The 'Security Digest' Archives (TM)


ARCHIVE: Rutgers 'Security List' (incl. misc.security) - Archives (1990)
DOCUMENT: Rutgers 'Security List' for April 1990 (78 messages, 35599 bytes)
SOURCE: http://securitydigest.org/exec/display?f=rutgers/archive/1990/04.txt&t=text/plain
NOTICE: securitydigest.org recognises the rights of all third-party works.

START OF DOCUMENT

-----------[000000][next][prev][last][first]----------------------------------------------------
Date:      1 Apr 90 00:08:20 GMT
From:      uace0@uhnix2.uh.edu (Michael B. Vederman)
To:        security@rutgers.edu
Subject:   Re: Them Locks Are Easy
My ISUZU pickup was recently  broken into, and it took me a couple
of days to figure out how it was done.  One day I was washing it especially
well, and noticed a small scrape and gap in between the hard plastic that
surrounds the door handle & lock, and the metal of the door.  Evidently, all
it takes is a long skinny screwdriver to pry in between that plastic cover
and the metal.  Once you've got a little hole, it's just a matter of feeling
around in there with the screwdriver to hit the lever on the back of the door
lock, and pop! it's unlocked!  No more stereo!  (I know, I know, I was gonna
get an alarm as soon as I got a job...)

Many foreign car manufacturers are making their cars & trucks with doors like
that.  The cute little plastic outline around the handle & lock, and all it
takes is a screwdriver.

-- 
------------------------------------------------------------------------------
Double Click Me | Double Click Software | P.O. Box 741206 | Houston, Tx, 77274
------------------------------------------------------------------------------
Support BBS: (713)944-0108 | SHADOW | DC FORMATTER | DC UTILITIES | and others

-----------[000001][next][prev][last][first]----------------------------------------------------
Date:      Mon, 2 Apr 90 00:50:42 -0700
From:      Andy Freeman <andy@neon.stanford.edu>
To:        misc-security@decwrl.dec.com
Subject:   Re: car keys
>They did not ask for proof of ownership, or anything else, which made
>me quite nervous!

The VIN is visible from outside the car.  An appropriate response is to
find someone who will make a public stink, who happens to own a Mazda,
and send them keys to their car.

-andy
-- 
UUCP:    {arpa gateways, sun, decwrl, uunet, rutgers}!neon.stanford.edu!andy
ARPA:    andy@neon.stanford.edu
BELLNET: (415) 723-3088

-----------[000002][next][prev][last][first]----------------------------------------------------
Date:      2 Apr 90 08:46:33 PDT (Monday)
From:      "Court_K_Packer.wbst845"@xerox.com
To:        security-request@pyrite.rutgers.edu
Subject:   Re: Burn Boxes
I am looking for a source for burn boxes.  In the past we had internally
made wooden boxes with metal baffles that did quite well.  Without getting
into long explanations as to why, the decision was made to do away with the
wooden boxes and replace them with metal ones.  The metal ones only come in
one size and are VERY easy to jam with one sheet of crumpled paper.
Computer forms are nigh impossible. I am told that there is only ONE source
for off-the-shelf burn boxes in the good old US of A.

Don't counter with a suggestion for a shredder.  We had a couple of
different ones and they were not around too long. Burned out motors,
stripped gears, etc.

Any suggestions? 

-----------[000003][next][prev][last][first]----------------------------------------------------
Date:      Mon, 02 Apr 90 09:50 CST
From:      GREENY <MISS026@ecncdc.bitnet>
To:        <security@pyrite.rutgers.edu>
Subject:   re: car theft
> ....use a flashing LED ...even if it isn't hooked up to an alarm...

I tend to disagree with this theory.  All a crook has to do to see if the
LED is attached to anything is to shake the car and see who shows up.  Most
good alarms have shock detection and the alarm will go off....or if they
have some lock experience and pop the door open with a good car opening tool
then the alarm will go off and chances are they will cruise...with the LED,
this doesn't happen...

However, I like my alarm on my car.  It has a bunch of inputs for door pin
switches, shock detectors, etc.  I run a splice from each of these inputs to
a programmable voice siren driver (which has 4 inputs...), and have a
different recorded message for each input.  Door pins get "Hey....you just
opened my door...did you slim jim it?", shock detectors get "Hey quit
rocking/smacking my car...", tow detector says "QUIT TOWING MY CAR AWAY!!!",
and glass breakage detector gets "Hey, you just smashed my window...".

I got the prog. voice driver from work for about $45-$50.00 and they got it
from Oregon Scientific....

l8a...
Bye for now but not for long
Greeny
BITNET: MISS026@ECNCDC
Internet: MISS026%ECNCDC.BITNET@CUNYVM.CUNY.EDU
GEnie: GREENY
MacNet: GREENY
America Online: GREENY1

-----------[000004][next][prev][last][first]----------------------------------------------------
Date:      Mon, 02 Apr 90 10:04 CST
From:      GREENY <MISS026@ecncdc.bitnet>
To:        <security@pyrite.rutgers.edu>
Subject:   re: then locks are easy
> does anybody sell decent locks made for car doors...

no.....only OEM stuff is likely to work.  Besides, it won't make a difference;
just about anyone can get a set of locksmith car opening tools and have your
car open in under a minute....

There are armor plated shields that you can fit around the steering column
that have a Medeco lock in them to replace your ignition lock, but these
only prevent the car from being stolen...

> ...the windows are still made of fragile glass...

you bet! how else would you get out of the car in an accident where all the
doors got sealed? (this has happened to me....I just kicked out the window..)

Bye for now but not for long
Greeny
BITNET: MISS026@ECNCDC
Internet: MISS026%ECNCDC.BITNET@CUNYVM.CUNY.EDU
GEnie: GREENY
MacNet: GREENY

-----------[000006][next][prev][last][first]----------------------------------------------------
Date:      2 Apr 90 18:14:06 GMT
From:      karkania@aecom.yu.edu (George Karkanias)
To:        misc.security
Subject:   looking for inexpensive antitheft device for car.


	I was wondering if someone could recommend an inexpensive
antitheft device for my car.  The car is not very valuable but I'm
looking to avoid the inconvenience of another theft. :-(

	I'm interested in devices along the lines of steering wheel
locks.  I would hope the cost to be under $150 if some other device
is suggested.  The car is a Volkswagen Rabbit.

	Any suggestions and opinions would be greatly appreciated.

Info on vendors in the NY city area would also be a great help.

	Please email.

			Thanks in advance,
-- 
George Karkanias: Dept. of Neuro. AECOM
                  Bronx, NY 10461 

and remember  "Nature is a mother."

-----------[000007][next][prev][last][first]----------------------------------------------------
Date:      Tue, 3 Apr 90 06:52:13 PDT
From:      teraida!ratvax.dnet!ROBERTS@pyramid.com (Friends don't let friends use DOS.)
To:        "security@aim.rutgers.edu"@TEDA.DNET
Subject:   Re: Call for Security Hacks
> I am building a package for use in the war against "System Crackers"

I know dozens of methods for breaking into computers.  But how do I
know I can safely send them to you?

George Roberts
..teda!ratvax.dnet!roberts
..decwrl!teda!ratvax.dnet!roberts

-----------[000008][next][prev][last][first]----------------------------------------------------
Date:      3 Apr 90 03:26:00 GMT
From:      tihor@ACF4.NYU.EDU (Stephen Tihor)
To:        misc.security
Subject:   Re: Welcome banners

We have asked the authors of that DDN bulletin to provide a citation
so that we can have our counsel examine it for us.  They refused.

Based on several years of such requests I believe that this is an
"urban legend".  It may still be a useful idea to put something 
more useful up there for security reasons.

-----------[000009][next][prev][last][first]----------------------------------------------------
Date:      Tue, 3 Apr 1990 9:04:42 EDT
From:      SISSON@nssdca.gsfc.nasa.gov (SPAN ???something??? - phone # (301) 286-7251)
To:        security@pyrite.rutgers.edu
Subject:   Here's an article on the recent INTERNET hacker
The following article was forwarded from the CERT/CC group.
This is the only information I have at the moment.  When I hear 
anything else I'll be sure to send it out to this distribution list!

Pat Sisson
SPAN Network Information Center
former NSI Security Administrator
***************
***************

The following article was forwarded to the CERT/CC at the SEI by one
of the sites that was affected by the most recent set of related
incidents.  I am forwarding the article to you for your information.
I would expect that we will all learn more over the next few days.  I
also expect the US press will be calling many of us for information.  

The CERT/CC stance on this event is: "No Comment."

---------

PM-Australia-Hacking     04-02 0231
Police Smash Computer-Hacking Operation

	   MELBOURNE, Australia (AP) _ Federal police today smashed a
computer-hacking ring and arrested three young men following
complaints from the FBI about illegal intrusions into university
computer systems in the United States.
	   The three were charged in Melbourne Court with damaging data in
government computers, which is punishable with a maximum of 10
years in jail. Their identities were not made available but police
said they ranged in age from 18 to 21.
	   A police spokesman said the suspects were arrested following
raids earlier in the day in which computers were put out of action
to prevent the destruction of software.
	   The arrests followed a six-month investigation conducted jointly
by Australian federal police, the FBI and police in the state of
Victoria.
	   Federal police alleged the three hackers _ using the codenames
Phoenix, Electron and Nom _ hacked into universities and
laboratories in Australia and overseas.
	   Police said it was the biggest Australian-based computer hacking
operation uncovered so far.
	   U.S. investigators first discovered an Australian-based hacker
was at work in 1988 when it was found the Citibank system had been
illegally entered. Further reports of extensive illegal entry to
U.S. computers followed throughout last year.
	   A Federal Police spokesman said their investigation began in
earnest only six months ago after the Commonwealth Crimes Act was
approved last July covering offenses on illegal computer use.
	AP-NR-04-02-90 0823EDT

-----------[000011][next][prev][last][first]----------------------------------------------------
Date:      3 Apr 90 14:16:21 GMT
From:      murphy@DECUAC.DEC.COM (Rick Murphy)
To:        misc.security
Subject:   Re: Welcome banners

> a case against a hacker because (he ruled) the message "Welcome to ..."
> was a clear invitation to everyone.. 

I'm quite sure this is an "urban legend" of the computer community. 
It's one of those rumors that have been passed around for so long that
they've become fact :-)... I first heard this story several years ago.

Anyone have specific knowledge of any such case?
 
>The bulletin also suggested that  the banners not contain system
>information (e.g., "VAX/VMS 5.2 on VAX 11/780")

That's a good recommendation.

> it should also not contain
> the words "for official use only," because it seems that to hackers, this
> message means it *must* be defense (or at least evil-government) related,
> and therefore attracts them in droves.

Well, if you can't say "Welcome" and you can't say "Don't use this
system" what *can* you say?
	-Rick

Rick Murphy, WA1SPT/4                   Digital Equipment, Landover, MD
murphy@ufp.dco.dec.com                 (UFP stands for United Federation
                                         of Planets - not what *you* were
decwrl!ufp.dco!murphy                    thinking!)
Disclaimer: I don't even speak for myself - my wife does!

-----------[000012][next][prev][last][first]----------------------------------------------------
Date:      3 Apr 90 19:52:49 GMT
From:      jik@ATHENA.MIT.EDU (Jonathan I. Kamens)
To:        misc.security
Subject:   Re: New superhacker at work?


  The CERT has already put out an advisory (CA-90:02, March 19, 1990,
"Internet Intruder Warning") detailing the actions of this hacker.  I
wouldn't call him a "superhacker"; he isn't doing anything incredibly
new or different, he's just using the already-known security holes that
so many systems haven't even bothered to fix, even after Morris' worm.

  There was a story about this guy in the New York Times a couple weeks
ago, apparently because someone claiming to be the hacker called them up
(I can't remember the details incredibly clearly, but I seem to recall
that he identified himself as "Dave".) and started describing details of
the systems that had been breached that supposedly only the person who
did the breaching would know.

  Apparently, one of the systems he broke into was one of Cliff Stoll's
machines, and he broke root and changed the motd to read, "Tell Cliff to
read his mail -- the Cuckoo has egg on his face," or something like that.

  CERT advisories, including this one, are available for anonymous ftp
from cert.sei.cmu.edu (128.237.253.5).  I don't have anything to do with
CERT, other than reading their advisories :-).

Jonathan Kamens			              USnail:
MIT Project Athena				11 Ashford Terrace
jik@Athena.MIT.EDU				Allston, MA  02134
Office: 617-253-8495			      Home: 617-782-0710

-----------[000013][next][prev][last][first]----------------------------------------------------
Date:      Tue, 3 Apr 90 20:09:18 GMT
From:      robert@altitude.cam.org (Robert Masse)
To:        misc-security@uunet.uu.net
Subject:   Internet Security
At the moment security on the internet and other systems is pretty pitiful.

As one person stated, when you log on a system, and it says the version, 
nodename etc, it helps the hacker in many ways.  Example, on UNIX, BSD
(some of them) have bugs in the UUCP area, where you can call a system
up, run uucico and download the password file.  On the system V's you 
cannot do this.  

Also, a lot of users have the same password as their name (ie: mike, mike -
john, john - steve, steve).  On various UNIX systems, you can run the 'who'
process at the login prompt.  If a hacker does this, he can see all the user
names that are logged on and then attempt to hack the passwords.  

In my opinion, system administrators should start cracking down on the
security field.  Right now there are too many SA's saying "Naaaah, it could
never happen to my system, they only break into Military computers".
 
Wake Up!

-- 
                  Robert Masse  (514)466-2689/home
                 Internet: robert@altitude.CAM.ORG
                UUCP: uunet!philmtl!altitude!robert
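
An added example, not part of the original post or of the archive: a check
run when a user sets a password, rejecting the choices described above (the
login name itself and simple variations of the user's name) as well as
dictionary words.  The function names, the sample passwd entry and the short
word list are constructed for illustration.

```python
import re

# Constructed sample data (not from the archive): one passwd-style entry and a
# tiny stand-in for a site word list such as /usr/dict/words.
SAMPLE_PASSWD_LINE = "mike:x:1001:100:Michael J. Smith,Room 12:/home/mike:/bin/sh"
SAMPLE_WORDS = {"secret", "wizard", "dragon", "password"}

# Common symbol-for-letter substitutions, undone before comparing.
LEET = str.maketrans("013457@$!", "oieastasi")


def identity_tokens(passwd_line):
    """Return the lower-case strings a guesser tries first for this account:
    the login name and each word of the full-name (GECOS) field."""
    fields = passwd_line.strip().split(":")
    if len(fields) < 7:
        raise ValueError("not a 7-field passwd entry")
    login, gecos = fields[0], fields[4]
    full_name = gecos.split(",")[0]  # GECOS sub-fields are comma separated
    tokens = {login.lower()}
    # Ignore initials: only name parts of three or more letters are kept.
    tokens.update(t.lower() for t in re.findall(r"[A-Za-z]{3,}", full_name))
    return tokens


def normal_forms(candidate):
    """Reduce a candidate password to the forms a dictionary search would hit:
    lower-cased, with leading/trailing digits and punctuation removed, and
    with simple substitutions undone."""
    lower = candidate.lower()
    stripped = re.sub(r"^[^a-z]+|[^a-z]+$", "", lower)
    forms = {lower, stripped, lower.translate(LEET), stripped.translate(LEET)}
    forms.discard("")
    return forms


def weak_password_reasons(candidate, passwd_line, words=SAMPLE_WORDS):
    """Return a list of reasons to refuse the password; empty means accepted."""
    reasons = []
    forms = normal_forms(candidate)
    for token in sorted(identity_tokens(passwd_line)):
        # The name as-is, reversed, or doubled are all "simple variations".
        variants = {token, token[::-1], token * 2}
        if forms & variants:
            reasons.append("derived from account name or full name (%r)" % token)
    if forms & set(words):
        reasons.append("dictionary word")
    return reasons


if __name__ == "__main__":
    for pw in ("mike", "Sm1th!", "ekim42", "P@ssw0rd", "tq7#Lp!vz"):
        verdict = weak_password_reasons(pw, SAMPLE_PASSWD_LINE) or ["accepted"]
        print("%-10s %s" % (pw, "; ".join(verdict)))
```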

-----------[000014][next][prev][last][first]----------------------------------------------------
Date:      4 Apr 90 01:18:51 GMT
From:      Doug Gwyn <gwyn@smoke.brl.mil>
To:        misc-security@rutgers.edu
Subject:   Re: New superhacker at work?
>     Has anyone heard or seen anything anywhere about a new
>'superhacker' breaking into various sites on the Internet recently?

The news articles I saw indicated that he was simply exploiting the
same well-known security loopholes that the Morris worm had used,
and copying /etc/passwd to a more convenient system where he'd run
a dictionary-based /etc/passwd cracker on it in order to obtain user
accounts and passwords for various systems.  Nothing new and no
point to his activity.  One report said "an Australian named Dave"
claimed to be responsible, and that he was reacting to Stoll's
unfavorable evaluation of such so-called "hacking" in "The Cuckoo's
Egg".  Seems childish to me.  In any case, it's not worthy of the
name "superhacker".  In fact, he might be using a security sweep
tool that BRL developed to spot exactly these security flaws.  (We
made it available to some system administrators upon request.)
There has been far more than enough time for system administrators
to repair these well-known security flaws (or at least to get their
system vendors to repair them), if they had cared to do so.  If you
read "The Cuckoo's Egg" you should appreciate that incompetent
system administration is the main reason that security loopholes
persist.  And a low sense of ethics is the main reason they are
exploited.

-----------[000015][next][prev][last][first]----------------------------------------------------
Date:      Wed, 4 Apr 90 05:19:23 EDT
From:      Mark Brader <msb@sq.com>
To:        security@rutgers.edu
Subject:   holograms on bills
First, to clarify one thing, the so-called hologram on the new
Canadian $50 is no such thing.  I don't know how it is made, but
it has the appearance of a slightly textured piece of metal foil of
solid color (with the denomination overlaid on it in opaque white).
The special feature is that the color changes from green to yellow
as the patch is viewed from different angles.

More interesting is the new Australian $10 note (as they say) that
was just being introduced when I visited there in 1988.  I delayed
mentioning this because I was hoping someone would have newer or
more detailed information on how it's made or how successful the
techniques have been.

The paper that it's printed on is unusual and feels as though it is
impregnated with plastic, like those strong mailing envelopes that
one sometimes sees nowadays.  In one corner of the note, the paper
has a *hole* of irregular, roughly circular shape, about 25 mm across.

Suspended in the center of this hole is an oval foil patch 17 x 20 mm
with a portrait.  The portrait is not done in ink, nor embossed in the
conventional way -- it appears to be delineated by many small sections
of diffraction grating, so that when viewed under a directional light,
the picture is seen in many different colors that change as the note
is turned or the viewing angle changed.  I guess the grating's rulings show
through the foil, as the back looks like a mirror image of the same picture.

Finally, the suspension of the portrait in the hole is achieved by an
almost perfectly transparent plastic section, which blends into the
main part of the note with no joint that can be felt.  (The joint can
however be seen if one looks for it.  My guess is that two pieces of
the plastic are applied to opposite sides of the hole, with the foil
patch already on one of them, and then heated to fuse everything.)
There are some more subtle details here, like the shape of the plastic
piece, but this message is long enough.

Mark Brader, SoftQuad Inc., Toronto, utzoo!sq!msb, msb@sq.com
	We can design a system that's proof against accident and stupidity;
	but we CAN'T design one that's proof against deliberate malice.
	-- a spaceship designer in Arthur C. Clarke's "2001: A Space Odyssey"

-----------[000016][next][prev][last][first]----------------------------------------------------
Date:      4 Apr 90 03:44:08 GMT
From:      Doug Gwyn <gwyn@smoke.brl.mil>
To:        misc-security@rutgers.edu
Subject:   Re: Locks/Security in large institutions (e.g. Universities)
>1) In institutions which have frequent room rotations, as in the
>   dormitories of a University, what kinds of policies have been
>   implemented to keep the rooms secure from year to year at your
>   institution?

Removable-core systems make this relatively easy and inexpensive.
In fact you can just permute the cores, no need to re-pin them.
Best of all (no pun intended) is if the cores are not stamped on
the outside with a keying code but only on the inside.  That way
the only way someone could use an old copy of a key is to try it
in about half the locks until he found the matching core!

-----------[000017][next][prev][last][first]----------------------------------------------------
Date:      Wed, 04 Apr 90 19:12:23 -0900
From:      "Tony - Computer Consultant"  <AXACH@alaska.bitnet>
To:        security@pyrite.rutgers.edu
Subject:   RE: trashcan security
The issue of Trashcan security has recently gone to the legislature up here
in Alaska.  An officer is now allowed to search your garbage WITHOUT a
search warrant...My guess is that this issue is one left up to the individual
states.

                                                Tony
                                                AXACH@ALASKA       bitnet

-----------[000018][next][prev][last][first]----------------------------------------------------
Date:      4 Apr 90 07:37:10 GMT
From:      mtv@milton.u.washington.edu (David Schanen)
To:        misc-security@ames.arc.nasa.gov
Subject:   Network intruder (Repost from comp.risks)
	I decided to re-post this here as apparently some of you haven't heard
	the details yet.  "comp.risks" is a newsgroup, also on usenet.
		
		-Dave
	
   p.s. You may make contributions and/or comments to: risks@csl.sri.com

-------------------------------------------------------------------------------

RISKS-LIST: RISKS-FORUM Digest  Wednesday 21 March 1990   Volume 9 : Issue 77

        FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS 
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

SELF-PROCLAIMED `HACKER' SENDS MESSAGE TO CRITICS
By JOHN MARKOFF, c.1990 N.Y. Times News Service

   A man identifying himself as the intruder who illegally penetrated part of a
nationwide computer linkup said Tuesday that he had done so to taunt computer
security specialists who have denounced activities like his.  His assertion
came in a telephone call to The New York Times on Tuesday afternoon.  The man
identified himself only as an Australian named Dave, and his account could not
be confirmed.  But he offered a multitude of details about various electronic
break-ins in recent months that were corroborated by several targets of the
intruder.  He said he was calling from outside the United States, but that
could not be verified.
   Federal investigators have said that in recent months the intruder has
illegally entered computers at dozens of institutions in a nationwide network,
the Internet.  Once inside the computers, they said, the intruder stole lists
of the passwords that allow users to enter the system and then erased files to
conceal himself.   [...]
   Investigators in the new Internet case said the federal authorities in
Chicago were close to finding the intruder and several associates.  The U.S.
attorney's office in Chicago refused to confirm that assertion.  The
investigators said that in some cases the intruder might have used a program
that scanned the network for computers that were vulnerable.
   In his telephone call to The Times on Tuesday, the man said he had broad
access to U.S. computer systems because of security flaws in those machines.
As a self-proclaimed computer hacker, he said, he decided to break in to the
computer security experts' systems as a challenge.  Among the targets of the
recent attacks were Clifford Stoll, a computer system manager at the
Smithsonian Astronomical Observatory at Harvard University, and Eugene
Spafford, a computer scientist who specializes in computer security issues at
Purdue University.  The caller said he was upset by Stoll's portrayal of
intruders in a new book, ``The Cuckoo's Egg.''  ``I was angry at his
description of a lot of people,'' the caller said.  ``He was going on about how
he hates all hackers, and he gave pretty much of a one-sided view of who
hackers are.''
   Several days ago the intruder illegally entered a computer Stoll manages at
Harvard University and changed a standard welcome message to read: ``Have Cliff
read his mail. The cuckoo has egg on his face. Anonymous.''  The caller
explained in detail his techniques for illegally entering computer systems.  He
gave information about Stoll's and Spafford's computer systems that matched
details they were familiar with.
   And he described a break-in at an external computer that links different
networks at Digital Equipment Corp.  A spokeswoman for the company confirmed
that a machine had been entered in the manner the caller described.  But the
caller was not able to penetrate more secure Digital computers, she said.
   The caller said he had intended to tease the security experts but not to
damage the systems he entered.  ``It used to be the security guys chase the
hackers,'' he said. ``Now it's the hackers chase the security people.''
   Several managers of computer systems that were entered said that no
significant harm had been done but that the invader had wasted the time of
system administrators, who were forced to drop their normal duties to deal with
the breaches in security.
   Ordinary users were also inconvenienced, the managers said, because their
computers had to be temporarily removed from the system for security reasons.
   Investigators familiar with the break-ins said the intruder had entered
systems by using several well-known security flaws that have been widely
distributed in computerized mailing lists circulated among systems managers.
   Stoll, who from 1986 to 1988 tracked a group of West Germans breaking into
U.S. corporate, university and nonclassified military computers, said the
intruders had not proved any point.  ``It's sad that people have these
gunslinger ethics,'' he said.  ``It shows how easy it is to break into even a
modestly secure system.''  Spafford, who has also written <garbled>, but added
that nothing significant had been compromised.  [...]
   As a result of the break-ins, the Smithsonian Astronomical disconnected its
computers from the Internet, a network that connects servers around the world.
   Among the institutions believed to have been penetrated by the intruder are
the Los Alamos National Laboratory, Harvard, Digital Equipment, Livermore
Laboratories, Boston University and the University of Texas.
   Tuesday, the caller asserted that he had successfully entered dozens of
different computers by copying the password files to his machine and then
running a special program to decode the files.  That program was originally
written as a computer security experiment by a California-based computer
scientist and then distributed to other scientists.  [... reference to the
following CERT message...]
   Asked Tuesday whether he would continue his illegal activities, the caller
said he might lay low for a while.  ``It's getting a bit hot,'' he said, ``and
we went a bit berserk in the past week.''

------------------------------

CA-90:02
			    CERT Advisory
			    March 19, 1990
		      Internet Intruder Warning

There have been a number of media reports stemming from a March 19 New York
Times article entitled 'Computer System Intruder Plucks Passwords and
Avoids Detection.'  The article referred to a program that attempts to
get into computers around the Internet.

At this point, the Computer Emergency Response Team Coordination Center
(CERT/CC) does not have hard evidence that there is such a program.  What we
have seen are several persistent attempts on systems using known security
vulnerabilities.  All of these vulnerabilities have been previously reported.
Some national news agencies have referred to a 'virus' on the Internet; the
information we have now indicates that this is NOT true.  What we have seen and
can confirm is an intruder making persistent attempts to get into Internet
systems.

It is possible that a program may be discovered.  However, all the techniques
used in these attempts have also been used, in the past, by intruders probing
systems manually.

As of the morning of March 19, we know of several systems that have been broken
into and several dozen more attempts made on Thursday and Friday, March 15 and
16.

Systems administrators should be aware that many systems around the Internet
may have these vulnerabilities, and intruders know how to exploit them.  To
avoid security breaches in the future, we recommend that all system
administrators check for the kinds of problems noted in this message.

The rest of this advisory describes problems with system configurations that we
have seen intruders using.  In particular, the intruders attempted to exploit
problems in Berkeley BSD derived UNIX systems and have attacked DEC VMS
systems.  In the advisory below, points 1 through 12 deal with Unix, points 13
and 14 deal with the VMS attacks.

If you have questions about a particular problem, please get in touch with your
vendor.

The CERT makes copies of past advisories available via anonymous FTP (see the
end of this message).  Administrators may wish to review these as well.

We've had reports of intruders attempting to exploit the following areas:

1) Use TFTP (Trivial File Transfer Protocol) to steal password files.  

   To test your system for this vulnerability, connect to your system using
TFTP and try 'get /etc/motd'.  If you can do this, anyone else can get your
password file as well.  To avoid this problem, disable tftpd.

   In conjunction with this, encourage your users to choose passwords that are
difficult to guess (e.g. words that are not contained in any dictionary of
words of any language; no proper nouns, including names of "famous" real or
imaginary characters; no acronyms that are common to computer professionals; no
simple variations of first or last names, etc.)  Furthermore, inform your users
not to leave any clear text username/password information in files on any
system.

   If an intruder can get a password file, he/she will usually take it to
another machine and run password guessing programs on it. These programs
involve large dictionary searches and run quickly even on slow machines.  The
experience of many sites is that most systems that do not put any controls on
the types of passwords used probably have at least one password that can be
guessed.

2) Exploit accounts without passwords or known passwords (accounts with vendor
supplied default passwords are favorites).  Also uses finger to get account
names and then tries simple passwords.

   Scan your password file for extra UID 0 accounts, accounts with no password,
or new entries in the password file.  Always change vendor supplied default
passwords when you install new system software.

3) Exploit holes in sendmail.

   Make sure you are running the latest sendmail from your vendor.  BSD 5.61
fixes all known holes that the intruder is using.

4) Exploit bugs in old versions of FTP; exploit mis-configured anonymous FTP

   Make sure you are running the most recent version of FTP which is the
Berkeley version 4.163 of Nov.  8 1988.  Check with your vendor for information
on configuration upgrades.  Also check your anonymous FTP configuration.  It is
important to follow the instructions provided with the operating system to
properly configure the files available through anonymous ftp (e.g., file
permissions, ownership, group, etc.).  Note especially that you should not use
your system's standard password file as the password file for FTP.

5) Exploit the fingerd hole used by the Morris Internet worm.  

   Make sure you're running a recent version of finger.  Numerous Berkeley BSD
derived versions of UNIX were vulnerable.

Some other things to check for:

6) Check user's .rhosts files and the /etc/hosts.equiv files for systems
outside your domain.  Make sure all hosts in these files are authorized and
that the files are not world-writable.

7) Examine all the files that are run by cron and at.  We've seen intruders
leave back doors in files run from cron or submitted to at.  These techniques
can let the intruder back on the system even after you've kicked him/her off.
Also, verify that all files/programs referenced (directly or indirectly) by the
cron and at jobs, and the job files themselves, are not world-writable.

8) If your machine supports uucp, check the L.cmds file to see if they've added
extra commands and that it is owned by root (not by uucp!)  and world-readable.
Also, the L.sys file should not be world-readable or world-writable.

9) Examine the /usr/lib/aliases (mail alias) file for unauthorized entries.
Some alias files include an alias named 'uudecode'; if this alias exists on
your system, and you are not explicitly using it, then it should be removed.

10) Look for hidden files (files that start with a period and are normally not
shown by ls) with odd names and/or setuid capabilities, as these can be used to
"hide" information or privileged (setuid root) programs, including /bin/sh.
Names such as '..  ' (dot dot space space), '...', and .xx have been used, as
have ordinary looking names such as '.mail'.  Places to look include especially
/tmp, /usr/tmp, and hidden directories (frequently within users' home
directories).

11) Check the integrity of critical system programs such as su, login, and
telnet.  Use a known, good copy of the program, such as the original
distribution media, and compare it with the program you are running.

12) Older versions of systems often have security vulnerabilities that are well
known to intruders.  One of the best defenses against problems is to upgrade to
the latest version of your vendor's system.

VMS SYSTEM ATTACKS:

13) The intruder exploits system default passwords that have not been changed
since installation.  Make sure to change all default passwords when the
software is installed.  The intruder also guesses simple user passwords.  See
point 1 above for suggestions on choosing good passwords.

14) If the intruder gets into a system, often the programs
loginout.exe and show.exe are modified.  Check these programs against
the files found in your distribution media.

If you believe that your system has been compromised, contact CERT via
telephone or e-mail.

J. Paul Holbrook, Computer Emergency Response Team (CERT), Software 
Engineering Institute, Carnegie Mellon University, Pittsburgh, PA 15213-3890
Internet E-mail: cert@cert.sei.cmu.edu
Telephone: 412-268-7090 24-hour hotline: CERT personnel answer
           7:30a.m.-6:00p.m. EST, on call for emergencies other hours.

Past advisories and other information are available for anonymous ftp
from cert.sei.cmu.edu (128.237.253.5).
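
Checklist item 2 above (extra UID 0 accounts, accounts with no password, new entries in the password file) written as a script. This is an added example, not part of the CERT advisory; the offline baseline copy is an assumption, and both sample files and every name and hash in them are constructed.

```python
import re
from collections import namedtuple

Entry = namedtuple("Entry", "name passwd uid gid gecos home shell")
Finding = namedtuple("Finding", "kind name detail")

# Constructed sample: a known-good copy kept offline (assumed to exist).
BASELINE = """\
root:Xq1pZ7aaBBccd:0:1:Operator:/:/bin/csh
daemon:*:1:1::/:
uucp:*:4:8::/usr/spool/uucppublic:/usr/lib/uucp/uucico
alice:Ab3dEfGhIjKlM:101:20:Alice Example:/home/alice:/bin/csh
"""

# Constructed sample: the password file as found on the running system.
CURRENT = """\
root:Xq1pZ7aaBBccd:0:1:Operator:/:/bin/csh
daemon:*:1:1::/:
uucp::4:8::/usr/spool/uucppublic:/usr/lib/uucp/uucico
alice:Ab3dEfGhIjKlM:101:20:Alice Example:/home/alice:/bin/csh
guest::102:20:Guest:/home/guest:/bin/sh
sysmaint:Zz9yXwVuTsRqP:00:1::/:/bin/sh
broken:line
"""


def parse_passwd(text):
    """Return (entries, malformed); malformed holds (line number, raw line)."""
    entries, malformed = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        numeric = len(fields) == 7 and all(
            re.fullmatch(r"[0-9]+", f) for f in fields[2:4])
        if not numeric:
            malformed.append((lineno, line))
            continue
        name, pw, uid, gid, gecos, home, shell = fields
        # Compare UIDs as integers: "00" is still UID 0 to the system.
        entries.append(Entry(name, pw, int(uid), int(gid), gecos, home, shell))
    return entries, malformed


def audit(current_text, baseline_text):
    """Flag the conditions the checklist names, plus lines that do not parse."""
    current, malformed = parse_passwd(current_text)
    baseline, _ = parse_passwd(baseline_text)
    known = {e.name: e for e in baseline}
    findings = [Finding("malformed", "-", "line %d: %r" % (n, raw))
                for n, raw in malformed]
    for e in current:
        if e.uid == 0 and e.name != "root":
            findings.append(Finding("extra-uid0", e.name, "UID 0 besides root"))
        if e.passwd == "":
            findings.append(Finding("no-password", e.name, "empty password field"))
        old = known.get(e.name)
        if old is None:
            findings.append(Finding("new-entry", e.name, "not in baseline copy"))
        elif old != e:
            changed = [f for f in Entry._fields if getattr(old, f) != getattr(e, f)]
            findings.append(Finding("changed-entry", e.name,
                                    "fields changed: " + ",".join(changed)))
    return findings


if __name__ == "__main__":
    for f in audit(CURRENT, BASELINE):
        print("%-14s %-10s %s" % f)
```
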

------------------------------

Date: Tue, 20 Mar 90 09:15:32 PST
From: Randal Schwartz <merlyn@iwarp.intel.com>
Subject: Risks of reporting breakins

"Who *was* that bearded man?"

Just Peter Neumann, the RISKS moderator.  He was being interviewed on CNN
last night about the recent Internet breakins.

Now for the RISKS element:

The reporter, while talking about "hacker-this" and "virus-that", used screen
shots of a terminal.  The text was obviously from some BSD-like system, because
I recognized a listing of /etc.  A moment later, for at least two seconds on
the screen, I got a clear picture of /etc/passwd!  And a few moments later, an
entire login sequence (with hostname, username, and password)!  (I wasn't
taping it... sigh. :-)

When you let the press into your cube, be sure you aren't doing something
wonderful on your screen.

Does this qualify as an "out-of-band" transmission? :-)

Randal L. Schwartz, Stonehenge Consulting Services Beaverton, Oregon, USA
(503)777-0095

    [Good point, although it occurred at least once before on a filmed episode
    of a lady hacker being shown carrying out a breakin on camera.  PGN]

------------------------------

-----------[000019][next][prev][last][first]----------------------------------------------------
Date:      4 Apr 90 09:19:23 GMT
From:      msb@sq.com (Mark Brader)
To:        misc.security
Subject:   holograms on bills

First, to clarify one thing, the so-called hologram on the new
Canadian $50 is no such thing.  I don't know how it is made, but
it has the appearance of a slightly textured piece of metal foil of
solid color (with the denomination overlaid on it in opaque white).
The special feature is that the color changes from green to yellow
as the patch is viewed from different angles.

More interesting is the new Australian $10 note (as they say) that
was just being introduced when I visited there in 1988.  I delayed
mentioning this because I was hoping someone would have newer or
more detailed information on how it's made or how successful the
techniques have been.

The paper that it's printed on is unusual and feels as though it is
impregnated with plastic, like those strong mailing envelopes that
one sometimes sees nowadays.  In one corner of the note, the paper
has a *hole* of irregular, roughly circular shape, about 25 mm across.

Suspended in the center of this hole is an oval foil patch 17 x 20 mm
with a portrait.  The portrait is not done in ink, nor embossed in the
conventional way -- it appears to be delineated by many small sections
of diffraction grating, so that when viewed under a directional light,
the picture is seen in many different colors that change as the note
is turned or the viewing angle changed.  I guess the grating's rulings show
through the foil, as the back looks like a mirror image of the same picture.

Finally, the suspension of the portrait in the hole is achieved by an
almost perfectly transparent plastic section, which blends into the
main part of the note with no joint that can be felt.  (The joint can
however be seen if one looks for it.  My guess is that two pieces of
the plastic are applied to opposite sides of the hole, with the foil
patch already on one of them, and then heated to fuse everything.)
There are some more subtle details here, like the shape of the plastic
piece, but this message is long enough.

Mark Brader, SoftQuad Inc., Toronto, utzoo!sq!msb, msb@sq.com
	We can design a system that's proof against accident and stupidity;
	but we CAN'T design one that's proof against deliberate malice.
	-- a spaceship designer in Arthur C. Clarke's "2001: A Space Odyssey"

-----------[000020][next][prev][last][first]----------------------------------------------------
Date:      Thu, 5 Apr 90 11:23:53 PDT
From:      rogers@marlin.nosc.mil (Rollo D. Rogers)
To:        galvin@tis.com
Cc:        gwyn@smoke.brl.mil, misc-security@rutgers.edu
Subject:   Re:: Answerbacks / Vendor Liability
Howdy,

Well, if the Federal Govt. (DOD) has their way, by 1992 DEC & SUN will
have to provide Operating Systems that are at least C2 secure, if they
wanta sell to Uncle Sam. At least that is what we in DOD Computer Security
have been told... :-)

  REgards, RollO~~

-----------[000021][next][prev][last][first]----------------------------------------------------
Date:      Thu, 5 Apr 90 10:50 CDT
From:      douglas@ddsw1.mcs.com (Douglas Mason)
To:        misc-security@rutgers.edu
Subject:   Re: Opening an old safe?
There is commercially available equipment that can open even a quite
complex safe.  For about $10k you can get a personal-computer-turned
safecracker that actually works pretty damn good!

$10k is a lot of money if you aren't doing it professionally, but I imagine
it pays for itself quite quickly for some people out there!  :-)

A friend that runs a security/sweep type business brings interesting things
like that over.

-Douglas Mason

-- 
Douglas T. Mason | douglas@ddsw1.UUCP or dtmason@m-net | 

-----------[000022][next][prev][last][first]----------------------------------------------------
Date:      5 Apr 90 06:40:16 GMT
From:      mccoy@ILS.NWU.EDU (Jim McCoy)
To:        misc.security
Subject:   Re: trashcan security

> Of course, this leads to the question of WHY anyone with anything
> to hide would merely THROW AWAY incriminating documents...

Because some people do not think.  People assume that it is illegal to
poke into their trash or assume that it will not be done.

Once you place a trashbag on the street for municipal pickup it
becomes public property.  Anyone can take the trashbag and do whatever
they want with it.  Commercial dumpsters and other private disposal
units may be a different case, as it could probably be argued that the
units are private property and require a warrant. (Although only the
law enforcement agencies need this, private individuals [and private
investigators] can take what they want and claim it had spilled to the
ground or been blown out by the wind, etc.)

[note: My legal background is very general, but I am fairly certain
about the trashbags on the street part]

> any of the credit card companies require that used credit card vouchers
> be shredded or burned when disposed of, etc?

Most credit card receipts that I know of are perforated so that the
carbon paper will split into two parts in the middle of the card
number.  Merchants are supposed to throw them away in different
trashcans or mix them up in some fashion.

jim

------------------------------< Jim McCoy >------------------------------------
mccoy@acns.nwu.edu                  |  "Those whom the gods would destroy,
mccoy@ils.nwu.edu                   |   they first make mad...
#include <disclaimer.h>             |              -Sophocles
-----------------------<"To thine own self be true">--------------------------

-----------[000023][next][prev][last][first]----------------------------------------------------
Date:      5 Apr 90 07:22:54 GMT
From:      brian@UCSD.EDU (Brian Kantor)
To:        misc.security
Subject:   Re:  Opening an old safe?

I suspect that nearly every office safe in existence can be opened by
rolling it into the freight elevator, taking it up to the roof, and
pushing it off onto the pavement 20 stories below.  It should at least
spring the hinges.

Money isn't fragile.

Of course, if the safe can't be moved this won't work.  Is there any
other reason it might not?  Am I just dreaming?

No, it's not subtle.  But who's likely to notice one loud crash in the
middle of the night in an office complex?
	- Brian

-----------[000024][next][prev][last][first]----------------------------------------------------
Date:      5 Apr 90 15:30:08 GMT
From:      waters@darla.sps.mot.com (Strawberry Jammer)
To:        misc.security
Subject:   Re: trashcan security

{        Of course, this leads to the question of WHY anyone with anything
{to hide would merely THROW AWAY incriminating documents...

Of course just what is incriminating can be hard to say in advance too.

And who says it is THEIR garbage?

I'm just glad my lawyer uses "The Ollie North Memorial Shredder" on
everything he trashes! (I'm not kidding he has a large label on the side)

{        The question is, of course, how common is this sort of thing
{really, is any sort of a warrant required (in the US anyway), etc.

Not since the "Reagan Court" decided that your garbage was "in the public
domain."

{        Sort of the same problem in reverse applies to retailers, do
{any of the credit card companies require that used credit card vouchers
{be shredded or burned when disposed of, etc?

Not that I'm aware of, certainly none of the small businesses that I have
worked with bother. 

           *Mike Waters    AA4MW/7  waters@dover.sps.mot.com *
 
Reality--what a concept!

-----------[000025][next][prev][last][first]----------------------------------------------------
Date:      5 Apr 90 15:41:23 GMT
From:      Doug Gwyn <gwyn@smoke.brl.mil>
To:        misc-security@rutgers.edu
Subject:   Re: Opening an old safe
>Since it's a small town and probably doesn't have
>a lot of safes in it, doesn't it seem likely that the guy knew
>the combination and just said that he'd done it by feel?

While that's possible, it is nonetheless true that one can open
older combination locks by a manipulation technique without much
difficulty.  Newer locks, at least the good ones, incorporate
anti-manipulation features.

-----------[000026][next][prev][last][first]----------------------------------------------------
Date:      5 Apr 90 15:50:00 GMT
From:      douglas@ddsw1.mcs.com (Douglas Mason)
To:        misc.security
Subject:   Re: Opening an old safe?

There is commercially available equipment that can open even a quite
complex safe.  For about $10k you can get a personal-computer-turned
safecracker that actually works pretty damn good!

$10k is a lot of money if you aren't doing it professionally, but I imagine
it pays for itself quite quickly for some people out there!  :-)

A friend that runs a security/sweep type business brings interesting things
like that over.

-Douglas Mason

-- 
Douglas T. Mason | douglas@ddsw1.UUCP or dtmason@m-net | 

-----------[000027][next][prev][last][first]----------------------------------------------------
Date:      5 Apr 90 18:23:53 GMT
From:      rogers@MARLIN.NOSC.MIL (Rollo D. Rogers)
To:        misc.security
Subject:   Re:: Answerbacks / Vendor Liability

Howdy,

Well, if the Federal Govt. (DOD) has their way, by 1992 DEC & SUN will
have to provide Operating Systems that are at least C2 secure, if they
wanta sell to Uncle Sam. At least that is what we in DOD Computer Security
have been told... :-)

  REgards, RollO~~

-----------[000028][next][prev][last][first]----------------------------------------------------
Date:      Fri, 06 Apr 90 10:42:43 -0500
From:      kovar%popvax@harvard.harvard.edu
To:        security@pyrite.rutgers.edu
Subject:   Re: Opening an old safe?
  Some very nice practical examples of opening safes and related items
can be found in the book "Surely You Must be Joking, Mr. Feynman" by
Richard Feynman. It's a very good read anyhow, but he describes how
he learned to open all of the file cabinets that were used for storing
the atomic bomb data.

-David

-----------[000029][next][prev][last][first]----------------------------------------------------
Date:      6 Apr 90 02:59:27 GMT
From:      al@escom.com (Al Donaldson)
To:        misc-security@uunet.uu.net
Subject:   Re: trashcan security
I worked for a company (a vendor in the security business) who collected
all printouts, listings, etc., rather than throwing them in the trash.
Idea was to eventually shred it all, I guess, but as the years rolled 
by the boxes of old listings piled up til one could barely get in the lab.

Since the county dump was on my way home, I offered to take it to the 
dump 3 or 4 boxes at a time and throw it in front of the fork loaders
that fill up the huge trucks that go to the disposal site.  Nah, someone
might actually search through several acres of used diapers and actually
find our CODE!!  

So, a month or two later the company hires a new janitor.  Wanting to 
make a good impression, he sees all these boxes of trash piled near the
door and takes them out and puts them in the dumpster, where they should
have gone years before and where they stayed for a week til the trash 
haulers showed up.  No one I knew was about to haul it back in.  :-)

Al

-----------[000030][next][prev][last][first]----------------------------------------------------
Date:      6 Apr 90 06:10:29 GMT
From:      jef@well.sf.ca.us (Jef Poskanzer)
To:        misc-security@uunet.uu.net
Subject:   Re: Debate on Computer Hacking
What Harper's published was edited down by about a factor of ten from
the original.  If you want to see the original, feel free to get yourself
a WELL account and visit the "hacking" conference.
---
Jef

  Jef Poskanzer  jef@well.sf.ca.us  {ucbvax, apple, hplabs}!well!jef
  "Be in nothing so moderate as in love of man." -- Robinson Jeffers

-----------[000031][next][prev][last][first]----------------------------------------------------
Date:      Fri,  6 Apr 90 14:12:06 EDT
From:      szirin@cbnewsm.ATT.COM (seth.zirin)
To:        misc-security@att.att.com
Subject:   Re:  Opening an old safe?
A safe technician supply catalog that arrived in the mail this week listed
at least three (3) "amplifiers" for use when "cracking" safes.  There's
more to it than sound, but sound is helpful also.

>More modern "spy proof" &
>"manipulation proof" locks resist such penetration attempts.

There is no such thing as a "spy proof" lock.  The term is "spy proof dial"
and refers to a dial that shields view of the numbers so they can be
seen by only the dialer.  A "spy proof" dial does not make a lock significantly
more difficult to manipulate.

No modern lock is called "manipulation proof" since manufacturers are
smart enough to not make wild claims that will cost them during litigation.
The correct term is "manipulation resistant" and refers to locks designed
with features that make traditional methods of manipulation impractical
or impossible.

>A thermal lance is typically a hollow fuel rod with a high pressure oxygen
>source in the center (2000-4000 psi gas tank) usually used to burn

The oxygen exits the tank through a regulator and flows through a rubber
hose at less than 90 PSI.  The 2000-4000 PSI would be a bit much for a
rubber welding hose.

Cobalt drill bits will not cut the plates and/or plugs of solid tungsten
carbide found in many newer high security safes.  The mini-lance is
often the only way to bypass these and other dastardly barrier materials.

I hope I didn't say too much,

Seth Zirin

(Member: Safe and Vault Technicians Association)

-----------[000032][next][prev][last][first]----------------------------------------------------
Date:      Fri, 6 Apr 90 10:48:28 EET DST
From:      Jyrki Jouko Juhani Kasvi <s30735p@taltta.hut.fi>
To:        security@pyrite.rutgers.edu
Subject:   Re: Opening an old safe
Opening old safes can be a REAL problem ...

	At least in one case it was darn dangerous too and
	I'd like to hear comments on how close we actually
	were to bang our brains out.
		You see, we had this decades old huge (about
	1*1.5*2 metres) safe with almost as old dynamite in
	it -- and the keys had been lost for at least ten
	years... Finally when the room the safe was in had
	to be repaired, something had to be done. The problem
	was that the building the safe was in, was made out
	of concrete, so opening it inside was out of question
	(No idea to collapse the whole pigshed -- with pigs
	and all, especially when the first floor was full of
	wheat.)
		So the safe was lifted with a tractor and
	*bang* and carried *crash* in the middle of *bum*
	the field *///*. There the lock (the key-part) was
	drilled open by a volunteer (my poor dad actually)
	*screeeeeech* *sparks_too*, the number-part opened
	and the dynamite (in a surprisingly good condition)
	destroyed...

Yours, JJJ -- (s30735p@taltta.hut.fi)
OD

-----------[000033][next][prev][last][first]----------------------------------------------------
Date:      6 Apr 90 11:47:13 GMT
From:      gopstein@soleil.UUCP (Rich Gopstein)
To:        misc.security
Subject:   Re: Opening an old safe?

I've been thinking about this problem for a while (while my library
tries to get a copy of "Guide to Manipulation"), and I don't understand
how someone can open a safe by touch.  This is my (apparently incorrect)
understanding:

I found an old safe to experiment on (one which I know the combination
to), and spent a few minutes turning the dial and listening to the
tumblers contacting each other.  I was able to repeatedly hear all of
the clicks.  Then I thought about what the clicking information had
given me -- nearly nothing.  From the rotational distance between clicks,
you can only determine the thickness of the pins in the tumblers
which contact each other.  How can you relate this to the location of
the locking mechanism's indents? When you're turning the dial, nothing
is touching the indents, so there is no tactile information about where
they are...  You would get the same set of "clicks" no matter what the
combination is set to.

			-- Confused

-- 
Rich Gopstein

..!rutgers!soleil!gopstein

-----------[000034][next][prev][last][first]----------------------------------------------------
Date:      6 Apr 90 15:42:43 GMT
From:      kovar%popvax@HARVARD.HARVARD.EDU
To:        misc.security
Subject:   Re: Opening an old safe?


  Some very nice practical examples of opening safes and related items
can be found in the book "Surely You Must be Joking, Mr. Feynman" by
Richard Feynman. It's a very good read anyhow, but he describes how
he learned to open all of the file cabinets that were used for storing
the atomic bomb data.

-David

-----------[000035][next][prev][last][first]----------------------------------------------------
Date:      7 Apr 90 00:37:16 GMT
From:      kelly@uts.amdahl.com (Kelly Goen)
To:        misc-security@ames.arc.nasa.gov
Subject:   Re:  Opening an old safe?
Tip the safe over and crow bar the bottom panel(with a giant sized can
opener shaped implement made of good steel.... widely used...but
you have to fabricate the opener yourself... works great on
most small office safes(read cheap construction)...
    cheers
    kelly

-----------[000036][next][prev][last][first]----------------------------------------------------
Date:      Sat, 7 Apr 90 10:45:05 MDT
From:      jimkirk@outlaw.uwyo.edu (James Kirkpatrick)
To:        security@pyrite.rutgers.edu
Subject:   Re: Data Compression and Cryptography
It is generally conceded that data compression of some sort is a good
thing to do to a text file before encryption.  This reduces the size
and also reduces the redundancy, making cryptanalysis more difficult.

However, if the compression scheme is known (a good presumption), and
the scheme itself introduces patterns/redundancy or known text, it may
actually give a cryptanalyst a stronger leverage point than the
uncompressed encrypted text.  For example, if a data compressor always
starts the output file with the text string "PKXARC4.1", you can probably
apply a known-plaintext attack (which may not be helpful, of course,
depending on the cryptosystem used).

Has anybody studied this problem, or surveyed compression methods and
packages?  For example, is Lempel-Ziv compression more cryptographically
"sound" than, say, ZOO or the various ARC packages commonly in use
on Personal Computers?
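
The point about compressors that emit known text can be measured. The following added example (not part of the original message) compresses several constructed inputs with the formats in Python's standard library and reports the bytes every output begins with, which is plaintext an analyst knows in advance; raw deflate is included as the wrapper-free contrast. PKXARC, ZOO and ARC are not in the standard library and are not covered.

```python
import bz2
import gzip
import lzma
import zlib


def raw_deflate(data):
    """Deflate stream without the zlib or gzip wrapper (negative wbits)."""
    c = zlib.compressobj(-1, zlib.DEFLATED, -15)
    return c.compress(data) + c.flush()


FORMATS = {
    "zlib": zlib.compress,
    # mtime=0 pins the timestamp; a real timestamp is guessable, not constant.
    "gzip": lambda d: gzip.compress(d, mtime=0),
    "bzip2": bz2.compress,
    "xz": lzma.compress,
    "raw deflate": raw_deflate,
}

# Constructed inputs with very different statistics.
SAMPLES = [
    b"Meet at the usual place at noon.\n",
    bytes(range(256)) * 4,
    b"A" * 1000,
    b"\x00\xff" * 300 + b"tail",
]


def common_prefix(blobs):
    """Longest byte string that every blob starts with."""
    prefix = blobs[0]
    for blob in blobs[1:]:
        n = 0
        while n < min(len(prefix), len(blob)) and prefix[n] == blob[n]:
            n += 1
        prefix = prefix[:n]
    return prefix


def predictable_prefixes(samples=SAMPLES):
    """Map each format name to the bytes its output always starts with here."""
    return {name: common_prefix([fn(s) for s in samples])
            for name, fn in FORMATS.items()}


if __name__ == "__main__":
    for name, prefix in predictable_prefixes().items():
        print("%-12s %2d known bytes  %s" % (name, len(prefix), prefix.hex()))
```
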

-----------[000037][next][prev][last][first]----------------------------------------------------
Date:      7 Apr 90 16:45:05 GMT
From:      jimkirk@OUTLAW.UWYO.EDU (James Kirkpatrick)
To:        misc.security
Subject:   Re: Data Compression and Cryptography

It is generally conceded that data compression of some sort is a good
thing to do to a text file before encryption.  This reduces the size
and also reduces the redundancy, making cryptanalysis more difficult.

However, if the compression scheme is known (a good presumption), and
the scheme itself introduces patterns/redundancy or known text, it may
actually give a cryptanalyst a stronger leverage point than the
uncompressed encrypted text.  For example, if a data compressor always
starts the output file with the text string "PKXARC4.1", you can probably
apply a known-plaintext attack (which may not be helpful, of course,
depending on the cryptosystem used).

Has anybody studied this problem, or surveyed compression methods and
packages?  For example, is Lempel-Ziv compression more cryptographically
"sound" than, say, ZOO or the various ARC packages commonly in use
on Personal Computers?

-----------[000038][next][prev][last][first]----------------------------------------------------
Date:      Tue, 10 Apr 90 08:04:24 -0600
From:      zeleznik@cs.utah.edu (Mike Zeleznik)
To:        security@pyrite.rutgers.edu
Subject:   Re: Crime & Secure systems
>Sun frequently implies that SunOS 4.x is a C2 system, but then in the
>security features guide mentions that they never actually had it evaluated

Perhaps this has been mentioned before, but it has to be kept in mind.
There are a lot more products that are

  "DESIGNED TO  TCSEC level ** specifications"
than are
  "CERTIFIED AT TCSEC level ** specifications"

and the sales lit often is not clear on this fact.

Mike

  Michael Zeleznik              Computer Science Dept.
                                University of Utah
  zeleznik@cs.utah.edu          Salt Lake City, UT  84112
                                (801) 581-5617

-----------[000039][next][prev][last][first]----------------------------------------------------
Date:      Wed, 11 Apr 90 22:27:10 -0900
From:      "Jonathan Clemens"  <FSJPC@alaska.bitnet>
To:        security@pyrite.rutgers.edu
Subject:   Re: Locks/Security in large institutions (e.g. Universities)
Removable cores? After my high-school exploits, I would hesitate to
use any such system... An associate and myself, using just calipers,
hacksaw, file, and key blanks, totally destroyed the security in our
entire school district. The high school was cored with BEST locks,
including locks on the electrical panels and padlocks.

We stole six identical cores off of three electrical panels that had
been locked open. My associate, given only the two books on locksmithing
that we'd checked out from the local library, took apart the cores,
measured the pin heights, and, given 10 BEST blanks that I'd bought
(no questions asked) from Fred Meyer's, managed to manufacture a change
key, and a key to unlock that core. He never managed to make a master
key, but we didn't need that one to move about. We'd just remove the
original door core, insert one of the electrical panel cores (we had
four left), unlock it, open the door, re-lock it, and insert the original
core. I eventually developed a pseudo-core (a dowel with properly
drilled holes) that could hold the fork to "lock" and "unlock" the
doors.

My associate and I parted ways after a difference of opinion regarding
what we would do with the keys (oh, yes, they duplicated nicely at Fred
Meyer's). There were eventually a series of thefts, and I implicated him,
but nothing could ever be proven.

A task I'd embarked upon as an enthusiastic young hacker (following the
'hacker ethic', although I didn't know it as such at the time) opened
my eyes to just how vulnerable these systems are.

> Best of all (no pun intended) is if the cores are not stamped on
> the outside with a keying code but only on the inside.  That way
> the only way someone could use an old copy of a key is to try it
> in about half the locks until he found the matching core!

PLUS, without the numbers on the outside, people (like my associate and I)
can't just casually browse the building, gathering the sub-mastering and
mastering zones and conventions. All we needed was time, and the whole thing
became plain. You could hand either of us a key, and we could tell you which
department it went to, and occasionally the teacher to whom it belonged.

                                        Jonathan Clemens

-----------[000040][next][prev][last][first]----------------------------------------------------
Date:      Wed, 11 Apr 90 15:47:16 -0400
From:      simsong@athena.mit.edu
To:        security@rutgers.edu
Subject:   problems with shar files
Sitting in somebody's office today, watching them get a shar file from
the net, I started wondering if this common practice of unsharing
files without detailed, line-by-line inspection, isn't asking for a
disaster.

Imagine a shar file that echoed lines like:
	x Foobar1
	x Foobar2
	x Foobar3

But it was really executing commands like:
	echo x Foobar1
	/bin/rm *
	echo x Foobar2
	/bin/rm ../*

Well, you get the idea.  Richard Stallman suggested that one way
around this problem would be for newsgroups to send out uuencoded tar
files.  It seems another way would be to have a program (other than
sh) to decode shar files which only allowed certain shell commands to
execute.

Thoughts?
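
One way to approach the second suggestion above, a program other than sh that only lets certain shell commands through, is to vet the archive before anything runs. This is an added example, not code from the original message: the allowlist, the file-name rule and both sample archives are assumptions of the example, and the checker is a deliberately conservative line scanner that rejects whatever it cannot parse rather than a full sh parser.

```python
import re
import shlex

# Assumed policy for this example: the few commands a plain shar needs.
ALLOWED = {"echo", "sed", "cat", "mkdir", "test", "exit"}
KEYWORDS = {"if", "then", "else", "elif", "fi"}
HEREDOC = re.compile(r"<<[ \t]*(\\|'|\")?([A-Za-z0-9_]+)['\"]?")
REDIRECT = re.compile(r"\d*>>?(.*)")
# Relative names only: no leading "/", "~", "$" or ".", so no ".." either.
SAFE_PATH = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.+-]*(/[A-Za-z0-9_][A-Za-z0-9_.+-]*)*")

# Constructed sample archives.
BENIGN = """#!/bin/sh
# This is a shell archive.
echo x - Foobar1
sed 's/^X//' > Foobar1 << 'SHAR_EOF'
X/bin/rm * is only file content inside a quoted here-document
SHAR_EOF
if test -f Foobar1; then echo ok; fi
exit 0
"""
HOSTILE = """#!/bin/sh
echo x Foobar1
/bin/rm *
echo x Foobar2; /bin/rm ../*
echo x `date`
cat > ../Foobar4 << EOF
$(date)
EOF
"""


def scan_line(line):
    """Split a line into simple commands; return (commands, delimiter, quoted)."""
    parts, buf, quote, delim, quoted, i = [], [], None, None, False, 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and quote != "'" and i + 1 < len(line):
            buf.append(line[i:i + 2])            # escaped character is never special
            i += 2
            continue
        if quote != "'" and (ch == "`" or line.startswith("$(", i)):
            raise ValueError("command substitution")
        if quote:
            if ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
        elif line.startswith("<<", i):           # here-document outside quotes
            m = HEREDOC.match(line, i)
            if not m or delim:
                raise ValueError("unsupported here-document")
            delim, quoted = m.group(2), bool(m.group(1))
            buf.append(m.group(0))
            i = m.end()
            continue
        elif ch in ";|&":                        # each side is its own command
            parts.append("".join(buf))
            buf = []
            i += 1
            continue
        buf.append(ch)
        i += 1
    if quote:
        raise ValueError("unbalanced quote")
    parts.append("".join(buf))
    return [p for p in parts if p.strip()], delim, quoted


def redirect_targets(words):
    """Yield the file names that > or >> (with optional fd number) write to."""
    for pos, word in enumerate(words):
        m = REDIRECT.fullmatch(word)
        if m:
            yield m.group(1) or (words[pos + 1] if pos + 1 < len(words) else "")


def vet_shar(text):
    """Return [(line number, reason)] for everything outside the policy."""
    findings, lines, n = [], text.splitlines(), 0
    while n < len(lines):
        line = lines[n]
        n += 1                                   # n is now the 1-based line number
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        try:
            commands, delim, quoted = scan_line(line)
            for cmd in commands:
                words = shlex.split(cmd)
                while words and words[0] in KEYWORDS:
                    words.pop(0)
                if words and words[0] not in ALLOWED:
                    findings.append((n, "command not allowed: " + words[0]))
                for target in redirect_targets(words):
                    if not SAFE_PATH.fullmatch(target):
                        findings.append((n, "unsafe redirect target: " + target))
        except ValueError as exc:                # fail closed on anything unparsed
            findings.append((n, "rejected: %s" % exc))
            continue
        if delim is None:
            continue
        if not quoted:
            findings.append((n, "unquoted here-document: sh would expand its body"))
        start = n
        while n < len(lines) and lines[n] != delim:
            n += 1                               # body lines are data, not commands
        if n == len(lines):
            findings.append((start, "unterminated here-document"))
        n += 1                                   # step past the delimiter line
    return findings
```

An archive is unpacked only when `vet_shar` returns an empty list. A here-document marker inside quotes is not treated as one, so text such as `echo '<< X'` cannot be used to hide the lines that follow it.
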

-----------[000041][next][prev][last][first]----------------------------------------------------
Date:      11 APR 90 21:12:58 CDT
From:      MARK KINSLER <KINSLER@usmcp6.bitnet>
To:        <SECURITY@TCSVM>
Subject:   A source for alarm stuff
One good place is MCM Electronics in Dayton, Ohio.  The toll-free
number is 1 800 543 4330.  They are basically a TV repair supply
company, and their alarm stuff isn't all that sophisticated.  But
their prices are good and they have a good catalog.  Call them
and they'll send one out.
   Or get a big dog.
    Woof!

<kinsler@usmcp6.bitnet>, U of Southern Mississippi, Gulf Coast

-----------[000042][next][prev][last][first]----------------------------------------------------
Date:      Thu, 12 Apr 90 03:02 CST
From:      <MISS026@ecncdc.bitnet>
To:        <security@pyrite.rutgers.edu>
Subject:   re^2: Locks/Security in large institutions (e.g. Universities)
> Removable core systems make this ...easy and inexpensive...just permute
> the cores....

uh huh, why go to all that trouble and expense of paying the campus locksmiths
to permute the cores? Just charge any and all students that don't return their
keys $65.00 to recore the lock (like they did at my old school...).  That,
combined with the fact that the keys were BEST blanks, stamped DO NOT
DUPLICATE, and the fact that we were stuck in Bumblef***-Egypt was enuf to
keep *MOST* students from duplicating their keys....

> the only way someone could use an old copy of a key is to try it in about
> half the locks...(with the code stamped on the inside of the core..)

well, with the way most institutions are, they don't want to go nutty pulling
and replacing cores every year, so they tend to stick to a standard coding
system, and a standard number of cores per floor (in the case of my university
I believe that they had 160 cores set up for each floor, and there were only
80 rooms...this gave them 80 cores to recore a door with, and over a period of
years, reusing a core to recore with was not a huge security problem...). The
code on the key corresponded to the floor you lived on (once you figured out
the positional code, it wasn't hard to break the code [I just compared about 5
keys...]), as well as the building.....another simple code told you the
room number on the floor.  Note that this was the KEY code so that the
public safety bozos could return lost keys....Stamped on the core was another
code which corresponded to the PINNING inside the lock.  That way you could
get 10 keys or so and compare the codes, but not break the great-grandmaster
pinning combination since it was stamped on the inside of the cores.

And the only people supposed to have control keys was Public Safety, and
the locksmiths.....'course you could always remove the entire lock cylinder
from the door and drill out the core retaining area, then deal with the core
...

Bye for now but not for long
Greeny
BITNET: MISS026@ECNCDC
Internet: MISS026%ECNCDC.BITNET@CUNYVM.CUNY.EDU
GEnie: GREENY
MacNet: GREENY

-----------[000043][next][prev][last][first]----------------------------------------------------
Date:      12 Apr 90 02:12:58 GMT
From:      KINSLER@usmcp6.BITNET (MARK KINSLER)
To:        misc.security
Subject:   A source for alarm stuff

One good place is MCM Electronics in Dayton, Ohio.  The toll-free
number is 1 800 543 4330.  They are basically a TV repair supply
company, and their alarm stuff isn't all that sophisticated.  But
their prices are good and they have a good catalog.  Call them
and they'll send one out.
   Or get a big dog.
    Woof!

<kinsler@usmcp6.bitnet>, U of Southern Mississippi, Gulf Coast

-----------[000044][next][prev][last][first]----------------------------------------------------
Date:      Thu, 12 Apr 90 07:40:44 EDT
From:      Miguel_Cruz@ub.cc.umich.edu
To:        misc-security@rutgers.edu
>Best of all is if the cores are not stamped on the outside with
>a keying code but only on the inside
 
Key codes printed on the cores also make it really easy to isolate
the submaster zones and make it childishly simple to whip up a
grand master if you can get your hands on 2 or 3 keys from different
areas of the building.
 
Even dumber are the keys with the actual pin heights printed on
the key handle; I've seen people call a security guard to open a
door and catch the number on the guard's key, then turn around and
file a grand master from a blank in 10 or 15 minutes.
 
vig

-----------[000045][next][prev][last][first]----------------------------------------------------
Date:      12 Apr 90 09:02:00 GMT
From:      MISS026@ecncdc.BITNET
To:        misc.security
Subject:   re^2: Locks/Security in large institutions (e.g. Universities)

> Removable core systems make this ...easy and inexpensive...just permute
> the cores....

uh huh, why go to all that trouble and expense of paying the campus locksmiths
to permute the cores? Just charge any and all students that don't return their
keys $65.00 to recore the lock (like they did at my old school...).  That,
combined with the fact that the keys were BEST blanks, stamped DO NOT
DUPLICATE, and the fact that we were stuck in Bumblef***-Egypt was enuf to
keep *MOST* students from duplicating their keys....

> the only way someone could use an old copy of a key is to try it in about
> half the locks...(with the code stamped on the inside of the core..)

well, with the way most institutions are, they don't want to go nutty pulling
and replacing cores every year, so they tend to stick to a standard coding
system, and a standard number of cores per floor (in the case of my university
I believe that they had 160 cores set up for each floor, and there were only
80 rooms...this gave them 80 cores to recore a door with, and over a period of
years, reusing a core to recore with was not a huge security problem...). The
code on the key corresponded to the floor you lived on (once you figured out
the positional code, it wasn't hard to break the code [I just compared about 5
keys...]), as well as the building.....another simple code told you the
room number on the floor.  Note that this was the KEY code so that the
public safety bozos could return lost keys....Stamped on the core was another
code which corresponded to the PINNING inside the lock.  That way you could
get 10 keys or so and compare the codes, but not break the great-grandmaster
pinning combination since it was stamped on the inside of the cores.

And the only people supposed to have control keys was Public Safety, and
the locksmiths.....'course you could always remove the entire lock cylinder
from the door and drill out the core retaining area, then deal with the core
...

Bye for now but not for long
Greeny
BITNET: MISS026@ECNCDC
Internet: MISS026%ECNCDC.BITNET@CUNYVM.CUNY.EDU
GEnie: GREENY
MacNet: GREENY

-----------[000046][next][prev][last][first]----------------------------------------------------
Date:      Thursday, 12 Apr 1990 17:01:24 EDT
From:      Mark Solsman <MHS108@psuvm.psu.edu>
To:        SECURITY@rutgers.edu
Subject:   Ink for Currency
Yep, it is true. When I was 10 I found about $20. We called a police officer to
check for funnies. He rubbed the bills on a white piece of paper and explained
that a real bill will smudge. Well, it did and I waited 3 weeks, so I went and
got some matchbox cars!

 -----
 Mark Solsman, Pennsylvania State University, Scranton, Pennsylvania, USA

MHS108 @ PSUVM.BITNET                                MHS108 @ PSUVM.PSU.EDU

-----------[000047][next][prev][last][first]----------------------------------------------------
Date:      Fri, 13 Apr 90 01:02:25 EDT
From:      u3949@jsp.umontreal.ca (Touati Samy)
To:        gwyn@smoke.brl.mil, misc-security@rutgers.edu
Subject:   Re: New superhacker at work?
Talking about superhacker and the worm, I read in Unix World that their next
issue will list the code of the worm and they will discuss whether the holes
have been patched. (June issue)

Samy Touati
u3949@jsp.montreal.ca

-----------[000048][next][prev][last][first]----------------------------------------------------
Date:      Fri, 13 Apr 90 09:11:29 -0700
From:      vancleef@fs01.nas.nasa.gov (Robert E. Van Cleef)
To:        robert@altitude.cam.org
Cc:        misc-security@uunet.uu.net
Subject:   Internet Security
The problem is much deeper than that. Even if you care about the
security of your systems, there is only so much that you can do...

   1 - selecting good passwords is a start, but why do
       so many systems enforce standards only so far?

       For example, BSD based systems will allow you to
       pick a stupid password by repeating it three times.

       Also, many systems enforce standards for everyone except root!

The real problem is the complexity involved in "doing it right". You
can't simply take a system out of the box and plug it in. You have to
be an experienced "system administrator" to know the correct things to
do... And I'm not referring to just security oriented items.

    2 - How many systems are shipped by the manufacturer with
	dangerous defaults configured in?

	SGI 4D20's will automatically flood a network if they are
	placed on the same network as a diskless Sun. You could call
	this a "denial of service" attack.

	One vendor shipped their OS software update so that all system
	directories were configured 777. And, of course, the Emacs
	distribution tapes that were used to build the "Cuckoo's Egg"
	were also set to 777.

	We had a disk partition rebuilt on one of our systems; an
	administrator used 'tar' to copy all of the files from one
	partition to another. It was a short time before we discovered
	that all directories were now 777...

Then there is the problem of learning what is "right". 

    3 - I have been working on system administration since version 7 and
	yet I had never heard of, or been told about, the "commonly
	known" hole in Sendmail that the Morris Worm used.

	Most small sites do not have a full time system administrator
	who can spend time monitoring all of the networks for the
	latest patches. In fact, many do not have network access beyond
	one or two UUCP links, if that much. How are they to even learn
	that there is a problem? (Gee: Maybe their vendor should tell
	them :-(

The biggest help we could get would be for the vendors to take system
configuration constraints seriously and ensure that their systems are
shipped with a default configuration that makes sense! (Of course
keeping up with bug fixes would also be nice...)

Bob
__
Bob Van Cleef - vancleef@nas.nasa.gov

RNS Distributed Systems Team Leader
NASA Ames Research Center		(415) 604-4366
Mail Stop 258-6				 FTS  464-4366
Moffett Field, CA 94035-5000
__
"If you're not a liberal at 20, you have no heart, and 
 if you're not a conservative at 40, you have no head."
 Winston Churchill
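
[Added example, not part of the original post: a post-copy check for the
777-directory problem described in the message above. It compares directory
modes between a source tree and its copy and lists world-writable directories
that lack the sticky bit. The function names and the sample tree are
constructed for illustration.]

```shell
#!/bin/sh
# Post-copy permission audit (added example; names and sample paths are constructed).

# mode_of PATH: print the 10-character type+permission string from ls -ld,
# e.g. "drwxr-xr-x". Cutting at column 10 drops any ACL/SELinux marker.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# world_writable_dirs ROOT: directories under ROOT that anyone may write to and
# that lack the sticky bit, so any user can delete or replace their entries.
world_writable_dirs() {
    find "$1" -type d -perm -0002 ! -perm -1000 -print | sort
}

# mode_drift SRC DST: for every directory under SRC, compare its mode with the
# same relative path under DST. Prints "REL SRCMODE DSTMODE" for each mismatch
# and "REL SRCMODE MISSING" when the copy lacks the directory.
mode_drift() {
    src=$1
    dst=$2
    (cd "$src" && find . -type d -print | sort) | while IFS= read -r rel; do
        if [ ! -d "$dst/$rel" ]; then
            printf '%s %s MISSING\n' "$rel" "$(mode_of "$src/$rel")"
            continue
        fi
        a=$(mode_of "$src/$rel")
        b=$(mode_of "$dst/$rel")
        [ "$a" = "$b" ] || printf '%s %s %s\n' "$rel" "$a" "$b"
    done
}

# build_sample: create a constructed source tree and a "copy" whose directories
# came out 777, mimicking the incident in the message. Prints the temp root.
build_sample() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/src/usr/lib" "$t/src/tmp" "$t/dst/usr/lib" "$t/dst/tmp"
    chmod 755 "$t/src" "$t/src/usr" "$t/src/usr/lib" "$t/dst"
    chmod 1777 "$t/src/tmp" "$t/dst/tmp"       # sticky tmp is legitimate
    chmod 777 "$t/dst/usr" "$t/dst/usr/lib"    # the post-copy damage
    printf '%s\n' "$t"
}

# Stand-alone use: audit.sh SRC DST
if [ "$#" -eq 2 ]; then
    echo "== mode differences (path source copy) =="
    mode_drift "$1" "$2"
    echo "== world-writable directories without sticky bit in copy =="
    world_writable_dirs "$2"
fi
```

Run it against the original and the rebuilt partition before the copy goes
into service; an empty report from both checks means the directory modes
survived the copy.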

-----------[000049][next][prev][last][first]----------------------------------------------------
Date:      Fri, 13 Apr 90 9:40:25 EDT
From:      Brinton Cooper <abc@brl.mil>
To:        sagpd1!jharkins@ncr-sd.sandiego.ncr.com
Cc:        security-request@rutgers.edu
Subject:   Re: Clearing a building nightly
To be sure that the building is clear, run the security system all the
time.  Many urban buildings do this.  It's not a problem.  You really have
no workable alternative.

_Brint

-----------[000050][next][prev][last][first]----------------------------------------------------
Date:      13 Apr 90 05:40:44 GMT
From:      Doug Gwyn <gwyn@smoke.brl.mil>
To:        misc-security@rutgers.edu
Subject:   Re:  Opening an old safe?
Reasonable security safes are constructed so that they are not dependent
on their hinges for security.  Typically the hinges are on the outside,
so they are an obvious point of attack.  The actual locking mechanism is
usually one or more metal bars that extend into holes in the door's
frame, with enough overlap that they cannot be "sprung".

The easiest ways I know of to open safes are to manipulate them (with the
aid of a special wheel-pack plotting machine, for higher-security safes)
or to drill a hole in the right spot so that a borescope can be used to
view the fence area while the wheels are dialed so that the gates line
up with the fence.  Of course both these methods require some special
knowledge, which is a good thing too!

-----------[000051][next][prev][last][first]----------------------------------------------------
Date:      Fri, 13 Apr 90 11:16:27 EDT
From:      hsu@eng.umd.edu (Dave "bd" Hsu)
To:        misc-security@uunet.uu.net
Subject:   Re: Locks/Security in large institutions (e.g. Universities)
>Removable-core systems make this relatively easy and inexpensive.
>In fact you can just permute the cores, no need to re-pin them.

One caveat: although the manufacturers go to some trouble to ensure
that "ordinary" keys will not operate as masters or submasters in
the same system, they don't necessarily take the same care with the
core-removal keys.  Without any markings on the cores themselves,
one unauthorized permutation could create total havoc.

On a related note, I have a question regarding the disposable punch-
card keys used in some hotels' electronic locks.  It seems to me that
the logical design would be to program the locks from a central
console, but I've heard that a few systems use a trap-door algorithm
in a fully independent self-powered lock; that is, the lock knows what
the code should be for the next key, and invalidates the current one
the first time it sees a new key.  No data is transmitted between the
lock and the key source.  Is this so?  How do they enforce things like
check-out time?  Are codes set aside for administrative use?

-dave

--
Dave Hsu	 Systems Research Center, Building 115    (301) 454 8867
hsu@eng.umd.edu  The Maryversity of Uniland, College Park, MD 20742-3311
"Idealism is fine, but as it approaches reality the cost becomes prohibitive"
						- William F. Buckley, Jr.

-----------[000052][next][prev][last][first]----------------------------------------------------
Date:      13 Apr 90 13:40:25 GMT
From:      abc@BRL.MIL (Brinton Cooper)
To:        misc.security
Subject:   Re: Clearing a building nightly

To be sure that the building is clear, run the security system all the
time.  Many urban buildings do this.  It's not a problem.  You really have
no workable alternative.

_Brint

-----------[000053][next][prev][last][first]----------------------------------------------------
Date:      13 Apr 90 16:11:29 GMT
From:      vancleef@FS01.NAS.NASA.GOV (Robert E. Van Cleef)
To:        misc.security
Subject:   Internet Security

The problem is much deeper than that. Even if you care about the
security of your systems, there is only so much that you can do...

   1 - selecting good passwords is a start, but why do
       so many systems enforce standards only so far?

       For example, BSD based systems will allow you to
       pick a stupid password by repeating it three times.

       Also, many systems enforce standards for everyone except root!

The real problem is the complexity involved in "doing it right". You
can't simply take a system out of the box and plug it in. You have to
be an experienced "system administrator" to know the correct things to
do... And I'm not referring to just security oriented items.

    2 - How many systems are shipped by the manufacturer with
	dangerous defaults configured in?

	SGI 4D20's will automatically flood a network if they are
	placed on the same network as a diskless Sun. You could call
	this a "denial of service" attack.

	One vendor shipped their OS software update so that all system
	directories were configured 777. And, of course, the Emacs
	distribution tapes that were used to build the "Cuckoo's Egg"
	were also set to 777.

	We had a disk partition rebuilt on one of our systems; an
	administrator used 'tar' to copy all of the files from one
	partition to another. It was a short time before we discovered
	that all directories were now 777...

Then there is the problem of learning what is "right". 

    3 - I have been working on system administration since version 7 and
	yet I had never heard of, or been told about, the "commonly
	known" hole in Sendmail that the Morris Worm used.

	Most small sites do not have a full time system administrator
	who can spend time monitoring all of the networks for the
	latest patches. In fact, many do not have network access beyond
	one or two UUCP links, if that much. How are they to even learn
	that there is a problem? (Gee: Maybe their vendor should tell
	them :-(

The biggest help we could get would be for the vendors to take system
configuration constraints seriously and ensure that their systems are
shipped with a default configuration that makes sense! (Of course
keeping up with bug fixes would also be nice...)

Bob
__
Bob Van Cleef - vancleef@nas.nasa.gov

RNS Distributed Systems Team Leader
NASA Ames Research Center		(415) 604-4366
Mail Stop 258-6				 FTS  464-4366
Moffett Field, CA 94035-5000
__
"If you're not a liberal at 20, you have no heart, and 
 if you're not a conservative at 40, you have no head."
 Winston Churchill

-----------[000054][next][prev][last][first]----------------------------------------------------
Date:      13 Apr 90 21:07:14 GMT
From:      longstaf@pantera.llnl.gov (Tom Longstaff)
To:        uunet!misc-security@mcsun.eu.net
Subject:   INCIDENT HANDLING WORKSHOP
                 ANNOUNCEMENT OF PRE-WORKSHOP TUTORIAL
            
                            JUNE 19, 1990
__________________________________________________________________________

                 
                  AN INTRODUCTION TO INCIDENT HANDLING

The University of California-Davis Department of Applied Science is
offering a special tutorial one day before the CERT Workshop on
Computer Security Incident Handling.  This tutorial covers the
fundamentals of the rapidly emerging area of computer security incident
handling.  It presents a practical approach to basic problems
encountered in detecting and recovering from different types of
incidents found in organizations, agencies, and universities throughout
the United States. The tutorial covers the following major topics:

	o Incident handling teams/networks
	o A methodology for incident handling
	o Virus infections
	o Intruder/cracker attacks
	o Worm attacks
	o Vulnerabilities
	o Current solutions/tools

The tutorial stresses the need for balance between technical skills,
proper incident handling procedures, and efficient organizational
structure.  Presentations are supplemented with demonstrations,
videotapes, and group exercises. The tutorial is best suited for people
needing a quick overview of computer security incident handling, and
for those who were unable to attend The Invitational Workshop on
Incident Responding last Summer.  This tutorial does not generally
cover detailed technical information, such as detailed analyses of
operating system vulnerabilities.  Examples and demonstrations focus
mainly on IBM PCs and PC clones, Macintosh computers, and UNIX and VMS
systems.

Instructors:  Dr. Eugene Schultz and Thomas A. Longstaff, both from 
              Lawrence Livermore National Laboratory and University  
              of California at Davis

Cost:         $175 per person.  Completed registration materials for
              this tutorial are due back to the University of California-
              Davis no later than June 11, 1990.

Time/Date:    8:30 a.m. - 5:00 p.m., Tuesday, June 19, 1990

Place:	      Room 13 of Livermore Campus of U.C. Davis, approximately 
              10 minutes from the Pleasanton Hilton (site of CERT 
              Workshop on Computer Security Incident Handling)--
              directions will be provided to enrollees
 
Note:	      This tutorial is limited to 30 people on a first-come, 
              first-served basis.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

ENROLLEE INFORMATION

Name ____________________________________________________________________
Title ___________________________________________________________________
Company _________________________________________________________________
Division ________________________________________________________________
Address _________________________________________________________________
_________________________________________________________________________
City ___________________________________________ State ____  Zip ________
Business Phone [   ]_______________________ Emergency Number[   ]________
E-Mail Address __________________________________________________________

RETURN THIS FORM AND A CHECK OR MONEY ORDER FOR $175 TO DONNA CLIFFORD,
DEPARTMENT OF APPLIED SCIENCE, U.C. DAVIS, P.O. BOX 808, L-794, LIVERMORE, 
CA 94550.  DEADLINE:  JUNE 11, 1990.  FOR QUESTIONS CALL (415) 422-9787.

Tom Longstaff					(FTS) 543-4416
Computer Incident Advisory Capability		(415) 423-4416
Lawrence Livermore National Laboratory		longstaf@pantera.llnl.gov
PO Box 808, L-619

-----------[000055][next][prev][last][first]----------------------------------------------------
Date:      15 Apr 90 03:22:17 GMT
From:      parker@epiwrl.epi.com (Alan Parker)
To:        misc-security@uunet.uu.net
Subject:   Re: National Security Agency
>     [The NSA] are more secretive than the CIA, and no research information
>     is available from them.

Not true.  They publish, and recently we sent them $175 and they sent
us a tape with some speech coding algorithms on it.   I doubt that this
was the first time they ever released anything like this.

-----------[000056][next][prev][last][first]----------------------------------------------------
Date:      Sun, 15 Apr 90 22:55:44 CST
From:      tar@ksuvax1.cis.ksu.edu (Tim Ramsey)
To:        misc-security@rutgers.edu
Subject:   Computer Security/Virus Conference Announcement
[ I am posting this on behalf of a faculty member who does not read USENET
  news.  Please direct all questions and comments to the address given
  below, not to me.  Thanks. ]

Nobol Computer Services, Inc. is presenting a seminar on Computer and
Information Security to be held at the Embassy Suites hotel at the Kansas
City International Airport, Kansas City, Missouri, July 11-13.
The topics to be covered by experts from business, industry, government and
academia are: database security, network security, data center security,
risk management, contingency planning, EDP auditing, computer crime,
malicious code (viruses, trojan horses, worms, etc.) and the security and
integrity of data.  The seminar sessions will be grouped into three tracks
each day and participants are free to move from track to track. Panel
sessions will occupy the third day; discussion time will be allotted in
those sessions for attendees to raise questions requiring in-depth answers.

Seminar speakers include Jay Bloombecker, Director of the National Center
for Computer Crime Data; Clay Hodson, Supervising investigator for the
Economic Crime Unit in Riverside California; Ed Devlin, Executive Vice
President of Harris, Devlin and Associates, consultants in disaster recovery
and business resumption planning; Carol Brown, Vice President of Winthrop,
Brown and Co., a former systems programming manager and author of books for
senior management on computing; and Computer Associates will discuss security
in the DB2 system.

For more information contact:
Nobol Computer Services, Inc.
Attn: David Spore
414 NW 66th Terrace #204
Kansas City, MO 64118

-----------[000057][next][prev][last][first]----------------------------------------------------
Date:      Mon, 16 Apr 90 19:53:44 PDT
From:      "J. Spencer Love; 237-2751; SHR1-3/E29  16-Apr-1990 2249" <jslove@starch.enet.dec.com>
To:        sagpd1!jharkins@ncr-sd.sandiego.ncr.com
Subject:   RE: Clearing a building nightly
Turn off the lights.  This is bound to produce complaints from anyone
in the building who is not actually asleep (or in a darkroom, if you
have one).  These complaints could take the form of a phone call, or
actually going to the front desk to check in.  If you have a well
publicized policy, then everyone will get the message even if only some
complain.  Repeat as needed each time someone thinks they are the "last"
one on the way out.

Oh yes, a couple of emergency lights are needed to prevent total
darkness and the associated possibility of injury.  But they should be
too dim to enable someone to ignore the lights-out.

						-- Spencer

-----------[000058][next][prev][last][first]----------------------------------------------------
Date:      Mon, 16 Apr 90 17:55:45 EDT
From:      willner%cfashap@harvard.harvard.edu (Steve Willner)
To:        security@rutgers.edu
Subject:   Re: trashcan security
This became a matter of public interest in Tucson, Arizona.  The
explanation given in the newspapers was that as soon as you put your
trash out on the curb for collection, it becomes the city's property.
They can then do anything they want with it: bury it, burn it for
energy, recycle anything that looks good, look through it for
scientific research (the actual activity in question), or search it for
incriminating material (also apparently done in some cases).

My understanding was that the city's property rights derived from an
Arizona statute, but I might be wrong about that.  I suspect that common
law would dictate transfer of property rights anyway - after all, you
are in effect giving the stuff away - but I'm NOT a lawyer.

-----------[000059][next][prev][last][first]----------------------------------------------------
Date:      17 Apr 90 03:22:51 GMT
From:      humtech@ucschu.ucsc.edu (Mark Frost)
To:        misc-security@ames.arc.nasa.gov
Subject:   Re: National Security Agency
>     NSA is the National Security Agency. Located in Fort Meade, MD,
>     they are in charge of obtaining and analysing signals intelligence.
>     They are more secretive than the CIA, and no research information
>     is available from them.

Not so! Not so! An excellent book called "The Puzzle Palace" by James
Bamford (at least I think that was his name) talks extensively about the NSA
and what it seems to be all about (analyzing intelligence, cryptology, etc.).
Granted it doesn't tell you absolutely everything about such a secret
government agency, but it was VERY good reading.

Mark Frost
	Office of the Computing Director
	Humanities Division
	University of California at Santa Cruz
	Santa Cruz, California 95064
	(408) 459-4603
Internet: humtech@ucschu.UCSC.EDU
Bitnet: humtech@ucschu.bitnet
Uucp: ...!ucbvax!ucscc!ucschu!humtech

-----------[000060][next][prev][last][first]----------------------------------------------------
Date:      Tue, 17 Apr 90 11:36:01 -0400
From:      "Frank Topper" <topper@a1.relay.upenn.edu>
To:        security@pyrite.rutgers.edu
Subject:   Free & Useful Publication
A new magazine titled "Contingency Journal" is available by calling (214) 
343-3717 for a registration card.

This quarter's issue contains stories on computer crime legislation, 
communicating during a crisis, recovery planning, and contingency 
management...plus 'true life' security & disaster cooperation stories.

It's also a freebie.

Frank Topper
Information Analyst
University of Pennsylvania

-----------[000061][next][prev][last][first]----------------------------------------------------
Date:      17 Apr 90 15:36:01 GMT
From:      topper@a1.relay.upenn.edu ("Frank Topper")
To:        misc.security
Subject:   Free & Useful Publication

A new magazine titled "Contingency Journal" is available by calling (214) 
343-3717 for a registration card.

This quarter's issue contains stories on computer crime legislation, 
communicating during a crisis, recovery planning, and contingency 
management...plus 'true life' security & disaster cooperation stories.

It's also a freebie.

Frank Topper
Information Analyst
University of Pennsylvania

-----------[000062][next][prev][last][first]----------------------------------------------------
Date:      Thu, 19 Apr 90 00:36 CST
From:      <MISS026@ecncdc.bitnet>
To:        <security@pyrite.rutgers.edu>
Subject:   re^2: them locks are easy
> ...in between that plastic cover and the metal...

I've got news for you -- that's basically all there is to it for just about
any car which has the "button" on the side of the door near the door handle...

I got locked out of my VW rabbit once, and since I didn't want to call a
locksmith (because I am one...and would never live the jeering down...:-> )
I just ripped the plastic $15.00 door handle off the door, and "popped" the
door open with my finger.

Also, listed in my "bible" of car opening how-to's is that very same method
of just putting something underneath the handle and feeling around with a
special tool till you hit the button linkage....'course a screwdriver works,
but it does scratch things up....

Moral: Get an alarm, and a pull out stereo, and maybe a car safe to store the
       pull out in...

Bye for now but not for long
Greeny
BITNET: MISS026@ECNCDC
Internet: MISS026%ECNCDC.BITNET@CUNYVM.CUNY.EDU
GEnie: GREENY
MacNet: GREENY

-----------[000063][next][prev][last][first]----------------------------------------------------
Date:      Thu, 19 Apr 90 08:28:16 EDT
From:      "The HOBBIT, Victor Bagley, IRM 1-8818" <BAGLEY@vtvm2.bitnet>
To:        security@pyrite.rutgers.edu
Subject:   Re: Reading list wanted
[Moderator injection: No relation...]

We have in our office a book called COMPUTER SECURITY by John M. Carroll.
It gets into the essentials of computer security, organizing for EDP
security, protection of information to mention a few of the chapters.  It also
covers communication security, systems security and threat evaluation.

There are also periodicals that can be subscribed to...
COMPUTER SECURITY from CSI 360 Church Street Northborough MA 01532
   (508)-393-2600

CSI (COMPUTER SECURITY INSTITUTE) also has a Computer Security Handbook
that contains a lot of useful information.

-----------[000064][next][prev][last][first]----------------------------------------------------
Date:      19 Apr 90 06:36:00 GMT
From:      MISS026@ecncdc.BITNET
To:        misc.security
Subject:   re^2: them locks are easy

> ...in between that plastic cover and the metal...

I've got news for you -- that's basically all there is to it for just about
any car which has the "button" on the side of the door near the door handle...

I got locked out of my VW rabbit once, and since I didn't want to call a
locksmith (because I am one...and would never live the jeering down...:-> )
I just ripped the plastic $15.00 door handle off the door, and "popped" the
door open with my finger.

Also, listed in my "bible" of car opening how-to's is that very same method
of just putting something underneath the handle and feeling around with a
special tool till you hit the button linkage....'course a screwdriver works,
but it does scratch things up....

Moral: Get an alarm, and a pull out stereo, and maybe a car safe to store the
       pull out in...

Bye for now but not for long
Greeny
BITNET: MISS026@ECNCDC
Internet: MISS026%ECNCDC.BITNET@CUNYVM.CUNY.EDU
GEnie: GREENY
MacNet: GREENY

-----------[000065][next][prev][last][first]----------------------------------------------------
Date:      Thu, 19 Apr 90 12:39 CST
From:      <MISS026@ecncdc.bitnet>
To:        <security@pyrite.rutgers.edu>
Subject:   re: Late model mercedes locks...
> Ever see a key for a late model Mercedes?

yeah, and while they are "neat", they are a real pain to duplicate.  Where I
do some part-time locksmith work, I have grown to hate cutting those keys.  We
charge about $40.00 per key due to the fact that the blanks cost us about $2.00
each, and because it is very tricky.  You have to use both hands at once (one
handle controls the fwd/backward movement of the cutter, the other the
left/right...), and we always require that the car be outside our shop to
test the new key blank if the customer wants a guarantee....

> ...can set the alarm off by inserting the wrong key or trying to pick the
> lock.....

nope.....trying to pick it will get you basically nowhere, it's pretty
difficult and most locksmiths just drill it out, and shove a new lockset in
there....About the only thing that even resembles an "alarm" are cars equipped
with VATS, which simply checks that the value of the resistor pellet in a key
matches the authorized value in the VATS computer.  If so, and the key turns
the lock, then the car will start.  If not, and the key turns the lock, then
the car will not start, and the whole system is dead for 4 minutes.  This is
a pain for locksmiths trying to determine the proper VATS key to use (there
are about 16 of them...), but at least it's a deterrent to crooks trying to
steal the car....

Bye for now but not for long
Greeny
BITNET: MISS026@ECNCDC
Internet: MISS026%ECNCDC.BITNET@CUNYVM.CUNY.EDU
GEnie: GREENY
MacNet: GREENY

-----------[000066][next][prev][last][first]----------------------------------------------------
Date:      Thu, 19 Apr 90 8:52:01 MESZ
From:      Joseph C. Pistritto <chx400!cgch!jcp@mcsun.eu.net>
To:        karkania@aecom.yu.edu (George Karkanias) (George Karkanias)
Cc:        misc-security@uunet.uu.net
Subject:   Re: looking for inexpensive antitheft device for car.
you might consider wiring up a solenoid in the gas line.  The solenoid
would be cheap (~$30), and you just wire it to a hidden switch.

--
Joseph C. Pistritto (jcp@brl.mil -or- cgch!bpistr@mcsun.eu.net)
 Ciba Geigy AG, R1241.1.01, Postfach CH4002, Basel, Switzerland
 Tel: +41 61 697 6155 (work) +41 61 692 1728 (home)   GMT+2hrs!

-----------[000067][next][prev][last][first]----------------------------------------------------
Date:      20 Apr 90 23:17:54 GMT
From:      gmark@cbnewse.att.com (gilbert.m.stewart)
To:        misc.security
Subject:   Re: Car Locks -- They had great locks at Hertz in Belfast

> Ever see a key for a late model Mercedes? There are wiggily little

Doesn't really make a difference.  Take a look at many Ford locks, and you
find they're pin tumblers, and therefore very pickable.  Take a look at GM
locks and you find they're wafer tumblers with sidebars, making tensioning
difficult or impossible.  Kind of cute of Ford to make the key double
sided and look more formidable, but all it buys you is that you can put
it in the lock upside down (!).  The bottom line is that a slide-hammer
is all that's necessary to pull any of them out.  Assuming all they want to
do is enter the car and maybe bag a stereo.    Best protection against that
is still to have someone watch it, or weld sheet metal over the windows.

GMS

-----------[000068][next][prev][last][first]----------------------------------------------------
Date:      Sat, 21 Apr 90 13:53:15 EDT
From:      "Peter G. Rose" <LCO114@uriacc.bitnet>
To:        security@pyrite.rutgers.edu
Subject:   Re: Factoring Large Numbers
>Perhaps more important, the RSA system does not rely upon large products
>(say 2**32) or even upon astronomical numbers (say 2**56) but rather
>upon super large astronomical numbers on the order of 2**400-800. 

Storage is cheap.  Start your favorite CRAY Multiplying prime numbers,
store the results, indexed.  Come back in a year or so with the list
of astronomical numbers you want factored, and look them up...
(ok, so it's not cheap compared to URI's budget...  it is, compared to
that of the US govt..)   How many 0s in 2^800, anyway?  790 or so?

              -Wish

-----------[000069][next][prev][last][first]----------------------------------------------------
Date:      23 Apr 90 09:35:21 PDT (Monday)
From:      "Russ_Housley.McLeanCSD"@xerox.com
To:        security-request@pyrite.rutgers.edu
Subject:   Re: Welcome banners
Rick:

I know of one system that uses the following greeting:

	You are connected to a U.S. Government computer system.  Any
	unauthorized ATTEMPT to gain access to this system may subject
	you to fine and/or imprisonment.

It might not be friendly, but the caller immediately understands the
security posture of the system administrators.

Russ

-----------[000070][next][prev][last][first]----------------------------------------------------
Date:      23 Apr 90 16:35:21 GMT
From:      "Russ_Housley.McLeanCSD"@XEROX.COM
To:        misc.security
Subject:   Re: Welcome banners

Rick:

I know of one system that uses the following greeting:

	You are connected to a U.S. Government computer system.  Any
	unauthorized ATTEMPT to gain access to this system may subject
	you to fine and/or imprisonment.

It might not be friendly, but the caller immediately understands the
security posture of the system administrators.

Russ

-----------[000071][next][prev][last][first]----------------------------------------------------
Date:      24 Apr 90 05:18:21 PDT (Tuesday)
From:      "chaz_heritage.WGC1RX"@xerox.com
To:        security-request@pyrite.rutgers.edu
Subject:   Method of opening office safes
1 Safe doors here are usually secured by huge bolts, racked in and out by a
handle or wheel in addition to the lock. If the lock is damaged the bolts
stay put.

2 Safe hinges here are usually huge castings or forgings, carrying the door
on pivot pins of similar diameter to the door bolts. Even if they are
smashed off with a sledgehammer, the door will still hold.

3 Safes, because of these measures, often weigh too much for a freight
elevator, and often have to be installed or removed with a crane. Ours in
this building are all on the ground floor (street level).

4 If a one-tonne safe is dropped 20 stories (60m) then its kinetic energy
on impact will be enormous; similar to that of a smallish artillery shell
(about 600kJ). I certainly wouldn't bet on being able to dig it up from the
pavement before everyone came back to the office the next morning!

If safes in the USA can be opened by dropping them like this then they must
be so light and weak that I'm surprised anyone bothers to put money in
them. Money, in such circumstances, is best kept in the teapot, where
nobody would think of looking for it.

Regards,

Chaz

-----------[000072][next][prev][last][first]----------------------------------------------------
Date:      25 Apr 90 06:21:43 GMT
From:      nagle@well.sf.ca.us (John Nagle)
To:        misc.security
Subject:   Re: Security Cameras


     Pulnix and Sony are two of the major manufacturers of security
cameras.  Both black and white and color are available.  Any of the
security trade journals will be filled with ads for these things.
Sony makes a line of VCRs that can record at rates down to one frame
every few seconds.  

     The robotics / computer vision community seems to like Pulnix
cameras.  I've seen them at MIT, Stanford, and CMU, and I have a
Pulnix TMC-50 color unit myself.  It's a good camera, but not suitable
for low-light operation.

     Camcorders today tend to be ahead, technologically, of security
cameras, in both lighting requirements and imaging speed.  This
reflects the market and where the development effort goes.

					John Nagle

-----------[000073][next][prev][last][first]----------------------------------------------------
Date:      25 Apr 90 08:16:10 GMT
From:      gwyn@SMOKE.BRL.MIL (Doug Gwyn)
To:        misc.security
Subject:   Re: trashcan security

>Once you place a trashbag on the street for municipal pickup it
>becomes public property.

The flip side of this coin is that anything investigators find in your
trash need not necessarily have been put there by you!

-----------[000074][next][prev][last][first]----------------------------------------------------
Date:      25 Apr 90 08:16:10 GMT
From:      Doug Gwyn <gwyn@smoke.brl.mil>
To:        misc-security@rutgers.edu
Subject:   Re: trashcan security
>Once you place a trashbag on the street for municipal pickup it
>becomes public property.

The flip side of this coin is that anything investigators find in your
trash need not necessarily have been put there by you!

-----------[000075][next][prev][last][first]----------------------------------------------------
Date:      Fri, 27 Apr 90 12:55:44 PDT
From:      blade@darkside.com (The Blade)
To:        misc-security@ucbvax.berkeley.edu
> I know dozens of methods for breaking into computers.  But how do I
> know I can safely send them to you?

In the "hacker underground" there are numerous files on how to get into
almost any system ever made.  The most common are default pws that are
never taken out when the system is installed.  

The most common systems:

Unix, Zenex (pre-sys 5)
RSTS  (very easy)
VAX   (usually larger systems cannot be totally secure)

I don't think you need to worry about others obtaining the information
if you were to send it via mail.  This information is readily available
on hundreds of BBSs around the country.

Blade

-----------[000076][next][prev][last][first]----------------------------------------------------
Date:      27 Apr 90 06:06:37 GMT
From:      nagle@well.sf.ca.us (John Nagle)
To:        misc-security@uunet.uu.net
Subject:   A decent access control system?
     A UK company, Mastiff Electronics Systems, has announced a new
access control system.  This one has a proximity device which detects
a hands-free electronic token at 1m range and unlocks the door.  Nothing
unusual there.  But there's a new feature.  Supposedly, it 
also, somehow, detects if more than one person goes through the door
before it relatches.  This is new, and if it really works, is a major
advance in access control.  How do they do it, and does it work?

     It's mentioned in Airports International, January 1990, and they
claim it's going in at Amsterdam's Schiphol airport and at BAA.

					John Nagle

-----------[000077][next][prev][last][first]----------------------------------------------------
Date:      27 Apr 90 19:55:44 GMT
From:      blade@darkside.com (The Blade)
To:        misc.security
Subject:   (none)

> I know dozens of methods for breaking into computers.  But how do I
> know I can safely send them to you?

In the "hacker underground" there are numerous files on how to get into
almost any system ever made.  The most common are default pws that are
never taken out when the system is installed.  

The most common systems:

Unix, Zenex (pre-sys 5)
RSTS  (very easy)
VAX   (usually larger systems cannot be totally secure)

I don't think you need to worry about others obtaining the information
if you were to send it via mail.  This information is readily available
on hundreds of BBSs around the country.

Blade

END OF DOCUMENT