
documents, according to the company memo. The youth also said he
had impersonated telephone security officials to obtain passwords
and other information.
           ^CNYT-07-21-88 1855EDT<
Date:     Thu Jul 28, 1988 10:27 am  PDT
From:     John Markoff / MCI ID: 108-5848
TO:     * Geoffrey S. Goodfellow / MCI ID: 103-7391
Subject:  Pac Bell
I gave up trying to send you the memo via usenet. could you pass a 
copy along to the risks folks? thanks.
John Markoff

August 3, 1987
I've attached a summary of some recent events that are alarming.
I believe this information should be shared with XX XXXXXX?  I've sent
a copy to XXXXX.

                                                 COPY FOR: XXXXXX XXXXXXXXX

San Francisco, July 29, 1987
Case Nos.: 86-883, 87-497
Electronic Operations recently investigated two cases involving a
number of sophisticated hackers who were adept at illegally
compromising public and private sector computers.  Included among
the victims of these hackers was Pacific Bell, as well as other
local exchange carriers and long distance providers.
Below is a synopsis of the two cases (87-497 and 86-883), each
of which demonstrate weaknesses in Pacific Bell's remote access
dial-up systems.
Case No. 87-497
On May 14, 1987, Electronic Operations received a court order
directing Pacific Bell to place traps on the telephone numbers
assigned to a company known as "Santa Cruz Operations".  The
court order was issued in order to identify the telephone number
being used by an individual who was illegally entering Santa
Cruz Operations' computer and stealing information.
On May 28, 1987, a telephone number was identified five separate
times making illegal entry into Santa Cruz Operations' computer.
The originating telephone number was XXXXXXXXXXXXXXX, which is
Thousand Oaks, California.
On June 3, 1987, a search warrant was served at XXXXXXXXXXXXXXX xxxxxxXXXXXXXX
Thousand Oaks, California.  The residents of the
apartment, who were not at home, were identified as XXXXXXX
XXXXXX, a programmer for General Telephone, and XXXXXXXX XXXXXX, a
known computer hacker.  Found inside the apartment were three
computers, numerous floppy disks and a number of General
Telephone computer manuals.
XXXXXXX XXXXXXXX was arrested several years ago for hacking Pacific
Bell, UCLA and Hughes Aircraft Company computers.  XXXXXX was a
minor at the time of his arrest.  XXXXXX XXXXXXXX was recently
arrested for compromising the data base of Santa Cruz Operations.
The floppy disks that were seized pursuant to the search
warrant revealed XXXXXXXX involvment in compromising the
Pacific Bell UNIX operation systems and other data bases.  The
disks documented the following:
  o  XXXXXXXX compromise of all Southern California SCC/ESAC
     computers.  On file were the names, log-ins, passwords, and
     home telephone numbers for Northern and Southern ESAC
  o  The dial-up numbers and circuit identification documents
     for SCC computers and Data Kits.
  o  The commands for testing and seizing trunk testing lines
     and channels.
  o  The commands and log-ins for COSMOS wire centers for
     Northern and Southern California.
  o  The commands for line monitoring and the seizure of dial
  o  References to the impersonation of Southern California
     Security Agents and ESAC employees to obtain information.
  o  The commands for placing terminating and originating
  o  The addresses of Pacific Bell locations and the
     Electronic Door Lock access codes for the following
     Southern California central offices ELSG12, LSAN06, LSAN12,
     LSAN15, LSAN23, LSAN56, AVLN11, HLWD01, HWTH01, IGWD01,
     LOMT11, AND SNPD01.
  o  Inter-company Electronic Mail detailing new
     login/password procedures and safeguards.
  o  The work sheet of an UNIX encryption reader hacker file.
     If successful, this program could break into any UNIX system
     at will.
Case No. 86-883
On November 14, 1986, Electronic Operations received a search
warrant directing Pacific Bell to trap calls being made to the
Stanford University computer.  The Stanford Computer was being
illegally accessed and was then being used to access other large
computer systems throughout the country.
The calls to the Stanford Computer were routed through several
different common carriers and through numerous states.  Through a
combination of traps, traces and sifting through information
posted on the Stanford computer, several suspects were identified
throughout the United States.
The group of computer hackers who illegally accessed the Stanford
computer system were known as "The Legion of Doom".  Subsequent
investigation indicated that the Legion of Doom was responsible
  o  The use of Stanford University high-speed mainframes to
     attack and hack ESAC/SCC mini compuuters with an UNIX
     password hacker file.  Password files were then stored on
     the Stanford systems for other members of the Legion of Doom
     to use.  Login and passwords for every local exchange
     carrier as well as AT&T SCC/ESAC mini computers were on file.

  o  The Legion of Doom used the Stanford computers to enter
     and attack other institutions and private contractors'
     computers.  Some of the contractors' computers were used for
     national defense research.
On July 21, 1987, eight search warrants were served in three
states at homes where members of the Legion of Doom reside.
Three of the searches were conducted in California.  XXXXXX
XXXXXXXXX, Senior Investigator-Electronic Operations, accompanied
Secret Service agents at the service of a search warrant at XXXXXX 
XXXXX   XXXXXXXXXXX   xXXXXXXXXXXX  which was the residence
of XXXXX XXXXXXXX, a sixteen-year-old member of the Legion of Doom.
XXXXXXXXXX interviewed XXXXXXXX, who had used the pseudonym
"O'Ryan Quest", when accessing computers.  During the interview,
XXXXXXXX admitted the following:
  o  The entering of central offices, (Burlingame, San Mateo,
     San Bruno, Millbrae) disguised as a Federal Express
     deliveryman.  The entries were done to case out the CO's
     for the purpose of finding computer terminals with
     telephones, the locations of switches and bays, the names of
     Comtechs, and materials related to the operations of the
     central office.  XXXXXXXX also claimed to have been in the
     AT&T Administration office on Folsom Street, San Francisco.
  o  XXXXXXXX telephone service had been disconnected twice
     for nonpayment, and twice he had his service restored by
     impersonating a service representative.
  o  Learning to test circuits and trunks with his computer by
     using ROTL and CAROT test procedures.
  o  Members of the Legion of Doom often accessed test trunks
     to monitor each other's lines for fun.
  o  On several occasions XXXXXXX would post the telephone
     number of a public coin phone for access to his BBS, Digital
     IDS.  He would then access the Millbrae COSMOS wire center
     and add call forwarding to the coin phone.  He would
     activate the call forwarding to his home telephone number,
     securing the identity of his location.
  o  XXXXX would impersonate an employee who had
     authorization to use a Data Kit and have it turned on for
     him.  When he was done, he would call back and have the Data
     Kit turned off.

  o  XXXXXXXX also would use his knowledge to disconnect and
     busyout the telephone services of individuals he did not
     like.  Further, he would add several custom calling features
     to their lines to create larger bills.
  o  It was very easy to use the test trunks with his computer
     to seize another person's dial tone and make calls appear
     on their bills.  XXXXXXXX did not admit charging 976 calls
     to anyone, but he knew of others who did.
  o  When the Legion of Doom attacked a computer system, they
     gave themselves five minutes to complete the hacking.  If
     they were not successful in five minutes, they would attempt
     another system.  The Legion of Doom was able to crack a
     computer in under five minutes approximately 90% of the
  o  XXXXXXXXX would impersonate employees to get non-published
     telephone listings.  XXXXXXX received the non-published
     listing for Apple Computer Founder, Steve Wozniak, and
     members of The Beastie Boys rock group.
  o  XXXXXXXX told Dougherty of one New York member of the Legion
     of Doom, "Bill from Arnoc", who has been placing his own traps
     in New York.  Bill from Arnoc helped XXXXXXX place traps in
     Pacific Bell.
The review of the evidence seized at XXXXXXX residence tends to
corroborate all XXXXXXXX statements.
There are some important conclusions that can be drawn from the
above two cases regarding future computer system concerns.
  o  The number of individuals capable of entering Pacific Bell
     operating systems is growing.
  o  Computer Hackers are becoming more sophisticated in their
  o  Dial-up ports will always be a target for computer entry by a
  o  Even dial-up ports with remote callbacks and manually controlled
     modems can be compromised.
  o  A hacker can place a central office off-line by overloading
     a SCC mini computer by improperly placing traps or by putting
     traps on several DID multi-trunk groups such as MCI or
     Sprint groups.
  o  Terrorist or Organized Crime organizations could use this
     underground computer technology against Pacific Bell or to
     their own advantage.
  o  Pacific Bell proprietary data bases such as PTT ESAC or
     PB2 ESAC could be compromised.
  o  The integrity of accurate customer billing statements have
     been compromised through access to the CEBS (Computerized
     Electronic Billing System) and will remain questionable.  A
     customer can dispute large direct-dialed calls and claim his
     telephone was accessed by a computer hacker.
The information gained as a result of the above investigations
should be shared with those individuals responsible for the
integrity of our computer systems.  Further, an ongoing business
partnership between security and the individuals responsible for
the integrity of our computer systems should be initiated and
maintained to ensure prompt, effective resolution of future
computer related security issues.