The 'Security Digest' Archives (TM)


ARCHIVE: Zardoz 'Security Digest' - Resources
DOCUMENT: Dialcom X.25 security discussion 1988/1989 (1 file, 41563 bytes)
SOURCE: http://securitydigest.org/exec/display?f=zardoz/resource/dialcom.txt&t=text/plain
NOTICE: securitydigest.org recognises the rights of all third-party works.

START OF DOCUMENT

     To:  M.ROSENBERG   (MICHAELR)
     Cc:  C.HAPANGAMA   (OTC264)
   From:  A.LOWTHER  (OTC157) Delivered:  Mon  8-Aug-88  9:32 AEST Sys 6007  (52)
Subject:  VMS HACKING
Mail Id:  IPM-6007-880808-085830292

Dick Weaver sent me this some time ago. It indicates that we really
do need to be on our mettle as far as VMS security is concerned. Dean
Gingell is a bit inclined to accept that VMS security is so good
that it is impenetrable!!
		Tony.

   From:  R.WEAVER  (OTC248) Delivered:  Fri  11-Mar-88  16:38 AEST Sys 6008
Subject:  VMS Passwords:  Hackers' Attacks ? ?
Mail Id:  IPM-6008-880311-149750909
From: ecs140w020@deneb.ucdavis.edu
Subject:   VMS password hacker
           ===================

Date: 6 Mar 88 12:06:58 GMT
Sender: uucp@ucdavis.ucdavis.edu
Lines: 18

Bunkersoft of Mountain View has a VMS password hacker
available for $30 (source code) from

	Bunkersoft
PO Box 4436
Mountain View CA
94040-4436

The method used is a brute force attack. However, because of the
nature of the VMS password file, SYSPRV or CMKRNL is required for
a short window of time before running. I ran this program on my
installation at work; it found 35% of all passwords.
Since HPWD is a proprietary DEC code, a batch file is given to
extract this information from LOGINOUT.EXE. I believe this program
is aimed at security managers etc.
	
ecs140w020@deneb.ucdavis.edu
ucdavis!deneb!ecs140w020

	    ...    ...    ...    ...    ...    ...    ...    ...    ...


Well, how about that then! Will we need to worry about security
like Minerva worries? Think we need a copy of this "hacking tool"?


      Richard Weaver          Ext  5134

     (Manager, New Services Development)


         11 March 88
	


     To:  MICHAELR (6007:MICHAELR) 
     To:  STEVEB (6007:STEVEB) 
   From:  M.ROSENBERG  (MICHAELR) Delivered:  Fri  19-Aug-88  10:09  Sys 6008  (36)
Subject:  Hello!
Mail Id:  IPM-6008-880819-09086021
Importance:  Normal



	
     To: MICHAELR
   From: A.TAYLOR  (6007:TUD001)
Subject: Hello!
 Posted: Thu 18-August-88 19:15 AEST
Delivered: Thu 18-August-88 19:12 AEST (27 lines)

Hi, this is The Phoenix (with The Force...)
Umm... sorry - missed you by 2 mins...
Hmm... Why not give us this account? The real user never logs on...
Just cancel his billing - set up 3 or so other accounts in the series TUD
(Now I know that's possible!)
Take away netlink if you wish....
We only want it as a means of communication between our members and yourself.
The advantages of this are twofold...
1) You can keep an eye on us...
2) You get us off your back....

What do you say?

Anyhow - ever considered taking up hacking?

Seeya L8er...

(-: Phoenix :-)

Catch Ya Later
         ----====} THE FORCE {====----

P.S. - Don't delete this account yet (please) - wait till we see the reply.
I guarantee that we will not use netlink (apart from the one short call to Alto
already made...)
 
 


     To:  BTG082 (10080:BTG082)
     Cc:  S.BERLECKY   (STEVEB)
     Bc:  M.ROSENBERG   (MICHAELR)
   From:  M.ROSENBERG  (MICHAELR) Delivered:  Fri  19-Aug-88  12:09 AEST Sys 6007  (12)
Subject:  News of hackers
Mail Id:  IPM-6007-880819-109360302

Paul,
   Hi!  Michael Rosenberg here.  Those 2 numbers that you gave us
have been identified and are being researched at the moment to see if they
themselves were hacked. One of them is a tie line, which is great because
we should know from where the call was made, except that the address in the
database doesn't match the company that is there and the phone number doesn't
make sense and I can't even get a number for the company to which it is registered.
    I have sent this info to Telecom Aust. and will get back to you when they
get back to me.
   You will hear from me soon,
   Thanks,
Michael Rosenberg.


     To:  MICHAELR (6007:MICHAELR)
   From:  P.SWAAB  (BTG082)  Delivered:  Fri  19-Aug-88  19:23  Sys 10080  (15)
Subject:  Reply to:  News of hackers
Mail Id:  IPM-10080-880819-174580001

     Michael.
            Thanks for the information you sent. The
situation here is that he tried once again to access the
box, but was unable to as we have devalidated that box.
          Dialcom (US) have located the addresses he has
accessed us from via Telenet, and Telenet and Telecom Australia are
going to try and trace these routes and close them down.
Telenet are keeping a close eye out for over-active work on
those addresses.

Again many thanks for the information. I will contact you if I
hear any more.
 Hope to hear from you soon.


     Fo:  MICHAELR (6007:MICHAELR)
     To:  STEVEB (6007:STEVEB)
     Fo:  S.BERLECKY (6008:STEVEB)
     Fo:  M.HULBERT   (MARK)
     Cc:  D.MCDONELL   (DM)
     Cc:  J.BRIGHT   (JACK)
   From:  R.BARNACK  (BERTA) Delivered:  Thu  25-Aug-88  21:27  Sys 198  (78)
Subject:  GREETINGS FROM AUS
Mail Id:  IPM-198-880825-193140001


Michael and Steve,

Vicky Lundberg has requested that I forward the message sent from
an ID in Australia to some of the 'upper management' of Telecom Gold/BT.
Do the contents of this message indicate the same hacker that
Michael has been dealing with, or is it a new one? Any information
would be appreciated.

Thanks,
Berta

   From:  V.LUNDBERG  (BTG072) Delivered:  Thu  25-Aug-88  4:58 EDT Sys 10080
Forward:  R.BARNACK  (BERTA)
Subject:  GREETINGS FROM AUS
Mail Id:  IPM-10080-880825-044750001

	
Berta,

This is Vicky from Dialcom UK systems admin.... I am a
little worried about the content of this item (it seems
dubious) because of what was happening from Australia last
week; I feel it may be connected.  Please could you
investigate this user with Steve in Aussie land, and get
back to me as to whether it should be looked into further.
This was sent to at least 2 BTG ids within a few minutes of
each other, exactly the same text.  Mine, you see, is entitled
Dear Steve, so the guy obviously either has the id
confused, or is just trying it on.  The other has been
directed to the correct 'name' of the mailid though!

Your comments would be appreciated.

Thanks,
Vicky.

   From:  CAE007             Delivered:  Wed  24-Aug-88  1:16 BST Sys 6007
     To:  V.LUNDBERG  (BTG072)
Subject:  GREETINGS FROM AUS
Mail Id:  IPM-6007-880824-011490001

Dear Brian,

	

An 'electronic friend' of mine in the UK kindly forwarded to
me a list of UK e-mail users like yourself, but who are
involved primarily within the hierarchy of Telecom Gold
itself.  I am writing this brief note to you primarily to
seek your help. Having successfully 'broken through' into
the UK e-mail network, I am now trying to spread my wings a
little and seek contact with other countries.  I particularly
wish to make contact with the USA and, in Europe, with
Greece [if Greece, indeed, has such a system] as well as
other participating countries in the international e-mail
network.  If you or one of your colleagues has any relevant
information, contact IDs or other helpful advice, I would be
most grateful.
	
As for me, my name is PAUL HELLANDER 6007:CAE007 and I am a
lecturer in Modern Greek at the South Australian College of
Advanced Education.  Like a small but dedicated bunch of
like-minded computer users, I am very interested in
electronic telecommunications and in computers in general.
I actually teach multilingual word processing and page
processing [DTP] to my language students at the College and
have my own setup at home: a Macintosh SE, modem, printer
etc.

If you are not able to help me immediately, please forward
my message to somebody who may be able to suggest something.
But in any case, I would like to hear from you about your
own interests and role within the Telecom Gold system.

Best wishes from Australia!

Paul


     To:  M.ROSENBERG   (MICHAELR)
   From:  M.ROSENBERG  (MICHAELR) Delivered:  Thu  8-Sep-88  23:14 AEST Sys 6007  (1)
Subject:  force activity
Mail Id:  IPM-6007-880908-209140305

Force was on Altos at 23:08 on 8/9/88.
	

     To:  JVE002 (6007:JVE002)
     Cc:  STEVEB 
     Cc:  MARSDEN-US (142:IMC002)
     Cc:  MICHAELR (6007:MICHAELR)
     Cc:  OTC519 (6007:OTC519)
     Cc:  MULHOLLAND-AA   (JND002)
   From:  MULHOLLAND-AA  (JND002) Delivered:  Mon  26-Sep-88  12:33  Sys 6009  (42)
Subject:  HACKING ON JND IDS
Mail Id:  IPM-6009-880926-112950001

To: Paul Heath         Keylink
CC: Ron Sinclair       OTC
    Steve Berlecky     OTC
    Michael Rosenberg  OTC
    Tim Marsden        ESI

Paul

As you are probably aware, a hacker is active in Australia and has recently
gained access to a number of JND mailboxes. The hacker has run up considerable
time and probably a fair amount of international access.

Ron Sinclair, on the advice of Michael Rosenberg, alerted me to the problem and
Michael has also shut the IDs down when he has detected the illegal use. I've
spoken to the owners of these IDs and while their passwords were not obscure
they could only have been gained by a knowledge of our user directory.

Obviously there is going to be a problem when the bills for this illegal usage
are presented to the customers. They are already arguing that if I know the
usage is not by them, why should they have to pay for it.

I see this incident as extremely damaging to the users' perception of the
integrity of the email system and as such I'd like to take some steps to
placate the users and to prevent a recurrence.

Firstly, will Keylink credit the illegal usage?

Secondly, Tim Marsden, our US system manager, has suggested we set up CMDJND and
move all our CPLs that use Netlink to it. We would also need a copy of NETLINK
with a different name (say FRED) on CMDJND so that our use of the NETLINK
command in the CPLs could change to FRED. This combination of a changed
command name and an ID that the hacker can't access would hopefully render JND
IDs useless to the hacker's purpose.

Further, we would want a program called NETLINK.CPL on CMDJND. This will be a
hacker alert and would mail a message to an OTC ID that monitors for illegal
use.

I see a real urgency about this matter and would appreciate your early advice.

Best
David Mulholland


     To:  BERTA (198:BERTA)
     Cc:  S.BERLECKY   (STEVEB)
   From:  M.ROSENBERG  (MICHAELR) Delivered:  Thu  6-Oct-88  15:08 AEST Sys 6007  (18)
Subject:  Hackers
Mail Id:  IPM-6007-881006-136340371

Berta,
     I think that I have found evidence of a hacker on system 52, which
you should chase up.
   On 10/3/88 (I even put the date in US format so you can read it) at
about 07:53 GMT, 08:10 GMT and 09:00 GMT, calls were made from
31033010000552 to 5053210106, which I have reason to believe is a hacker.
  If you find it to be so, I really need to know from what address he got into
system 52, as I am hoping he did it from Aust. somewhere.
  If it was not, and Dialcom trace it back further, could I be told the address
furthest back that you find.
  I am having BIG problems with this guy or one of his friends, so speed will
help greatly.
I also have an account netlinking a LOT to sys41 (0311030100341) from 5053200000.
He is in the billing as the United Nations.  Could you have a look at the
calls to 41 from 07 and see if he has hacked an account there or if he is
legal?
Thanking you,
Michael.


     To:  MARK (198:MARK)
     Cc:  BERTA (198:BERTA)
     Cc:  S.BERLECKY   (STEVEB)
   From:  M.ROSENBERG  (MICHAELR) Delivered:  Fri  7-Oct-88  10:52 AEST Sys 6007  (25)
Subject:  Hacker methods.
Mail Id:  IPM-6007-881007-097940230

Mark, Berta,
          Just a little background so that you know what brought on my
rush of hacker enquiries.  Chatting to my hackers on ALTOS in Germany,
they have been taunting me saying that they have developed a means of pw
interception and they indeed were getting a lot of OTC ids from somewhere.
        Finally, I found that the guy netlinks to our PADs and tielines and just
waits, and waits, until someone finally tries to use the terminal. In the case
of the NTN's that he uses, the vast majority of the calls are to system 07.
       Unfortunately, most people think that 07 is broken in some way because
it doesn't display the sign on banner and Password: etc, and just keep typing
their id and password, which of course appear on the hacker's screen.  There
he goes.
       I have seen evidence of this from at least 52 and 41, which is why I
mentioned those two only.  Because our packet network is owned by OTC, I can
find out who attempted calls to any NTN, which is how I found 41.  I found 52
because when I was warning one of our people who use a tie line, the hacker
was trying it at that moment in time, and I identified the address.  Also,
I was talking to the hackers later that day on ALTOS and they tried to log into
07 from 52, so I logged into 98 and did an NSY on 52.  There they were.
       So, there you go.  I just thought you'd like to know how I came to know
about hackers on your system.  I am having that NUI killed, but I am sure that
he has more.

Thanks for your help,
Michael.


     To:  BERTA (198:BERTA)
     To:  MARK (198:MARK)
   From:  M.ROSENBERG  (MICHAELR) Delivered:  Fri  7-Oct-88  11:19 AEST Sys 6007  (5)
Subject:  More times.
Mail Id:  IPM-6007-881007-101900857

Mark, more netlinking times as follows:
from 31033010000541 to 5053200024 (it may be 200056, but don't think so)
10/6 09:10, 09:28, 09:33 GMT

and from 31033010000552 on 10/6 at 07:43 GMT


     To:  MARK (198:MARK)
   From:  M.ROSENBERG  (MICHAELR) Delivered:  Sun  9-Oct-88  12:48 AEST Sys 6007  (11)
Subject:  hacker on 41
Mail Id:  IPM-6007-881009-115200647

Mark,
   I found that 41:TCN181 was hacking on 10/6 at 2:44 GMT, netlinking to
altos.  He was one of my hackers (Aust.) and came from 26245724740132.
If this guy, and/or any others, have been netlinking back to Aust., I could
really use that info because he is getting passwords from somewhere that I
haven't found yet, presumably with his netlinking to pads/tielines trick.
  There was another TCN on at the same time as Phoenix (hacker's alias),
netlinking to a Telenet address.  Interesting the way they have so many on the
one account group, e.g. 52:scx.
Thanks,
Michael.


     To:  MARK (198:MARK)
   From:  M.ROSENBERG  (MICHAELR) Delivered:  Sun  9-Oct-88  18:12 AEST Sys 6007  (3)
Subject:  another one.
Mail Id:  IPM-6007-881009-163811023

Mark, that other suspect TCN was TCN177 on 41 and definitely was hacked.  Was
netlinking to altos 10/9 at 8:10 GMT from 31102050001801.
Mike.


     To:  MARK (198:MARK)
   From:  M.ROSENBERG  (MICHAELR) Delivered:  Thu  13-Oct-88  18:41 AEST Sys 6007  (7)
Subject:  TCN098
Mail Id:  IPM-6007-881013-168240539

was hacking this morning.  I informed ops via Lillian who clobbered him.
I copied some of his files before he deleted them (he was making files and
then deleting them) to otc-all>tcn098 but he no doubt had made more when
he was hit so you'll have them.  The hacker who called from the states
last night gave the name SAM MONICA who said he was from Dialcom, system 41.
Obviously not his real name but does it mean anything to you?
Michael


     To:  MARK (198:MARK)
   From:  M.ROSENBERG  (MICHAELR) Delivered:  Sat  15-Oct-88  20:42 AEST Sys 6007  (3)
Subject:  TCN051
Mail Id:  IPM-6007-881015-186400186

On system 41 has been hacked.  If he has deleted the files on his account,
I copied them to 98:otc-all>tcn051.   I noticed him on at 6:43 am on 10/15.
Michael.


     To:  MARK (198:MARK)
     Cc:  OTC264 
     Cc:  S.BERLECKY   (STEVEB)
   From:  M.ROSENBERG  (MICHAELR) Delivered:  Mon  17-Oct-88  13:27 AEST Sys 6007  (38)
Subject:  TCN051
Mail Id:  IPM-6007-881017-121131069

Mark,
    Have you noticed the file called "DRAFT" in 41:tcn051?  Note in it how
he mentions the account MONICA, which I now know to be a seclev 5 on 98.
Recall how I said that the American hacker who called me gave the name SAM
MONICA...  Very unlikely to be the guy of course, but you could very well
have a big security problem.
The Force is also being investigated by Telecom Aust. for international
telephone fraud at the moment.  Also, when I saw tcn051 being used to hack
it appeared to be being used by Phoenix.


Dear Sir,

I am the hacker responsible for using TCNxxxx accounts as well as others
on system 41, and after talking to the system manager I am really shocked
at the stand you have chosen to take.  I do not feel that the TCN USERS
SHOULD BE PENALISED FOR WEAKNESSES IN YOUR SYSTEM SECURITY, and this is
something I feel very strongly about. As I see it, it is your fault, and
you should take the responsibility.  Please forget this bullshit about the
users having weak passwords, since I can obtain the password for just about any
account, no matter what password is being used.

There are a lot of people like me that know about the Dialcom weaknesses
and are exploiting these accounts, and I really would like to see TCN
subscribers be refunded any excessive costs due to their activities.
If you continue to exploit your users in this way, I will have to bring
this matter to the media, and demonstrate just how easy it is to gain
access to mail and private files of your government and other subscribers.

Again I urge you to do the right thing by your customers.
As an example I am bringing to your attention a certain account such as
MONICA and other in-house system accounts.  What are they, level 5?

Catch Ya Later
         ----====} THE FORCE {====----





     To:  MICHAELR (6007:MICHAELR)
     Cc:  M.HULBERT   (MARK)
   From:  M.HULBERT  (MARK)  Delivered:  Thu  20-Oct-88  6:38  Sys 198  (79)
Subject:  Reply to:  TCN051
Mail Id:  IPM-198-881020-059720001

Mike,

I was noting the carryings-on as they were in progress
on Saturday. I copied the file as the Force was generating
it. The two individuals are coming in from the
Australian continent somewhere. They look to be coming in
via a US Telenet address but that is not the case. Both are
19 years old and are working on a special project to
document all of the NUAs in the world.

An ambitious project at that.

Now you have really put these two individuals out! You had
promised them a free account and then took it away from them.
That made them mad, hence the "mail barrage" from system 41.

These characters have more nerve than any I have seen so far.

They have no respect for the business people. In addition, they
are using the long distance phone system to make free
calls. They talked with our client here in the states for some
3 1/2 hours on Saturday morning - our time.

They apparently have the codes for gaining free access to
your phone systems.

Unfortunate that you do not have any legal alternatives
available to you in Australia. A couple of arrests
tend to inhibit such activity.

Thanks for the note and the interest. We have apprised Telenet
of the activity and they are looking into how, what and
wherefore they are cheating on their network as well.

Mark

   From:  M.ROSENBERG  (MICHAELR) Delivered:  Sun  16-Oct-88  23:29 EDT Sys 6007
     To:  M.HULBERT  (MARK)
Subject:  TCN051
Mail Id:  IPM-6007-881016-211400001

Mark,
    Have you noticed the file called "DRAFT" in 41:tcn051?  Note in it how
he mentions the account MONICA, which I now know to be a seclev 5 on 98.
Recall how I said that the American hacker who called me gave the name SAM
MONICA...  Very unlikely to be the guy of course, but you could very well
have a big security problem.
The Force is also being investigated by Telecom Aust. for international
telephone fraud at the moment.  Also, when I saw tcn051 being used to hack
it appeared to be being used by Phoenix.


Dear Sir,

I am the hacker responsible for using TCNxxxx accounts as well as others
on system 41, and after talking to the system manager I am really shocked
at the stand you have chosen to take.  I do not feel that the TCN USERS
SHOULD BE PENALISED FOR WEAKNESSES IN YOUR SYSTEM SECURITY, and this is
something I feel very strongly about. As I see it, it is your fault, and
you should take the responsibility.  Please forget this bullshit about the
users having weak passwords, since I can obtain the password for just about any
account, no matter what password is being used.

There are a lot of people like me that know about the Dialcom weaknesses
and are exploiting these accounts, and I really would like to see TCN
subscribers be refunded any excessive costs due to their activities.
If you continue to exploit your users in this way, I will have to bring
this matter to the media, and demonstrate just how easy it is to gain
access to mail and private files of your government and other subscribers.

Again I urge you to do the right thing by your customers.
As an example I am bringing to your attention a certain account such as
MONICA and other in-house system accounts.  What are they, level 5?

Catch Ya Later
         ----====} THE FORCE {====----



	

     To:  EIM004 (10074:EIM004)
     To:  BTG-DIA (10080:BTG-DIA)
     To:  BTG005 (10080:BTG005)
     To:  BTG072 (10080:BTG072)
     To:  DKE237 (12271:DKE237)
     To:  DPT258 (12271:DPT258)
     To:  DPT999 (12271:DPT999)
     To:  MSE001 (12271:MSE001)
     To:  MNL012 (12427:MNL012)
     To:  SADM (12427:SADM)
     To:  JUKKAI (12762:JUKKAI)
     To:  LEENAS (12762:LEENAS)
     To:  MARKKUV (12762:MARKKUV)
     To:  ROM001 (13065:ROM001)
     To:  TLO202 (13065:TLO202)
     To:  TLO300 (13065:TLO300)
     To:  DAC100 (152:DAC100)
     To:  SEM012 (152:SEM012)
     To:  SEM015 (152:SEM015)
     To:  CROWE (198:CROWE)
     To:  JOEA (198:JOEA)
     To:  MARK (198:MARK)
     To:  TOMS (198:TOMS)
     To:  CNP007 (2022:CNP007)
     To:  CNP343 (2022:CNP343)
     To:  CNP365 (2022:CNP365)
     To:  CNP517 (2022:CNP517)
     To:  FTZ007 (3015:FTZ007)
     To:  MNH001 (3015:MNH001)
     To:  RJS001 (3015:RJS001)
     To:  LADWIG (3069:LADWIG)
     To:  SEL008 (3069:SEL008)
     To:  AMI (5006:AMI)
     To:  AMOS (5006:AMOS)
     To:  FIFI (5006:FIFI)
     To:  IPR013 (5825:IPR013)
     To:  IPR023 (5825:IPR023)
     To:  NZP019 (6009:NZP019)
     To:  KDM301 (7014:KDM301)
     To:  KDM404 (7014:KDM404)
     To:  CAW003 (8088:CAW003)
     To:  CAW065 (8088:CAW065)
     To:  HQT127 (8810:HQT127)
     To:  SVC004 (8810:SVC004)
     Bc:  MICHAELR 
   From:  C.HAPANGAMA  (OTC264) Delivered:  Tue  29-Mar-88  17:14 AEST Sys 6008  (33)
Subject:  Security threat : OTC
Mail Id:  IPM-6008-880329-155130552

To:  All Dialcom Licensees.


                             CONFIDENTIAL
                             ------------


  OTC has determined that the hacker who has delivered the threat to us
has been using a unique NTN (505235689996) for hacking when he does
not have access to a hacked account on OTC's Dialcom system.

  The hacker may have used this NTN, in addition to netlinking from our systems,
to access other Dialcom systems, as he has claimed.  If indeed the hacker
used this method of access, it will be easily identifiable through NUSAGE.
  OTC suggests that you determine if any accounts have been accessed from the
address 505235689996 by running NUSAGEs.  Any ids found will most likely have
been hacked.

  Our systems' addresses are 5053200000, 5053200001 and 5053200050.  Most calls
made to ids from these addresses using netlink may of course be valid users.

  The hacker could have accessed other systems from the many VAXs and PRIMEs
to which he supposedly has access, but these are of course unknown to us.

  If any ids on your systems are found to have been hacked from Australia, could
you please supply to me, 6008:OTC264, any information which you would consider
helpful to OTC.

Regards,

Channa Hapangama
Technical Support Manager, Value Added Business.
OTC.

	
     To:  MARK (198:MARK)
     Cc:  EIM004 (10074:EIM004)
     Cc:  BTG-DIA (10080:BTG-DIA)
     Cc:  BTG005 (10080:BTG005)
     Cc:  BTG072 (10080:BTG072)
     Cc:  DKE237 (12271:DKE237)
     Cc:  DPT258 (12271:DPT258)
     Cc:  DPT999 (12271:DPT999)
     Cc:  MSE001 (12271:MSE001)
     Cc:  MNL012 (12427:MNL012)
     Cc:  SADM (12427:SADM)
     Cc:  JUKKAI (12762:JUKKAI)
     Cc:  LEENAS (12762:LEENAS)
     Cc:  MARKKUV (12762:MARKKUV)
     Cc:  ROM001 (13065:ROM001)
     Cc:  TLO202 (13065:TLO202)
     Cc:  TLO300 (13065:TLO300)
     Cc:  DAC100 (152:DAC100)
     Cc:  SEM012 (152:SEM012)
     Cc:  SEM015 (152:SEM015)
     Cc:  CROWE (198:CROWE)
     Cc:  JOEA (198:JOEA)
     Cc:  TOMS (198:TOMS)
     Cc:  CNP007 (2022:CNP007)
     Cc:  CNP343 (2022:CNP343)
     Cc:  CNP365 (2022:CNP365)
     Cc:  CNP517 (2022:CNP517)
     Cc:  FTZ007 (3015:FTZ007)
     Cc:  MNH001 (3015:MNH001)
     Cc:  RJS001 (3015:RJS001)
     Cc:  LADWIG (3069:LADWIG)
     Cc:  SEL008 (3069:SEL008)
     Cc:  AMI (5006:AMI)
     Cc:  AMOS (5006:AMOS)
     Cc:  FIFI (5006:FIFI)
     Cc:  IPR013 (5825:IPR013)
     Cc:  IPR023 (5825:IPR023)
     Cc:  NZP019 (6009:NZP019)
     Cc:  KDM301 (7014:KDM301)
     Cc:  KDM404 (7014:KDM404)
     Cc:  CAW003 (8088:CAW003)
     Cc:  CAW065 (8088:CAW065)
     Cc:  HQT127 (8810:HQT127)
     Cc:  SVC004 (8810:SVC004)
     Bc:  M.ROSENBERG   (MICHAELR)
   From:  STEVEB             Delivered:  Mon  28-Mar-88  15:57 AEST Sys 6008  (72)
Subject:  Reply to:  Security Threat to the Dialcom Community
Mail Id:  IPM-6008-880328-143680409
In Reply To:  IPM-198-880326-088730001


To: Dialcom Licensees



  On Friday 25 March, Dialcom U.S. advised you that OTC had experienced a
particular hacking problem and that further advice would be given as to OTC's
approach to this matter.

  OTC requests that all licensees, until further notified, please keep the
information concerning this particular hacking problem confidential and at the
highest level in your organisations and, further, that no public statement be
made until OTC advises.

  The OTC contact point on this matter is:

Mr. C. Hapangama
Mail Box No. 6008:OTC264

Business Telephone: 61.2.287 5857
Home Telephone    : 61.2.481 8997

	
Regards,



D. BRAWN
Chief Manager - Products Business
OTC

P.S.  Would all licensees please mail a contact name and telephone number
to Mr. Hapangama so that you may be contacted if the need arises due to an
emergency situation.
	

   From:  M.HULBERT  (MARK)  Delivered:  Sat  26-Mar-88  9:51  Sys 198
     To:  STEVEB
Subject:  Security Threat to the Dialcom Community
Mail Id:  IPM-198-880326-088730001



Our licensee in Australia, OTC, has been penetrated by
a hacker who claims to have access to about 100
Dialcom accounts on systems such as BT Gold, Primecom,
Telebox, Goldnet, Dialcom and so forth.

Interestingly enough, the hacker claims that he has additional
access to both Prime and Vax systems which he can program
to commence sending thousands of mail messages to every
customer account that he knows about.

His request is that OTC give him six free mailboxes or he
will launch his mail inundation upon the Dialcom community.

We do not know the degree of capability to carry out such a
threat but certainly, if perpetrated, it could have significant
implications on each of us. From a security viewpoint, we
should expect that the messages will show hostility and operationally,
they could clog our networks and systems and increase our network
expense and response times.

We are pursuing this issue with OTC and will inform each of you as
additional information develops. If you note any problems of
a similar nature, please inform all addressees as to your findings.

We are developing defense strategies in conjunction with OTC and
will keep you abreast of the activities as they are unfolding.

Mark Hulbert
Director, Operations Planning


     Fo:  MICHAELR 
     Fo:  STEVEB 
   From:  C.HAPANGAMA  (OTC264) Delivered:  Mon  28-Mar-88  11:02 AEST Sys 6008  (107)
Subject:  Reply to:  Hacker threat to Keylink-Dialcom.
Mail Id:  IPM-6008-880328-099350092


   From:  M.HULBERT  (MARK)  Delivered:  Sat  26-Mar-88  4:41  Sys 198
     To:  C.HAPANGAMA  (OTC264)
Subject:  Reply to:  Hacker threat to Keylink-Dialcom.
Mail Id:  IPM-198-880326-042280001


Channa,

I will look into the source of the hacking from our end here
to determine if we can isolate the hacker on our end.

The real concern is whether or not you may bring the
resources of the local law enforcement authorities
to bear on this issue to assist you. The biggest problem
is the tracking of the source. If the access is from
a dialup rotor in your network, the capability to trace
the calls may be your best capability to identify the
source of your hacking.  I have worked very closely with
the US Secret Service on just such an instance and have
recently concluded the effort with the arrest of the
hacker by the Secret Service. I suggest that if the laws
of your country make electronic data theft a crime,
you should pursue this with the authorities. If that
is not a crime, then the possibility of extortion may be a means
that you may employ to gain the assistance of the
law enforcement authorities.

In addition, depending on your relationship with the local
telephone company, you may be able to initiate a trace
without the benefit of the law enforcement folks. That
would allow you to monitor the particular IDs that
the user hacks and start the trace based upon the
access line (or PAD port) that the call came in on.

I also suggest that you identify the hacker's profile. Most have
a particular characteristic that you can use to track and
trace the user's activity. It may be time of day that the
accesses occur, particular accounts, the network address from
which the accesses occur, particular commands not normally
used by clients etc. I have found that net-talk is one that
the hackers on our end like. They also like to upload and
download files of software to each other. In addition, they
set up sub directories which have the latest and greatest of
information on the hacking community activities and,
at least in my experience, we have seen them solicit
others to join them in sessions on the hacked ID.

I found that it was better to move the user from the
hacked ID to a new ID and leave the old ID in place to
track the activity of the hacker. It provided data on what other
IDs he/she may have hacked since they tended to connect to other
IDs from a central ID.

We will be glad to assist you as you move on this problem.
Please provide any information or questions that you may
have to me with a copy to Gideon Amir, 98:Gideon.

   From:  C.HAPANGAMA  (OTC264) Delivered:  Fri  25-Mar-88  0:40 EST Sys 6008
     To:  M.HULBERT  (MARK)
Subject:  Hacker threat to Keylink-Dialcom.
Mail Id:  IPM-6008-880325-006130001

Mr. Joe Antonellis
Division Vice President,
Dialcom International.

           ANALYSIS OF HACKER'S THREAT TO KEYLINK-D
           ----------------------------------------

   On the 25th March 1988, 11:45 AEST, Mr J. Antonellis of Dialcom
was advised that OTC had received a threat from a hacker.
   This message is to formally advise Dialcom of the nature of the
threat, in which the hacker claimed:

1) The hacker claims to have access to about 100 Dialcom accounts on BT GOLD,
PRIMECOM, TELEBOX, GOLDNET etc.

2) The hacker intends using these accounts to send thousands of mail
to all of the customer accounts on our systems of which he is aware and
which OTC believes is quite extensive.
  The hacker threatens to do this for as many weeks as required
until OTC succumbs and delivers the hacker six free mailboxes.

3) The hacker claims to have access to other PRIMEs and VAXs which he can
program to do this feat without his intervention, which we believe.
   The hacker accesses the OTC Dialcom system by using Austpac dial-up
and less frequently, from OTC Data Access dial-up.  The hacker uses a common
NUI which is used for access by all our dial-up customers.
   This message was sent to OTC from 157:AGS325 at 22:13 3/24/88 AEST, which we
believe has been hacked.

  OTC and Telecom (Aust.) are reviewing this situation and expect
to further advise Dialcom Inc. of our intentions by Monday 3/28/88.

   Please note these contacts in OTC re this situation:

Legal : Ros Robertson     Aust  2-287 5204 6008:OTC383
System : Channa Hapangama       2-287 5857 6008:OTC264
Commercial : David Brawn        2-287 5960 6008:OTC033
             Gary Donald        2-287 5990 6008:OTC003
Facsimile  :                    2-287 4435


Channa Hapangama
Technical Support Manager, Value Added Business.
OTC


     To:  JOEA (198:JOEA)
     Cc:  DM (198:DM)
     Cc:  MARK (198:MARK)
     Bc:  MICHAELR 
   From:  C.HAPANGAMA  (OTC264) Delivered:  Fri  25-Mar-88  15:39 AEST Sys 6008  (44)
Subject:  Hacker threat to Keylink-Dialcom.
Mail Id:  IPM-6008-880325-140990869

Mr. Joe Antonellis
Division Vice President,
Dialcom International.

           ANALYSIS OF HACKER'S THREAT TO KEYLINK-D
           ----------------------------------------

   On the 25th March 1988, 11:45 AEST, Mr J. Antonellis of Dialcom
was advised that OTC had received a threat from a hacker.
   This message is to formally advise Dialcom of the nature of the
threat in which the hacker claimed:

1) The hacker claims to have access to about 100 Dialcom accounts on BT GOLD,
PRIMECOM, TELEBOX, GOLDNET etc.

2) The hacker intends using these accounts to send thousands of mail
to all of the customer accounts on our systems of which he is aware and
which OTC believes is quite extensive.
  The hacker threatens to do this for as many weeks as required
until OTC succumbs and delivers the hacker six free mailboxes.

3) The hacker claims to have access to other PRIMEs and VAXs which he can
program to do this feat without his intervention, which we believe.
   The hacker accesses the OTC Dialcom system by using Austpac dial-up
and less frequently, from OTC Data Access dial-up.  The hacker uses a common
NUI which is used for access by all our dial-up customers.
   This message was sent to OTC from 157:AGS325 at 22:13 3/24/88 AEST, which we
believe has been hacked.

  OTC and Telecom (Aust.) are reviewing this situation and expect
to further advise Dialcom Inc. of our intentions by Monday 3/28/88.

   Please note these contacts in OTC re this situation:

Legal : Ros Robertson     Aust  2-287 5204 6008:OTC383
System : Channa Hapangama       2-287 5857 6008:OTC264
Commercial : David Brawn        2-287 5960 6008:OTC033
             Gary Donald        2-287 5990 6008:OTC003
Facsimile  :                    2-287 4435


Channa Hapangama
Technical Support Manager, Value Added Business.
OTC


     To:  BERTA (198:BERTA)
     To:  MARK (198:MARK)
     Cc:  S.BERLECKY   (STEVEB)
   From:  M.ROSENBERG  (MICHAELR) Delivered:  Mon  31-Oct-88  11:37 AEDT Sys 6007  (57)
Subject:  UK security
Mail Id:  IPM-6007-881031-104601171

Berta, Mark,
          While watching another German chat host, i observed the following
conversation:

 1          0 Hp3000's         guest    Saber's.Edge
 4          0 023427730040500  shatter  shatter
 5          0 uucpland         guest    uucico
 6          0                  guest
<4> shatter says: saber: i need the proper nua -- i will swop 4 full access to s
ystem 72
<1> Saber's.Edge says: well thats the proper nua..
<1> Saber's.Edge says: or if your in the usa its 301346
<4> shatter says: ghal: thnx -- the  system 72 is 023421920100472
<4> shatter says: id mag33023 neemg23
<1> Saber's.Edge says: thanks ..
<1> Saber's.Edge says: what id do you have on the d46?
<4> shatter says: saber: none yet -- i am going to hack it l8er
<1> Saber's.Edge says: not the pw but the Z{d..
<1> Saber's.Edge says: not that great of a system.. i have a few accounts on it
now..
<4> shatter says: saber: i have hacked the uk dialcoms and now working on the ot
hers
.sx
<1> Saber's.Edge says: well don't fuck up all the dialcoms..
<4> shatter says: saber: am turning system 72 in2 a pad
No Chan       From             User     Called
 1          0 Hp3000's         guest    Saber's.Edge
 4          0 023427730040500  shatter  shatter
 5          0 uucpland         guest    uucico
 6          0                  guest
<1> Saber's.Edge says: also don't tell ANYONE how to hack them..
<1> Saber's.Edge says: i've heard about the Australian's problems once people fo
und out how to hack Dialcom's..
<4> shatter says: saber: i won't -- but just need to attach them all from the uk
 4 a major hack l8er
<1> Saber's.Edge says: don't fuck up the USA's Dialcom's..
+++ <0> molinari +++
<4> shatter says: saber: i won't -- don't worry -- just wanna nick some sw
<0> molinari says: puach..
--- <0> molinari ---
--- <4> shatter ---
--- <4> shatter ---
--- <5> uucico ---
.sx
No Chan       From             User     Called
 1          0 Hp3000's         guest    Saber's.Edge
 6          0                  guest

The id given on 72 is valid, I tried it.  Please ignore any accesses from
5053200000 between 00:00 and 01:00 GMT on 31/10 because that was me checking
if it was true.   I don't know where that NTN 023427730040500 is, I get invalid
address when I call it.  It could well be an NUI that he has.  That number
can be changed by the user so it may not be a valid address at all.  I have
heard claims from other hackers that they have accessed source code from US
dialcoms when they didn't know who I was.
Regards,
Michael.


     Fo:  M.ROSENBERG   (MICHAELR)
     Fo:  OTC264 
   From:  S.BERLECKY  (STEVEB) Delivered:  Tue  18-Oct-88  15:12 AEST Sys 6007  (58)
Subject:  SWISS PAVILION EXPO HACKER PROBLEM
Mail Id:  IPM-6007-881018-136940425

for your perusal, steve
mike, do not ring the swiss guy until you talk to channa or me.

   From:  J.PURDY  (OTC288)  Delivered:  Tue  18-Oct-88  14:57 AEST Sys 6007
     To:  S.BERLECKY  (STEVEB)
Subject:  SWISS PAVILION EXPO HACKER PROBLEM
Mail Id:  IPM-6007-881018-134620160

STEVE,
THE X121 CALLED WAS 026245911010290
ITS SOME SORT OF BULLETIN BOARD WITH PEOPLE CHATTING ON IT IN NUREMBERG IN
GERMANY . IF U WANT TO LOG ON  USE THE PASSWORD  "GAST" (MEANS GUEST IN GERMAN)
SO PETER MOLL (THE EXPO SWISS PAVILION ASSISTANT MANAGER) TELLS ME

SHORTLY AFTER HE LOGGED ON HE RECEIVED THE FOLLOWING
"AUSTPAC SECURITY
YOU SHOULD HAVE ENTERED
-?N AND 12 CHARACTERS"
THEN FOLLOWED MORE PEOPLE CHATTING.
THEN AGAIN
"AUSTPAC SECURITY
WOT WERE THE EXACT 12 CHARACTERS YOU TYPED"
PETER MOLL THEN SED
"PLS IDENTIFY YOURSELF "
RESPONSE WAS
"AUSTPAC SECURITY
WOT ACCOUNT CODE EXACTLY DID YOU ENTER"
PETER MOLL RESPONSE
"PLSE IDENTIFY YOURSELF"
RESPONSE WAS
"MICHAEL ROSENBURG"
PETER MOLL SED
"WHAT IS PROBLEM"
RESPONSE WAS
"AUSTPAC - OTC SECURITY
TO WHISPER IT TO ME "
(APPRS USING THIS BULLETIN BOARD BY HITTING A FUNCTION KEY OR SOMETHING
THEY CAN SEND TO ANOTHER PERSON WITHOUT THE OTHER USERS SEEING IT
(I.E. WHISPERING IT)
PETER MOLLS RESPONSE WAS
"PLSE CALL ME ON 846-4017"
THE SYSTEM THEN LOCKED UP
AND THAT WAS THE END OF IT.

HOPE ITS OF SOME ASSISTANCE
TO YOU.....
I THORT PETER MOLL WAS SOMEWHAT ASTUTE IN NOT DIVULGING HIS NUI (HE HAS
AN ADDITIONAL DIAL UP NUI TO HIS X28 LINK)
IF U OR MICHAEL NEED TO CONTACT HIM HIS NBR IS
PETER MOLL SWISS PAVILION EXPO 88  07 8464017. HE IS A VERY APPROACHABLE GUY
AND WE HAVE WORKED CLOSELY WITH HIM AT EXPO, HOLDING DATA ACCESS SEMINARS
ETC AT THE SWISS PAVILION
I AM QUITE SURE HE WOULD NOT BE A PARTY TO ANY HACKING ACTIVITIES HIMSELF.

GIVE MY REGARDS TO MICHAEL HOPE HE IS FEELING BIT BETR
RGDS
   JOHN PURDY BRISBANE OFFICE



     To:  MARK (198:MARK)
     Cc:  BERTA (198:BERTA)
     Cc:  DM (198:DM)
     Bc:  M.ROSENBERG   (MICHAELR)
   From:  S.BERLECKY  (STEVEB) Delivered:  Mon  10-Oct-88  18:52 AEST Sys 6007  (20)
Subject:  HACKING
Mail Id:  IPM-6007-881010-169901197

Mark,
 Thank you for your help this morning concerning the id UDP081. We decided
to allow system 141 to talk to system 6007 again this afternoon, as soon
as we re-opened this path the letters started flowing in again except this
time they were from UDP080. We have closed this path again. Could i ask
you to scan the whole UDP account and possibly the whole TCN account
on system 141 as these seem to be a source of illegal use. Michael Rosenberg
detected TCN178 and UDP080 being used from the address 31102050001801.
You may want to scan on this address as well.
 As far as the last few days effort goes there were 4339 messages sent
from UDP081 to our systems, only about 160 hit real accounts on our systems
and only 13 out of these 160 actually read the item. We have deleted the other
147 letters off our system. We are also contacting the 13 that have read
this item.


Thanks again for your help and waiting to hear from you if you come up
with anything.

Regards Steve Berlecky  (6007:steveb)

     To:  MICHAELR (6007:MICHAELR)
     Cc:  R.BARNACK   (BERTA)
   From:  M.HULBERT  (MARK)  Delivered:  Mon  31-Oct-88  11:48  Sys 198  (69)
Subject:  Reply to:  UK security
Mail Id:  IPM-198-881031-106230001

Thanks much Mike. I will get this to the UK for them to act on
it in the morning.

I will review it a bit more then as well.

Mark

   From:  M.ROSENBERG  (MICHAELR) Delivered:  Sun  30-Oct-88  19:37 EST Sys 6007
     To:  M.HULBERT  (MARK)
Subject:  UK security
Mail Id:  IPM-6007-881030-176580001

Berta, Mark,
          While watching another German chat host, i observed the following
conversation:

 1          0 Hp3000's         guest    Saber's.Edge
 4          0 023427730040500  shatter  shatter
 5          0 uucpland         guest    uucico
 6          0                  guest
<4> shatter says: saber: i need the proper nua -- i will swop 4 full access to s
ystem 72
<1> Saber's.Edge says: well thats the proper nua..
<1> Saber's.Edge says: or if your in the usa its 301346
<4> shatter says: ghal: thnx -- the  system 72 is 023421920100472
<4> shatter says: id mag33023 neemg23
<1> Saber's.Edge says: thanks ..
<1> Saber's.Edge says: what id do you have on the d46?
<4> shatter says: saber: none yet -- i am going to hack it l8er
<1> Saber's.Edge says: not the pw but the Z{d..
<1> Saber's.Edge says: not that great of a system.. i have a few accounts on it
now..
<4> shatter says: saber: i have hacked the uk dialcoms and now working on the ot
hers
.sx
<1> Saber's.Edge says: well don't fuck up all the dialcoms..
<4> shatter says: saber: am turning system 72 in2 a pad
No Chan       From             User     Called
 1          0 Hp3000's         guest    Saber's.Edge
 4          0 023427730040500  shatter  shatter
 5          0 uucpland         guest    uucico
 6          0                  guest
<1> Saber's.Edge says: also don't tell ANYONE how to hack them..
<1> Saber's.Edge says: i've heard about the Australian's problems once people fo
und out how to hack Dialcom's..
<4> shatter says: saber: i won't -- but just need to attach them all from the uk
 4 a major hack l8er
<1> Saber's.Edge says: don't fuck up the USA's Dialcom's..
+++ <0> molinari +++
<4> shatter says: saber: i won't -- don't worry -- just wanna nick some sw
<0> molinari says: puach..
--- <0> molinari ---
--- <4> shatter ---
--- <4> shatter ---
--- <5> uucico ---
.sx
No Chan       From             User     Called
 1          0 Hp3000's         guest    Saber's.Edge
 6          0                  guest

The id given on 72 is valid, I tried it.  Please ignore any accesses from
5053200000 between 00:00 and 01:00 GMT on 31/10 because that was me checking
if it was true.   I don't know where that NTN 023427730040500 is, I get invalid
address when I call it.  It could well be an NUI that he has.  That number
can be changed by the user so it may not be a valid address at all.  I have
heard claims from other hackers that they have accessed source code from US
dialcoms when they didn't know who I was.
Regards,
Michael.


     To:  MICHAELR (6007:MICHAELR)
   From:  M.HULBERT  (MARK)  Delivered:  Sun  16-Oct-88  1:38  Sys 198  (22)
Subject:  Reply to:  TCN051
Mail Id:  IPM-198-881016-014820001

MIKE,

Thanks for the info. I have had Operations watching for
any activity and I did get on and check on what was going
on as well at about 06:50 our time this morning.

I had a brief chat session with him on line but he was
very cautious. It was THE FORCE and he didn't open up
too much.

I will look at the files shortly.

Mark

   From:  M.ROSENBERG  (MICHAELR) Delivered:  Sat  15-Oct-88  6:44 EDT Sys 6007
     To:  M.HULBERT  (MARK)
Subject:  TCN051
Mail Id:  IPM-6007-881015-060630001

On system 41 has been hacked.  If he has deleted the files on his account,
I copied them to 98:otc-all>tcn051.   I noticed him on at 6:43 am on 10/15.
Michael.


     To:  MICHAELR (6007:MICHAELR)
   From:  M.HULBERT  (MARK)  Delivered:  Fri  14-Oct-88  0:39  Sys 198  (22)
Subject:  Reply to:  TCN098
Mail Id:  IPM-198-881014-005910001

Alan,

The number of minutes was for a one week extract of our bill since
it was too time consuming to perform a full month's review.

If you expand them by about 4.33 - you should be close. Our international
traffic minutes for the August timeframe were about 38K minutes

Mark

   From:  M.ROSENBERG  (MICHAELR) Delivered:  Thu  13-Oct-88  4:42 EDT Sys 6007
     To:  M.HULBERT  (MARK)
Subject:  TCN098
Mail Id:  IPM-6007-881013-042410001

was hacking this morning.  I informed ops via Lillian who clobbered him.
I copied some of his files before he deleted them (he was making files and
then deleting them) to otc-all>tcn098 but he no doubt had made more when
he was hit so you'll have them.  The hacker who called from the states
last night gave the name SAM MONICA who said he was from Dialcom, system 41.
Obviously not his real name but does it mean anything to you?
Michael


     To:  MICHAELR (6007:MICHAELR)
     Cc:  STEVEB (6007:STEVEB)
     Cc:  M.HULBERT   (MARK)
   From:  M.HULBERT  (MARK)  Delivered:  Mon  10-Oct-88  22:29  Sys 198  (37)
Subject:  Reply to:  hacker on 41
Mail Id:  IPM-198-881010-202440001

Mike,

I note a pattern with the hackers. I shut down the SCX account
access on Saturday since I noted the activity there.

If a hacker breaks into an account, they use the directory for
the account to:

    a. Get a list of the approved accounts on the systems

    b. Use the directory as a source of passwords. I have noted
that names, organizational abbreviations, etc. do map to the
user's passwords.

Once they are into an account prefix, they usually find several
easily accessed accounts. In addition, they do not bang on an
ID more than a couple or three times so as to not raise our
Operations folks awareness of an attempt to penetrate.

Mark

   From:  M.ROSENBERG  (MICHAELR) Delivered:  Sat  8-Oct-88  22:49 EDT Sys 6007
     To:  M.HULBERT  (MARK)
Subject:  hacker on 41
Mail Id:  IPM-6007-881008-205390001

Mark,
   I found that 41:TCN181 was hacking on 10/6 at 2:44 GMT netlinking to
altos.  He was one of my hackers (aust.) and came from 26245724740132.
If this guy, and/or any others have been netlinking back to aust, I could
really use that info because he is getting passwords from somewhere that I
haven't found yet, presumably with his netlinking to pads/tielines trick.
  There was another TCN on at the same time as Phoenix (hacker's alias)
netlinking to a telenet address.  Interesting the way they have so many on the
one account group.  e.g. 52:scx.
Thanks,
Michael.
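Mark Hulbert's observation above (a few tries per ID, spread across an account prefix, so that Operations never sees a lockout) is the low-and-slow pattern a per-ID threshold cannot catch. The Python below is an added example, not code from the Dialcom correspondence or from Dialcom or OTC: over a constructed set of failed-login records it runs the per-ID threshold and then the same failures aggregated by calling network address and by account prefix, to show that only the aggregated views fire. The records, addresses, limits and function names are all assumptions made up for the example.

```python
from collections import defaultdict

# Constructed sample of failed-login records: (time, calling network address,
# account id). Addresses and IDs are made up for this example; none are taken
# from the correspondence above.
SAMPLE_FAILURES = [
    ("01:02", "311099900000001", "SCX001"),
    ("01:03", "311099900000001", "SCX001"),
    ("01:05", "311099900000001", "SCX002"),
    ("01:06", "311099900000001", "SCX002"),
    ("01:07", "311099900000001", "SCX003"),
    ("01:09", "311099900000001", "SCX004"),
    ("01:10", "311099900000001", "SCX004"),
    ("01:11", "311099900000001", "SCX005"),
    ("02:30", "505299900000002", "UDP080"),
    ("02:31", "505299900000002", "UDP080"),
    ("03:00", "505299900000003", "TCN178"),  # one genuine typo by a real user
]

PER_ID_LIMIT = 3       # classic per-ID alert threshold (assumed value)
AGGREGATE_LIMIT = 5    # alert when one source or one prefix exceeds this
SWEEP_MIN_IDS = 4      # a source trying this many distinct IDs is sweeping


def account_prefix(account):
    """Dialcom IDs are a letter group followed by digits: SCX027 -> SCX."""
    return account.rstrip("0123456789")


def _count(records, key):
    counts = defaultdict(int)
    for rec in records:
        counts[key(rec)] += 1
    return counts


def flag_per_id(records=SAMPLE_FAILURES, limit=PER_ID_LIMIT):
    """IDs whose own failure count passes the limit (the view the hackers beat)."""
    return sorted(acct for acct, n in _count(records, lambda r: r[2]).items() if n > limit)


def flag_by_source(records=SAMPLE_FAILURES, limit=AGGREGATE_LIMIT):
    """Calling addresses whose failures across all IDs pass the limit."""
    return sorted(src for src, n in _count(records, lambda r: r[1]).items() if n > limit)


def flag_by_prefix(records=SAMPLE_FAILURES, limit=AGGREGATE_LIMIT):
    """Account prefixes whose failures across all member IDs pass the limit."""
    return sorted(p for p, n in _count(records, lambda r: account_prefix(r[2])).items() if n > limit)


def flag_sweeping_sources(records=SAMPLE_FAILURES, min_ids=SWEEP_MIN_IDS):
    """Calling addresses that touched at least min_ids distinct IDs."""
    seen = defaultdict(set)
    for _, src, acct in records:
        seen[src].add(acct)
    return sorted(src for src, ids in seen.items() if len(ids) >= min_ids)


if __name__ == "__main__":
    print("per-ID  :", flag_per_id())            # [] -- nothing fires
    print("source  :", flag_by_source())         # ['311099900000001']
    print("prefix  :", flag_by_prefix())         # ['SCX']
    print("sweeping:", flag_sweeping_sources())  # ['311099900000001']
```

The per-ID view stays silent because no single ID was tried more than twice; the same eleven records grouped by calling address or by prefix show one address working its way through the SCX group. The distinct-ID count per source is the cheapest of the three to run against a NUSAGE-style report, since it needs no threshold tuning beyond "how many IDs does one caller legitimately use".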


     To:  MICHAELR (6007:MICHAELR)
   From:  M.HULBERT  (MARK)  Delivered:  Sat  8-Oct-88  11:20  Sys 198  (52)
Subject:  Reply to:  Reply to:  not him again
Mail Id:  IPM-198-881008-102090001

Mike,

The crew is not just your area - I have seen them coming in from
the West Coast area of the US as well.

Will be sorting it out this weekend and will advise you more.

Mark

   From:  M.ROSENBERG  (MICHAELR) Delivered:  Thu  6-Oct-88  19:31 EDT Sys 6007
     To:  M.HULBERT  (MARK)
Subject:  Reply to:  not him again
Mail Id:  IPM-6007-881006-175700001

Mark,
   The address stated in this is not quite correct, i was quoting it from memory.
The address was 505233589998 (not 9996), but you would have found that from
one nusage anyway.
Michael.

   From:  M.HULBERT  (MARK)  Delivered:  Fri  7-Oct-88  3:20  Sys 198
Forward:  M.ROSENBERG  (MICHAELR)
Subject:  not him again
Mail Id:  IPM-198-881007-030120001

Mike,

Thanks for the warning. I will get back to you later
this evening.

Mark

   From:  R.BARNACK  (BERTA) Delivered:  Thu  6-Oct-88  13:02 EDT Sys 198
Forward:  M.HULBERT  (MARK)
Subject:  not him again
Mail Id:  IPM-198-881006-117340135

this should be it.

berta

   From:  M.ROSENBERG  (MICHAELR) Delivered:  Thu  6-Oct-88  8:54 EDT Sys 6007
     To:  R.BARNACK  (BERTA)
Subject:  not him again
Berta,

    I identified some hacked accounts as (52)scx027 coming from 505233589996,
and i called dialcom operations and notified them of same.  I still don't
know if there are more on 52 (they certainly claim to have lots more).
I would certainly look for any access by that address. I didn't find out about
any on 41.
Michael


     Fo:  MICHAELR (6007:MICHAELR)
     Cc:  M.HULBERT   (MARK)
   From:  M.HULBERT  (MARK)  Delivered:  Fri  7-Oct-88  3:20  Sys 198  (27)
Subject:  not him again
Mail Id:  IPM-198-881007-030120001
	
Mike,

Thanks for the warning. I will get back to you later
this evening.

Mark

   From:  R.BARNACK  (BERTA) Delivered:  Thu  6-Oct-88  13:02 EDT Sys 198
Forward:  M.HULBERT  (MARK)
Subject:  not him again
Mail Id:  IPM-198-881006-117340135

this should be it.

berta

   From:  M.ROSENBERG  (MICHAELR) Delivered:  Thu  6-Oct-88  8:54 EDT Sys 6007
     To:  R.BARNACK  (BERTA)
Subject:  not him again
Berta,

    I identified some hacked accounts as (52)scx027 coming from 505233589996,
and i called dialcom operations and notified them of same.  I still don't
know if there are more on 52 (they certainly claim to have lots more).
I would certainly look for any access by that address. I didn't find out about
any on 41.
Michael


     To:  MARK (198:MARK)
   From:  M.ROSENBERG  (MICHAELR) Delivered:  Tue  22-Nov-88  17:49 AEDT Sys 6007  (17)
Subject:  Hackers on 46
Mail Id:  IPM-6007-881122-160360329

Mark,
   I think that you will find that 46:ltl492 and 46:fmt004 have been hacking
furiously lately.  If you can wait a couple of days before killing them, it
would be better for me because I think the guy knows that I saw him on
altos and if the account is killed straight away he will know that it was me.

I think that the hacker is the one who knows my home number/address etc and
don't want to get him upset with me.  I am trying to make him think that
I have stopped chasing hackers.  Are the network addresses from which he
comes (not the australian ones)  telenet dial-up ports?  If they are, then
it would be nice if Telenet could get in touch with Telecom Aust. here
because I know a guy in Telecom who wants to bust these guys for telephone
fraud, because they are getting free phone calls to the states!!! Would Telenet
be interested??
Let me know what you find?
Thanks,
Michael.


     To:  MARK (198:MARK)
   From:  M.ROSENBERG  (MICHAELR) Delivered:  Sat  3-Dec-88  9:55 AEDT Sys 6007  (7)
Subject:  Hacker? on 78
Mail Id:  IPM-6007-881203-089380919

Mark,
      on the 11/30 or 12/1 ( I can't remember ) I saw someone on altos
coming from 23421920100478, which is sys 78.  I can't remember the times
or dates but they more than likely would have been netlinking to
26245890040004.  Would you forward this message to BT?
Thanks,
Michael.


     To:  BERTA (198:BERTA)
   From:  M.ROSENBERG  (MICHAELR) Delivered:  Fri  9-Dec-88  11:25 AEDT Sys 6007  (30)
Subject:  Security
Mail Id:  IPM-6007-881209-102761316

Berta,
     I managed to use network_define to effectively disable a terminal by
setting the PAD parameters to appropriate values. A very messy solution but
effective in the interim.

The security problem which I was trying to tell you was this one:

At the moment, the OS will look in login>sons for the ufd name of a user logging
in.  If found, it will execute the specified command, which is the way AOSLOGIN
is run.  I have been using that means to enforce other restrictions on our
inhouse users and certain hacked accounts.  However, the problem is that
if the user strikes BREAK as he logs in, the OS does not look in SONS but
goes into command mode, thus avoiding any security that should  be applied to
that account. This includes any menu.ctl settings which AOSLOGIN would set
on a user.

I suggest that the OS not be allowed to be interrupted during the login phase
until after a command file in SONS has been executed.   Generally, I mean
that we should be able to force a user to execute an external command that we
may wish him to, even if he tries to avoid this by breaking out of the
login procedure.

This would be very handy to me to enforce extra security restrictions on
inhouse accounts.  It works fine for normal users, but my hackers know about this
window, and I can't put any more security on them except seclevs.

Is this possible?  What does Fritz say?

Thanks,
Michael.




   From:  R.MYERS  (BERTA)   Delivered:  Thu  22-Dec-88  6:00  Sys 198
Forward:  S.BERLECKY  (STEVEB)
Subject:  Reply to:  trace facilities
Mail Id:  IPM-198-881222-054030001

Here you go... words of Fritz..

berta.

   From:  F.THANE  (FRITZ)   Delivered:  Wed  21-Dec-88  11:51 EST Sys 198
     To:  R.MYERS  (BERTA)
Subject:  Reply to:  trace facilities
Mail Id:  IPM-198-881221-106700986
In Reply To:  IPM-198-881221-081340993

While such trace facilities would be nice, they do not exist in
the present version of the O/S. In fact, they never have existed
because of memory requirements. I had a trace function in rev 18
at one point that only saved the frame/packet header information.
In order for the system to be able to retrieve that info, approximately
256 frames had to be saved because of the speed with which they
would arrive.

   From:  R.MYERS  (BERTA)   Delivered:  Wed  21-Dec-88  9:02 EST Sys 198
Forward:  F.THANE  (FRITZ)
Subject:  trace facilities
Can we help these hacked souls......

tks,
berta

   From:  S.BERLECKY  (STEVEB) Delivered:  Wed  21-Dec-88  0:58 EST Sys 6007
     To:  R.MYERS  (BERTA)
Subject:  trace facilities
Berta,
 here is a different question from the usual fax questions....
 Michael is trying to track Hackers and has come up with some useful tools;
however, we have found a rather large hole in his program and with no way
of remedying it. What i would like to find out from Dialcom and in this
case i probably mean Fritz or Pat is whether there are any ways of tracing
or tapping into (software wise) the x25 or virtual circuit connections.
 To put it simply we need to monitor what is happening on the lines and
ports.
 I know Dialcom may not want to give this sort of info out or release this
sort of trace facilities, but could i get an answer of whether it can be done.
  We are talking desperate times here, either Dialcom gives me something
or i may have to gag michael from asking me this question 20 times a day.

 help needed and wanted, steve


     To:  OTC264 
   From:  M.ROSENBERG  (MICHAELR) Delivered:  Thu  29-Dec-88  22:44 AEDT Sys 6007  (5)
Subject:  HACKER
Mail Id:  IPM-6007-881229-204630463

I DETECTED CEG002 HACKING TONITE, ALTHOUGH HE WAS HACKING ON
IT LAST NITE TOO.  I DONT THINK THAT HE
HAS THE 001 ACCOUNT.  I HAVE KILLED CEG002 AFTER KNOCKING HIM OFF..

MIKE..


     Fo:  MICHAELR (6007:MICHAELR)
     Cc:  M.HULBERT   (MARK)
     Cc:  R.RUSSIN   (ROBERT)
   From:  M.HULBERT  (MARK)  Delivered:  Wed  23-Nov-88  4:17  Sys 198  (54)
Subject:  Reply to:  Hackers on 46
Mail Id:  IPM-198-881123-038550001

Michael,

We have two addresses in Australia that indicate that
our "friends" are using your network to access our
IDs on the systems here. Here are a couple of numbers to
run against the network addresses and maybe we
can begin to "smoke out" our friends!

505222389941 ( two accesses)

Mark

   From:  M.HULBERT  (MARK)  Delivered:  Tue  22-Nov-88  8:26 EST Sys 198
     To:  M.HULBERT  (MARK)
Subject:  Reply to:  Hackers on 46
Mail Id:  IPM-198-881122-075980904
In Reply To:  IPM-6007-881122-016040001

Thanks - Mike. I have noted the hacking on the FMT account
for the last three weeks but the client is unable to
react to changing the password. We have advised the
sales folks but the PCs associated with the account seem
to be difficult to change the password.

We have advised Telenet and as I indicated before - the FORCE is
entering Telenet via the Birmingham Alabama node in the
US and D.J. Chronos is entering normally via the Santa Barbara
California Telenet node. However, we have not yet been able to
determine how they are doing it. I do suspect that they have
access to a credit card authorization number and may be
using that to reach us.

Mark

   From:  M.ROSENBERG  (MICHAELR) Delivered:  Tue  22-Nov-88  1:46 EST Sys 6007
     To:  M.HULBERT  (MARK)
Subject:  Hackers on 46
Mark,
   I think that you will find that 46:ltl492 and 46:fmt004 have been hacking
furiously lately.  If you can wait a couple of days before killing them, it
would be better for me because I think the guy knows that I saw him on
altos and if the account is killed straight away he will know that it was me.

I think that the hacker is the one who knows my home number/address etc and
don't want to get him upset with me.  I am trying to make him think that
I have stopped chasing hackers.  Are the network addresses from which he
comes (not the australian ones)  telenet dial-up ports?  If they are, then
it would be nice if Telenet could get in touch with Telecom Aust. here
because I know a guy in Telecom who wants to bust these guys for telephone
fraud, because they are getting free phone calls to the states!!! Would Telenet
be interested??
Let me know what you find?
Thanks,
Michael.


     To:  MICHAELR (6007:MICHAELR)
     Cc:  R.RUSSIN   (ROBERT)
   From:  M.HULBERT  (MARK)  Delivered:  Thu  23-Mar-89  4:40  Sys 198  (30)
Subject:  Reply to:  FORCE
Mail Id:  IPM-198-890322-122881269
In Reply To:  IPM-6007-890321-174760001

Mike,

I haven't seen hide nor hair of the Force or D.J. Chronos.

We continue to sweep the systems on a weekly basis but no
signs of the buggers.

I sense that there are more active police activities in this
area in Australia since there seemed to be a rather active
group attacking credit computers etc as I saw in a US newspaper.

Mark

   From:  M.ROSENBERG  (MICHAELR) Delivered:  Tue  21-Mar-89  19:25 EST Sys 6007
     To:  M.HULBERT  (MARK)
Subject:  FORCE
Mail Id:  IPM-6007-890321-174760001

Mark,
    there has been a falling out amongst hackers in Australia, what with
the Federal police chasing after them and I had one telephone me yesterday
with some information.
    He told me that the FORCE has now retired due to various reasons.

    Have you noticed that the FORCE has stopped??  He hasn't annoyed me for
many months so I don't know.  I do believe this guy so I thought that you might
like to know.

Regards,
Michael


     To:  MARK (198:MARK)
     To:  ROBERT (198:ROBERT)
     Bc:  BERTA (135:BERTA)
   From:  M.ROSENBERG  (MICHAELR) Delivered:  Wed  9-Aug-89  17:13 AEST Sys 6007  (1016)
Subject:  Reply to:  Reply to:  Reply to:  Intruder
Mail Id:  IPM-6007-890809-154990609
In Reply To:  IPM-198-890808-130321279

   I might regret saying this, but what would you say if I said that
I knew who this Australian hacker was, down to address and phone number,
and at one stage had the federal police looking into him, bu
  There was much activity about 3-4 months with this guy and various authorities
and he got scared and stopped for a while and I haven't seen hide nor hair
of him on my system since.  However, the guys in our packet switching
in whom I provoked much interest have been aware of the above Australian
NTN and when I talked to them today, they were aware that Goldnet has been
suspect for the last 2 months.
   I do not know what the status of this guy is with the law here, but if you
express interest (stupid question, but I'll have to ask it) in this guy
from an official position, I will do what I can.
   We managed to forget about him because he avoids 6007,6008 and 6009
like the plague because I have recorded his activities so often.

  anyway, let me know.
  Regards,
  Michael Rosenberg.
  OTC Australia / Network Innovations


   From:  R.RUSSIN  (ROBERT) Delivered:  Wed  9-Aug-89  4:48  Sys 198
     To:  M.ROSENBERG  (MICHAELR)
Subject:  Reply to:  Reply to:  Intruder
Mail Id:  IPM-198-890808-130321279
In Reply To:  IPM-198-890807-071231114

     Hacker Report Summary for May/June/July 1989
    ------------------------------------------

U.S Dialcom accounts hit.

50: SIE134 May 3, 7, 15, 23, 29 & 31 penetrated via network address
    311080500018xx Telenet Santa Barbara California.

50: SIE169 May 1, 2, 3, 7, 8, 9, 10, 11, 12, 14, 15, 16, 17, 18, 19
    21, 22, 24, 25, 27, 29, 30 & 31 penetrated via network address
    311080500018xx Telenet Santa Barbara California.

50: SIE110 May 1, 2, 5, 7, 10, 16 - June 1, 2, 3, 4 & 5 penetrated via
    network address 311080500018xx Telenet Santa Barbara California and
    311080400009xx, 311080400019xx Telenet Richmond Virginia.

The entire account group SIE had their passwords changed on June 6th
by my request to the System Administrator thru the Dialcom Support Rep.
The passwords were changed to 6 character using at least one special
character and not using a common name. The account hasn't been penetrated
since then.

42: IMC096 June 10, 11, 12 penetrated via network address 311080500018xx
    Telenet Santa Barbara California, 31102336010404 Telenet Host Computer
    unknown. Telenet wouldn't disclose what kind of system it was to Dialcom.
    The password was changed on June 12.

42:IMC2371 June 21, 22 & 23 penetrated via network address 311080500018xx
   and 31102336010404. The password was changed on June 23.

42:IMC2816 June 23, 24, 25, 26, 27, 28 penetrated via network address
   311080500018xx and 31102336010404. The password was changed on June 28.
	
-------------------------------------------------------------------------------
>From the NUSAGE report provided by Ami Hadas 5006:AMI I see that the hacker
launched from 50:SIE110 on June 3, 4 and 5 and gained access to system 05
AIT001. On the U.S side the hacker passed thru this account from the
network address 311080500018xx.

Again from the report I see that the hacker launched from 42:IMC096 on June
11 and 12 and gained access to system 05 AIT001. On the U.S. side the hacker
passed thru this account via the network address 311080500018xx on June 10
to unknown address around the world and to 05 AIT001 on June 11 and 12 via
the network address 31102336010404.

This explains the access to system 05 from both system 50 and 42. However the
main launching pad to system 05 has been via the Telenet network address
311080500018xx in Santa Barbara California and OTC address 505236189937 in
Australia.
	
Here are the country DNIC numbers the hacker(s) are going to from
the NUSAGE report Ami sent us from system 05 in Israel.
2624  Germany
5053  Australia
4872  Taiwan
2080  France
2284  Switzerland
2342  UK
2382  Denmark
4542  Hong Kong
5252  Singapore
2422  Norway
5052  Australia
2724  Ireland
5301  New Zealand
2322  Austria

-------------------------------------------------------------------------------
In general, my experience with this group of hackers is that they have
a PC setup to process an algorithm which tries to break a known account using
a database list of passwords from a dictionary and also slang words used in
this day and age. Once on they upload from the PC these same databases and other
Prime CPL's they have created to the host system and use this system to launch
their attack on other host systems via the netlink command. In the beginning
when I started working in this area (Sept 88) the hackers would have a habit
of leaving trails behind them, for example CPL's, input files, databases etc..

	In some cases they would create subufd's and keep a backup copy of their files
	there as well. They also used common file names such as DEF.CPL, PW.CPL, FILE
DATA, DEF03.CPL, DE3F.CPL, DEF3.CPL, (BACKUP = subufd) and many other ?.CPL
files. After scanning the systems and finding many back doors they had because
of the files they left there. It was easy at first to locate them, remove the
file and have the user change the password to a 6 character one using a special
character in it as well. After a couple months they learned to use different
names for their files since they were onto me locating them by their habit
of file names. Even after that they got smart and only left files penetrated
accounts that they needed.  Any account they needed as a back door they didn't
place any files on it.

Since September 1988 I have been investigating all systems on a weekly basis
for any kind of hacker activity. This was done by looking over unusual system
console readings, NUSAGE runs and of course notifications by support staff
and customers. The information gathered is then used for tracking hackers
such as adding new network address numbers to the nusage runs, examining
files found on penetrated accounts and getting an understanding for how
they think and what they are up to.

Basically they use our systems to penetrate other computer systems and also
to move information around the world from intelligence gathered on those other
systems. This goes for the licensee community as well. I can stop them
from accessing an account of a U.S. Dialcom system and they will then go
to a licensee system or someone else for a while. They know who is the
most vulnerable and who isn't.

If you have any questions on any of this please let me know.

Thanks,
Robert Russin                Dialcom Systems Security

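Russin's description above (a PC working through a dictionary and slang list against a known account, and the fix of making users pick a 6-character password with a special character in it) can be turned into an acceptance check on the host side. The following Python is an added example, not code from Dialcom or from anyone in these messages: it applies the two rules Russin gives and additionally rejects candidates that collapse to a list word once lower-cased, stripped of trailing digits and punctuation, or with digit-for-letter substitutions undone. The word list is constructed for the demonstration, and the substitution table is an assumption about what such attack lists tried.

```python
import re

# Constructed stand-in for the "database list of passwords from a dictionary and
# also slang words" the message describes; a real check would load a large list.
SAMPLE_WORDLIST = {"password", "secret", "welcome", "awesome", "rad", "dialcom", "prime"}

SPECIAL = set("!@#$%^&*()-_=+[]{};:,.<>/?\\|~`'\"")

# Digit-for-letter substitutions undone before the dictionary lookup (assumption:
# these six are representative of what attack lists of the period tried).
UNDO_SUBSTITUTIONS = str.maketrans("013457", "oleast")


def normalise(candidate):
    """Return the forms of `candidate` a dictionary run would also hit: lower-cased,
    with punctuation removed, with trailing digits removed, and with the common
    digit-for-letter substitutions reversed."""
    base = candidate.lower()
    stripped = re.sub(r"[^a-z0-9]", "", base)
    forms = {base, stripped, re.sub(r"\d+$", "", stripped)}
    forms |= {f.translate(UNDO_SUBSTITUTIONS) for f in list(forms)}
    return forms


def password_problems(candidate, wordlist=SAMPLE_WORDLIST):
    """Apply the rule given to compromised users (at least 6 characters, at least one
    special character) plus a dictionary check. Returns the list of rules failed;
    an empty list means the password is acceptable."""
    problems = []
    if len(candidate) < 6:
        problems.append("shorter than 6 characters")
    if not any(ch in SPECIAL for ch in candidate):
        problems.append("no special character")
    if normalise(candidate) & wordlist:
        problems.append("dictionary or slang word (possibly with digits or substitutions)")
    return problems


if __name__ == "__main__":
    for pw in ("rad", "Welcome99", "p4ssw0rd!", "Tr4ck!ng-NUA"):
        print(pw, "->", password_problems(pw) or "acceptable")
```

The normalisation step is what makes the check worth more than a length rule: "p4ssw0rd!" satisfies both of Russin's rules yet is still a one-line dictionary entry with substitutions, so it is rejected.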
   From:  M.HULBERT  (MARK)  Delivered:  Mon  7-Aug-89  7:54 EDT Sys 198
     To:  R.RUSSIN  (ROBERT)
Subject:  Reply to:  Intruder
Mail Id:  IPM-198-890807-071231114
In Reply To:  IPM-198-890807-059120949

Lillian, I have Robert investigating the details and we will
be looking at the circumstances surrounding it. We have seen
two individuals from Australia before - "The Force" and DJ Kronos
who have been active from Australia. Unfortunately, we have
not had great success in gaining cooperation from the Australian
law enforcement folks to track the source there.

We will be reviewing our data tomorrow morning and will get back to you
after that review.

Mark

   From:  L.WACHBROIT  (LILLIANW) Delivered:  Mon  7-Aug-89  6:34 EDT Sys 198
Forward:  M.HULBERT  (MARK)
Subject:  Intruder
Mark,

     More on the Hacker incident(s) Zohar reported today -- looks very
very serious!
     Please let me, Zohar and Ami know how you wish to proceed.  (and
whether we need the Aussies involved as well).  If you need to
speak to either of them directly, Zohar's number is +972-3-7532418
and Ami's is +972-3-7532419.

Thanks,
Lillian

   From:  A.HADAS  (AMI)     Delivered:  Mon  7-Aug-89  6:03 EDT Sys 5006
     To:  L.WACHBROIT  (LILLIANW)
Subject:  Intruder
Hi,

Unfortunately we discovered only now an intruder who broke into our system
during June and July. The hacker is a pro who knows too much about Prime
Dialcom and DEC systems as well. Actually more than one person is involved
in that crime and as you can see from the nusage file below which contains
the calling address and the outgoing called address, these guys are spread
around US, Europe and Australia.
From June 3rd and on they were using the ID of AIT001 to sign on system 05.
Some of the calls are coming from Dialcom system 150 and 142. I would like
you to ask these system administrators to run nusage and find the guys who
called system 5005 (at 425130000215 or 425130000215xx or 42513000013744)
on the appropriate days (note the 7 hours difference between us).
I am sending you the complete nusage out file with the complete list
of addresses and dates, this may give you further clues.
Aurec would like to get all of the details you can before we take further
steps.
I would also ask you to scan for calls to 425130000537 which is an Aurec
Information system located here, we suspect that the same guys accessed
that system illegally during that period.
Please assign top priority to that investigation. It looks like we have
professionals (who wrote CPL and BASIC procedures to scan addresses and
try to break into systems all over the world) who have a commercial
intelligence interest in our systems.
Another clue may be found in a *MAILSAVE* file which is signed by
David and mentions IND001 and IND003.

                        Regards, Ami.
------------------------------------------------------------------------------

Date    Time  VC Net Adr        Net Addr          Con Hrs          Chars I/O

06/03  11:22  26245890040004    31103010025350       0:05      567       309
06/03  11:27  3106004064        31103010025350       0:31     5728       198
06/03  14:02  26245890040004    31103010025350       0:18     2495       488
06/03  14:31  3106004064        31103010025350       0:03       25        96
06/04  16:30  26245890040004    31103010025350       0:01      429        74
06/04  16:39  26245300030056    31103010025350       0:02        0        54
06/04  16:51  26245890040004    31103010025350       0:01       54        54
06/04  16:53  26245890040004    31103010025350       0:01      425        51
06/04  16:54  26245890040004    31103010025350       0:01      138        53
06/04  17:00  26245890040004    31103010025350       0:52     9077      1204
06/05  12:05  26245890040004    31103010025350       0:03      476        56
06/05  13:16  5053200000        31103010025350       0:01       61        13
06/05  18:50  26245890040004    31103010025350       0:01      500        53
06/05  18:51  26245890040004    31103010025350       0:01       96        13
06/06   7:05  26245890040004    31108050001803       0:01      481        65
06/06   9:00  26245890040004    31108050001803       0:02      519        63
06/07   7:36  26245400050570    31108050001806       0:04     2196       372
06/07   7:40  26245890040004    31108050001806       0:32      827        82


     To:  MARK (198:MARK)
     To:  OPER (198:OPER)
   From:  M.ROSENBERG  (MICHAELR) Delivered:  Fri  24-Nov-89  9:57 AEDT Sys 6007  (17)
Subject:  possible hacker
Mail Id:  IPM-6007-891124-089570784

Mark, and the operations guys because I know Mark will be away until monday.

I have a hacker here who a couple of nights ago made several calls to system 41.
Last night, I had hacking attempts from this address:
031103010025341 which I am presuming is an outgoing address for system 41.  It
may not be, in which case please ignore this message.
  The calls would have been to 5053200001 or 505211114995 and were
at 0649 on the 23/nov your time.  You might want to check to see if that account
has been hacked, I'd say that it has been.  I know that the guy is Australian.

If you find it to be hacked, could you please give me some details about
his calling address etc, so that I may look around my systems further for
possible hacks.

Thanks,
Michael Rosenberg.
OTC Australia.


     To:  M.AUSCHWITZ   (MONICA)
     Cc:  M.HULBERT   (MARK)
     Cc:  R.RUSSIN   (ROBERT)
     Cc:  T.SCHUYLER   (TOMS)
     Bc:  MICHAELR (6007:MICHAELR)
   From:  R.RUSSIN  (ROBERT) Delivered:  Tue  28-Nov-89  4:38  Sys 198  (18)
Subject:  HACKED Accounts on System 41
Mail Id:  IPM-198-891127-113090211

     Monica,
            Here are the ufd's we spoke about. Please have the passwords
on them changed asap. I also have the nusage access online if you want
to look at it as well.
	
ATN037 , EPI059 , EPI062 , EPI102 , EPI171 , EPI172 , EPI192 , PPX072 ,
TCN149 , TCN1608 , TCN266 , TCN3058 and UGA011.

The ufd TCN4019 was the first account penetrated and was where the launch
took place to get access to the other accounts. The incoming address for
TCN4019 was 505236189937 and 5053200001 which are both Australia DNIC's.

It looks like the FORCE is back.

The access started on November 20th and went through the 26th. Nothing
yet today so far.

Robert


     To:  MICHAELR (6007:MICHAELR)
   From:  M.HULBERT  (MARK)  Delivered:  Mon  27-Nov-89  5:39  Sys 198  (31)
Subject:  Reply to:  possible hacker
Mail Id:  IPM-198-891126-122830523
In Reply To:  IPM-6007-891124-089570784

I have the note and will follow up on it today.

The address calling your system 031103010025341
is in fact our system 41. Good catch.

Thanks Mike.

Mark

   From:  M.ROSENBERG  (MICHAELR) Delivered:  Thu  23-Nov-89  17:56 EST Sys 6007
     To:  M.HULBERT  (MARK)
Subject:  possible hacker
Mail Id:  IPM-6007-891124-089570784

Mark, and the operations guys because I know Mark will be away until monday.

I have a hacker here who a couple of nights ago made several calls to system 41.
Last night, I had hacking attempts from this address:
031103010025341 which I am presuming is an outgoing address for system 41.  It
may not be, in which case please ignore this message.
  The calls would have been to 5053200001 or 505211114995 and were
at 0649 on the 23/nov your time.  You might want to check to see if that account
has been hacked, I'd say that it has been.  I know that the guy is Australian.

If you find it to be hacked, could you please give me some details about
his calling address etc, so that I may look around my systems further for
possible hacks.

Thanks,
Michael Rosenberg.
OTC Australia.


     To:  MICHAELR (6007:MICHAELR)
     Cc:  M.HULBERT   (MARK)
   From:  R.RUSSIN  (ROBERT) Delivered:  Fri  27-Jan-89  1:40  Sys 198  (241)
Subject:  Reply to:  Reply to:  Reply to:  Tracking NUA's on systems.
Mail Id:  IPM-198-890126-086660371
In Reply To:  IPM-6007-890125-183020001

Yes I do work for Mark Hulbert and have been with Dialcom for almost nine years
now. Mark gave me your name as a contact for OTC Security and I wanted to include
you in on everything in this area.

I will keep you posted on the progress of the Committee membership and appreciate
all your feedback.

Robert

   From:  M.ROSENBERG  (MICHAELR) Delivered:  Wed  25-Jan-89  20:20 EST Sys 6007
     To:  R.RUSSIN  (ROBERT)
Subject:  Reply to:  Reply to:  Tracking NUA's on systems.
Mail Id:  IPM-6007-890125-183020001

Robert,
      I haven't heard of you before this message but imagine you work
with Mark on at least security issues.
      I would encourage a licensee-wide security network whole
heartedly..

     It is my concerted opinion that THE FORCE was responsible for the
$500,000 Citibank fraud 2 weeks ago.  I am trying to cut through the
Red Tape and talk to my contact in Telecom Aust detective services who
should be involved with this crime as he has been trying to catch
the force for international telephone fraud for quite some time.

     Force doesn't worry my system any more since he has found it easier
to go directly to the US by Telenet Dialup..

Look forward to hearing more from you about this,
  Michael.

   From:  R.RUSSIN  (ROBERT) Delivered:  Thu  26-Jan-89  3:42  Sys 198
     To:  M.ROSENBERG  (MICHAELR)
Subject:  Reply to:  Tracking NUA's on systems.
Mail Id:  IPM-198-890125-104830689
In Reply To:  IPM-10080-890125-095210001

I will look into this and let you know what I find out.

I'm replying back to your message to both yourself and Michael Rosenberg
with OTC in Australia for his FYI as well.

I have some good news about NUSAGE that I found out about which
will help you in your investigating. I will load in the phantom
file I run and also the como output file it creates. I run this
on all our commercial systems each week and review it. The
network addresses being checked are the ones that have been used
by hackers. The option that I have now started using will report
two network addresses if the user is netlinked out from our/your
host system. The first one is the address where the user is coming
in from and the second is where the user is netlinking out to.

I need both of your help in developing and participating in a Dialcom
Licensees' Security Board to establish contacts with all our
Licensees to pass hacker information and any other helpful tips
around to each other. This will require that a distribution list be created to
contain all representatives from each Licensee. I only have you (BT) and
Michael (OTC) so far as contacts. We could then use this list to circulate
information and keep well abreast of the international community's problems
with hackers and helpful tips learned. It would also serve as a means
to get better acquainted with our Licensees and provide support and guidance
on problem solving in the area of system security. It may even help some
in other areas as well.

What I have done over here was establish the account on 98:SECURITY for reporting
suspicious activity from the field. I received positive results from this and
it has been a very helpful tool for me and also the field as having a focal point
for escalating problems. I sign onto this account every day and check for incoming
mail. It was easier for people to remember the ufd SECURITY than my account 98:ROBERT
when it came to reporting problems. I announced this to the field and it has become
standard for Dialcom US.

This same account could be established at each licensee's site on their designated
system and reviewed by their system security officer as well.

How do you both feel about this?


Anyway here is some information to pass along to you for now.

Robert Russin

I discovered the account 50:SIE147 was penetrated and checked
the addresses and found out the following:

INCOMING ADDRESSES
------------------
311080500018       Santa Barbara California
311050100016       Little Rock Arkansas
311020600018       Seattle Washington
311020500018       Birmingham Alabama

OUTGOING ADDRESSES
------------------
26245400050233    Germany
23422351919169    UK
900041            System 41 Dialcom US
311022300096      TYMNET Accounting System
425130000215      Israel
23422020010700    UK
30293800354       Canada
23422351919169    UK

The hacker is "The Force" again.

The following is the input stream to run as a phantom and the output
como file it creates.

COMO BERT
DATE
SYS
NUSAGE -U ? -D 01/04-01/16 -NET 311020500018&311080500018&311030100253&
311061500013&505222389941&4542000206&2222631060&31106170010301 &
-NOMIN -I NA DA TI CON NET VNET BAUD ISG VISC -VOUT
NUSAGE -U ? -D 01/04-01/16 -NET 311050100016&311020600018&26245400050&
2342235&311022300&425130000&30293800 &
-NOMIN -I NA DA TI CON NET VNET BAUD ISG VISC -VOUT
COMO -E

>DATE

Tuesday, January 17, 1989 12:28:29 AM EST

>SYS

<S50-0>OPER  on system 50

>NUSAGE -U ? -D 01/04-01/16 -NET 311020500018&311080500018&311030100253&
NUSAGE 4.0b
More>311061500013&505222389941&4542000206&2222631060&31106170010301 &
More>-NOMIN -I NA DA TI CON NET VNET BAUD ISG VISC -VOUT


User Name     Date Time  Net Addr          VC Net Adr        Baud  GW   Col  Con Hrs  
	
SIE147        06  10:25  31108050001802    26245400050233    1200   -   NC      0:22  
SIE147        06  10:26  31108050001802    425130000215      1200   -   NC      0:00  
SIE147        06  10:27  31108050001802    311022300002      1200   -   NC      0:01  
SIE147        06  10:29  31108050001802    311022300002      1200   -   NC      0:01  
SIE147        06  10:32  31108050001802    311022300010      1200   -   NC      0:00  
SIE147        06  10:34  31108050001802    311022300019      1200   -   NC      0:00  
SIE147        06  10:35  31108050001802    311022300096      1200   -   NC      0:01  
SIE147        06  10:36  31108050001802    900041            1200   -   NC      0:02  
SIE147        06  10:38  31108050001802    425130000215      1200   -   NC      0:03  
SIE147        06  10:50  31108050001805    26245400050233    1200   -   NC      0:02  
SIE147        06  11:15  31108050001805    26245400050233    1200   -   NC      0:20  
SIE147        06  11:20  31108050001805    425130000215      1200   -   NC      0:02  
SIE147        06  11:23  31108050001805    26245400050233    1200   -   NC      0:00  
SIE147        06  11:23  31108050001805    23422351919169    1200   -   NC      0:00  
SIE147        06  11:24  31108050001805    23422020010700    1200   -   NC      0:00  
SIE147        06  11:26  31108050001805    23422020010700    1200   -   NC      0:01  
SIE147        06  11:27  31108050001805    23422020010700    1200   -   NC      0:02  
SIE147        06                                                                0:57  
SIE147        13   6:36  31108050001801    26245400050233    1200   -   NC      0:05  
SIE147                                                                          1:03  
                                                                                1:03  



>NUSAGE -U ? -D 01/04-01/16 -NET 311050100016&311020600018&26245400050&
NUSAGE 4.0b
More>2342235&311022300&425130000&30293800 &
More>-NOMIN -I NA DA TI CON NET VNET BAUD ISG VISC -VOUT


User Name     Date Time  Net Addr          VC Net Adr        Baud  GW   Col  Con Hrs  

NGM0910       11  11:53  31105010001603    90010789          2400   -   COL     0:11  
SIE147        04   0:42  31105010001601    311022300096      2400   -   NC      0:00  
SIE147        04   0:43  31105010001601    311022300094      2400   -   NC      0:00  
SIE147        04   0:43  31105010001601    311022300095      2400   -   NC      0:02  
SIE147        04   0:44  31105010001601    311022300103      2400   -   NC      0:00  
SIE147        04   0:45  31105010001601    311022300103      2400   -   NC      0:00  
SIE147        04   0:46  31105010001601    31102230009202    2400   -   NC      0:00  
SIE147        04   0:47  31105010001601    31102230009203    2400   -   NC      0:00  
SIE147        04   0:47  31105010001601    31102230009210    2400   -   NC      0:00  
SIE147        04   0:47  31105010001601    31102230009211    2400   -   NC      0:00  
SIE147        04   0:48  31105010001601    31102230009212    2400   -   NC      0:00  
SIE147        04   0:48  31105010001601    31102230009209    2400   -   NC      0:00  
SIE147        04   0:49  31105010001601    31102230009208    2400   -   NC      0:01  
SIE147        04   0:51  31105010001601    26245400050233    2400   -   NC      0:01  
SIE147        04   0:52  31105010001601    31102230009201    2400   -   NC      0:00  
SIE147        04   0:53  31105010001601    31102230009202    2400   -   NC      0:00  
SIE147        04   0:54  31105010001601    311022300096      2400   -   NC      0:00  
SIE147        04   0:54  31105010001601    311022300094      2400   -   NC      0:00  
SIE147        04   0:54  31105010001601    31102230009201    2400   -   NC      0:00  
SIE147        04   0:55  31105010001601    311022300179      2400   -   NC      0:01  
SIE147        04   0:55  31105010001601    31102230017901    2400   -   NC      0:01  
SIE147        04   0:55  31105010001601    31102230017901    2400   -   NC      0:00  
SIE147        04   0:55  31105010001601    31102230017901    2400   -   NC      0:00  
SIE147        04   0:56  31105010001601    31102230017701    2400   -   NC      0:02  
SIE147        04   0:56  31105010001601    31102230017701    2400   -   NC      0:02  
SIE147        04   0:58  31105010001601    311022300103      2400   -   NC      0:00  
SIE147        04   0:59  31105010001601    31102230050001    2400   -   NC      0:01  
SIE147        04   0:59  31105010001601    31102230050001    2400   -   NC      0:01  
SIE147        04   1:00  31105010001601    31102230019302    2400   -   NC      0:00  
SIE147        04   1:01  31105010001601    311022300188      2400   -   NC      0:01  
SIE147        04   1:01  31105010001601    31102230018801    2400   -   NC      0:00  
SIE147        04   1:01  31105010001601    31102230018801    2400   -   NC      0:00  
SIE147        04   1:02  31105010001601    31102230009201    2400   -   NC      0:00  
SIE147        04   1:03  31105010001601    311022300050      2400   -   NC      0:00  
SIE147        04   1:04  31105010001601    31102230004901    2400   -   NC      0:00  
SIE147        04   1:04  31105010001601    31102230004901    2400   -   NC      0:04  
SIE147        04   1:09  31105010001601    311022300096      2400   -   NC      0:00  
SIE147        04   1:09  31105010001601    31102230009201    2400   -   NC      0:00  
SIE147        04   1:10  31105010001601    31102230009202    2400   -   NC      0:03  
SIE147        04   1:12  31105010001601    31102230009201    2400   -   NC      0:00  
SIE147        04   1:14  31105010001601    311022300047      2400   -   NC      0:09  
SIE147        04   1:23  31105010001601    31102230004703    2400   -   NC      0:00  
SIE147        04   1:24  31105010001601    31102230004703    2400   -   NC      0:02  
SIE147        04   1:26  31105010001601    311022300096      2400   -   NC      0:01  
SIE147        04   1:26  31105010001601    31102230009201    2400   -   NC      0:00  
SIE147        04   1:27  31105010001601    31102230004706    2400   -   NC      0:02  
SIE147        04   1:32  31105010001601    311022300096      2400   -   NC      0:01  
SIE147        04   1:36  31105010001601    311022300096      2400   -   NC      0:00  
SIE147        04                                                                0:42  
                                                                                0:53  


	
>COMO -E

   From:  V.LUNDBERG  (BTG072) Delivered:  Wed  25-Jan-89  10:34 EST Sys 10080
     To:  R.RUSSIN  (ROBERT)
Subject:  Tracking NUA's on systems.
Mail Id:  IPM-10080-890125-095210001
	

Robert,

 I have been talking with our networks team about a specific
NUA and tracking of access over this NUA, and we have a need
to track access AS IT HAPPENS as opposed to using NUSAGE to
track access AFTER it has happened.  Do you know of any way
we can track the access over the NUA as it happens, is there
anything we can setup that will send a system alarm in some
shape or form when any user accesses over this specific NUA.

Your thoughts would be greatly  appreciated on this one.
Cheers, Vicky.

	
     To:  BTG072 (10080:BTG072)
     To:  MICHAELR (6007:MICHAELR)
     Cc:  M.HULBERT   (MARK)
     Cc:  R.RUSSIN   (ROBERT)
   From:  R.RUSSIN  (ROBERT) Delivered:  Thu  26-Jan-89  3:42  Sys 198  (203)
Subject:  Reply to:  Tracking NUA's on systems.
Mail Id:  IPM-198-890125-104830689
In Reply To:  IPM-10080-890125-095210001

I will look into this and let you know what I find out.

I'm replying back to your message to both yourself and Michael Rosenberg
with OTC in Australia for his FYI as well.

I have some good news about NUSAGE that I found out about which
will help you in your investigating. I will load in the phantom
file I run and also the como output file it creates. I run this
on all our commercial systems each week and review it. The
network addresses being checked are the ones that have been used
by hackers. The option that I have now started using will report
two network addresses if the user is netlinked out from our/your
host system. The first one is the address where the user is coming
in from and the second is where the user is netlinking out to.

I need both of your help in developing and participating in a Dialcom
Licensees' Security Board to establish contacts with all our
Licensees to pass hacker information and any other helpful tips
around to each other. This will require that a distribution list be created to
contain all representatives from each Licensee. I only have you (BT) and
Michael (OTC) so far as contacts. We could then use this list to circulate
information and keep well abreast of the international community's problems
with hackers and helpful tips learned. It would also serve as a means
to get better acquainted with our Licensees and provide support and guidance
on problem solving in the area of system security. It may even help some
in other areas as well.

What I have done over here was establish the account on 98:SECURITY for reporting
suspicious activity from the field. I received positive results from this and
it has been a very helpful tool for me and also the field as having a focal point
for escalating problems. I sign onto this account every day and check for incoming
mail. It was easier for people to remember the ufd SECURITY than my account 98:ROBERT
when it came to reporting problems. I announced this to the field and it has become
standard for Dialcom US.

This same account could be established at each licensee's site on their designated
system and reviewed by their system security officer as well.

How do you both feel about this?


Anyway here is some information to pass along to you for now.

Robert Russin

I discovered the account 50:SIE147 was penetrated and checked
the addresses and found out the following:

INCOMING ADDRESSES
------------------
311080500018       Santa Barbara California
311050100016       Little Rock Arkansas
311020600018       Seattle Washington
311020500018       Birmingham Alabama

OUTGOING ADDRESSES
------------------
26245400050233    Germany
23422351919169    UK
900041            System 41 Dialcom US
311022300096      TYMNET Accounting System
425130000215      Israel
23422020010700    UK
30293800354       Canada
23422351919169    UK

The hacker is "The Force" again.

The following is the input stream to run as a phantom and the output
como file it creates.

COMO BERT
DATE
SYS
NUSAGE -U ? -D 01/04-01/16 -NET 311020500018&311080500018&311030100253&
311061500013&505222389941&4542000206&2222631060&31106170010301 &
-NOMIN -I NA DA TI CON NET VNET BAUD ISG VISC -VOUT
NUSAGE -U ? -D 01/04-01/16 -NET 311050100016&311020600018&26245400050&
2342235&311022300&425130000&30293800 &
-NOMIN -I NA DA TI CON NET VNET BAUD ISG VISC -VOUT
COMO -E

>DATE

Tuesday, January 17, 1989 12:28:29 AM EST

>SYS

<S50-0>OPER  on system 50

>NUSAGE -U ? -D 01/04-01/16 -NET 311020500018&311080500018&311030100253&
NUSAGE 4.0b
More>311061500013&505222389941&4542000206&2222631060&31106170010301 &
More>-NOMIN -I NA DA TI CON NET VNET BAUD ISG VISC -VOUT


User Name     Date Time  Net Addr          VC Net Adr        Baud  GW   Col  Con Hrs  

SIE147        06  10:25  31108050001802    26245400050233    1200   -   NC      0:22  
SIE147        06  10:26  31108050001802    425130000215      1200   -   NC      0:00  
SIE147        06  10:27  31108050001802    311022300002      1200   -   NC      0:01  
SIE147        06  10:29  31108050001802    311022300002      1200   -   NC      0:01  
SIE147        06  10:32  31108050001802    311022300010      1200   -   NC      0:00  
SIE147        06  10:34  31108050001802    311022300019      1200   -   NC      0:00  
SIE147        06  10:35  31108050001802    311022300096      1200   -   NC      0:01  
SIE147        06  10:36  31108050001802    900041            1200   -   NC      0:02  
SIE147        06  10:38  31108050001802    425130000215      1200   -   NC      0:03  
SIE147        06  10:50  31108050001805    26245400050233    1200   -   NC      0:02  
SIE147        06  11:15  31108050001805    26245400050233    1200   -   NC      0:20  
SIE147        06  11:20  31108050001805    425130000215      1200   -   NC      0:02  
SIE147        06  11:23  31108050001805    26245400050233    1200   -   NC      0:00  
SIE147        06  11:23  31108050001805    23422351919169    1200   -   NC      0:00  
SIE147        06  11:24  31108050001805    23422020010700    1200   -   NC      0:00  
SIE147        06  11:26  31108050001805    23422020010700    1200   -   NC      0:01  
SIE147        06  11:27  31108050001805    23422020010700    1200   -   NC      0:02  
SIE147        06                                                                0:57  
SIE147        13   6:36  31108050001801    26245400050233    1200   -   NC      0:05  
SIE147                                                                          1:03  
                                                                                1:03  



>NUSAGE -U ? -D 01/04-01/16 -NET 311050100016&311020600018&26245400050&
NUSAGE 4.0b
More>2342235&311022300&425130000&30293800 &
More>-NOMIN -I NA DA TI CON NET VNET BAUD ISG VISC -VOUT


User Name     Date Time  Net Addr          VC Net Adr        Baud  GW   Col  Con Hrs  

NGM0910       11  11:53  31105010001603    90010789          2400   -   COL     0:11  
SIE147        04   0:42  31105010001601    311022300096      2400   -   NC      0:00  
SIE147        04   0:43  31105010001601    311022300094      2400   -   NC      0:00  
SIE147        04   0:43  31105010001601    311022300095      2400   -   NC      0:02  
SIE147        04   0:44  31105010001601    311022300103      2400   -   NC      0:00  
SIE147        04   0:45  31105010001601    311022300103      2400   -   NC      0:00  
SIE147        04   0:46  31105010001601    31102230009202    2400   -   NC      0:00  
SIE147        04   0:47  31105010001601    31102230009203    2400   -   NC      0:00  
SIE147        04   0:47  31105010001601    31102230009210    2400   -   NC      0:00  
SIE147        04   0:47  31105010001601    31102230009211    2400   -   NC      0:00  
SIE147        04   0:48  31105010001601    31102230009212    2400   -   NC      0:00  
SIE147        04   0:48  31105010001601    31102230009209    2400   -   NC      0:00  
SIE147        04   0:49  31105010001601    31102230009208    2400   -   NC      0:01  
SIE147        04   0:51  31105010001601    26245400050233    2400   -   NC      0:01  
SIE147        04   0:52  31105010001601    31102230009201    2400   -   NC      0:00  
SIE147        04   0:53  31105010001601    31102230009202    2400   -   NC      0:00  
SIE147        04   0:54  31105010001601    311022300096      2400   -   NC      0:00  
SIE147        04   0:54  31105010001601    311022300094      2400   -   NC      0:00  
SIE147        04   0:54  31105010001601    31102230009201    2400   -   NC      0:00  
SIE147        04   0:55  31105010001601    311022300179      2400   -   NC      0:01  
SIE147        04   0:55  31105010001601    31102230017901    2400   -   NC      0:01  
SIE147        04   0:55  31105010001601    31102230017901    2400   -   NC      0:00  
SIE147        04   0:55  31105010001601    31102230017901    2400   -   NC      0:00  
SIE147        04   0:56  31105010001601    31102230017701    2400   -   NC      0:02  
SIE147        04   0:56  31105010001601    31102230017701    2400   -   NC      0:02  
SIE147        04   0:58  31105010001601    311022300103      2400   -   NC      0:00  
SIE147        04   0:59  31105010001601    31102230050001    2400   -   NC      0:01  
SIE147        04   0:59  31105010001601    31102230050001    2400   -   NC      0:01  
SIE147        04   1:00  31105010001601    31102230019302    2400   -   NC      0:00  
SIE147        04   1:01  31105010001601    311022300188      2400   -   NC      0:01  
SIE147        04   1:01  31105010001601    31102230018801    2400   -   NC      0:00  
SIE147        04   1:01  31105010001601    31102230018801    2400   -   NC      0:00  
SIE147        04   1:02  31105010001601    31102230009201    2400   -   NC      0:00  
SIE147        04   1:03  31105010001601    311022300050      2400   -   NC      0:00  
SIE147        04   1:04  31105010001601    31102230004901    2400   -   NC      0:00  
SIE147        04   1:04  31105010001601    31102230004901    2400   -   NC      0:04  
SIE147        04   1:09  31105010001601    311022300096      2400   -   NC      0:00  
SIE147        04   1:09  31105010001601    31102230009201    2400   -   NC      0:00  
SIE147        04   1:10  31105010001601    31102230009202    2400   -   NC      0:03  
SIE147        04   1:12  31105010001601    31102230009201    2400   -   NC      0:00  
SIE147        04   1:14  31105010001601    311022300047      2400   -   NC      0:09  
SIE147        04   1:23  31105010001601    31102230004703    2400   -   NC      0:00  
SIE147        04   1:24  31105010001601    31102230004703    2400   -   NC      0:02  
SIE147        04   1:26  31105010001601    311022300096      2400   -   NC      0:01  
SIE147        04   1:26  31105010001601    31102230009201    2400   -   NC      0:00  
	SIE147        04   1:27  31105010001601    31102230004706    2400   -   NC      0:02  
SIE147        04   1:32  31105010001601    311022300096      2400   -   NC      0:01  
SIE147        04   1:36  31105010001601    311022300096      2400   -   NC      0:00  
SIE147        04                                                                0:42  
                                                                                0:53  
	


>COMO -E

   From:  V.LUNDBERG  (BTG072) Delivered:  Wed  25-Jan-89  10:34 EST Sys 10080
     To:  R.RUSSIN  (ROBERT)
Subject:  Tracking NUA's on systems.
Mail Id:  IPM-10080-890125-095210001


Robert,

 I have been talking with our networks team about a specific
NUA and tracking of access over this NUA, and we have a need
to track access AS IT HAPPENS as opposed to using NUSAGE to
track access AFTER it has happened.  Do you know of any way
we can track the access over the NUA as it happens?  Is there
anything we can set up that will send a system alarm in some
shape or form when any user accesses over this specific NUA?

Your thoughts would be greatly appreciated on this one.
Cheers, Vicky.


     To:  JOEA (198:JOEA)
     Cc:  DM (198:DM)
     Cc:  MARK (198:MARK)
     Bc:  MICHAELR 
   From:  C.HAPANGAMA  (OTC264) Delivered:  Fri  25-Mar-88  15:39 AEST Sys 6008  (44)
Subject:  Hacker threat to Keylink-Dialcom.
Mail Id:  IPM-6008-880325-140990869

Mr. Joe Antonellis
Division Vice President,
Dialcom International.

           ANALYSIS OF HACKER'S THREAT TO KEYLINK-D
           ----------------------------------------

   On the 25th March 1988, 11:45 AEST, Mr J. Antonellis of Dialcom
was advised that OTC had received a threat from a hacker.
   This message is to formally advise Dialcom of the nature of the
threat, in which the hacker claimed:

1) The hacker claims to have access to about 100 Dialcom accounts on BT GOLD,
PRIMECOM, TELEBOX, GOLDNET etc.

2) The hacker intends using these accounts to send thousands of mail
messages to all of the customer accounts on our systems of which he is
aware, and which OTC believes is quite extensive.
  The hacker threatens to do this for as many weeks as required
until OTC succumbs and delivers the hacker six free mailboxes.

3) The hacker claims to have access to other PRIMEs and VAXs which he can
program to do this feat without his intervention, which we believe.
   The hacker accesses the OTC Dialcom system by using Austpac dial-up
and, less frequently, from OTC Data Access dial-up.  The hacker uses a common
NUI which is used for access by all our dial-up customers.
   This message was sent to OTC from 157:AGS325 at 22:13 3/24/88 AEST, which we
believe has been hacked.

  OTC and Telecom (Aust.) are reviewing this situation and expect
to further advise Dialcom Inc. of our intentions by Monday 3/28/88.

   Please note these contacts in OTC re this situation:

Legal      : Ros Robertson     Aust  2-287 5204 6008:OTC383
System     : Channa Hapangama        2-287 5857 6008:OTC264
Commercial : David Brawn             2-287 5960 6008:OTC033
             Gary Donald             2-287 5990 6008:OTC003
Facsimile  :                         2-287 4435


Channa Hapangama
Technical Support Manager, Value Added Business.
OTC


     To:  MICHAELR (6008:MICHAELR)
   From:  CA-EXT-DIR  (AGS325) Delivered:  Thu  24-Mar-88  22:13  Sys 157  (76)
Subject:  HACKING MINERVA
Mail Id:  IPM-157-880324-199990001

Hello Michael, it is time we had chat.

First of all, let me introduce myself.  I am Force, a long time hacker
of your Dialcom system, since about 1984.
The reason for this message is to get you to set up some mailboxes on
Keylink for me.  Say RLM001 FORCER, or HCK001 FORCER if the first is taken.

I figure, why go on hacking users' accounts, which I am sure cause them and
you a lot of problems.  This is a simple solution.  If I had some mailboxes,
there would be no need to have my team scanning your accounts all the time.
In any case it would remove a lot of your security problems, since there is
only me and the Electron.  We are the only two serious hackers as far as
Minerva goes.  I guess he is your problem, since I don't like him much
either.  (Oh, don't forget his sidekick THE POWERSPIKE.  He's rather useless
if you would ask me).
OH YES, WITH THE RLM001 please set up 5 other accounts in the series for
possible later use.
Hacking Minerva for over 4 years, one accumulates a lot of knowledge,
and I know tricks you probably haven't thought of.  You see, because of
your recent updates in security, it is becoming a pain to scan for 4-5 hrs
to get an account which might last only that long, and then have NETLINK
barred for life, so I thought that was a nice alternative.
Here is what you will get in exchange:
1 - I will not hack any more real user accounts.
2 - There will be no scanning of accounts.
3 - And most importantly, your system will live.

Let me expand on #3.  You see, I pride myself on the fact that I have never
caused any damage to the system, or to the users' data.  Only the use of
NETLINK, and the use of disused accounts to set up a few trojans like the
one which Mr CURTIS of sys 08 helped me out with.  I would like to keep
it that way, but really you have carried the security a little bit too
far, and some retaliation may be in order.
There are a number of things one can do.  I will tell you about one, so that
if you decide to take precautions against one (if possible) I will still
have the other options open.

I have access to close to 100 accounts on Dialcoms all over the world.

BT GOLD, PRIMECON, TELEBOX, GOLDNET etc., you name it.  I also have a number
of VAXs which can be programmed to control these accounts 24 hrs a day,
7 days a week.  Imagine this....

One day you log on to your system, and find you have some mail.
Suddenly, to your surprise, you find that you have 1000 duplicate copies
of the same useless message, from all parts of the globe.
Suddenly, the phones at OTC start to ring like crazy from users, who
each have about 5000+ copies of the same message.
You delete it and contact the other Dialcoms to kill the accounts.
You think the problem is gone, but the next day new duplicates of the
same message are back.
Well, with about 100 Dialcoms to choose from it could be kept up for
weeks, making your system useless as far as mail goes.
Think about it...  The only alternative is to restrict the mail to only about
5 per user coming from outside, or bar international mail altogether.
Frightening thought, isn't it.  The good thing is that I can get a system
such as a VAX or another Prime to control all this for me, rather
randomly more or less.
This is just one of the things that can be done.  Think about it.
Please contact me on RLM001, or mail back to here, but the real user
may intercept it first, in which case... hmmm, I guess I will mail you
again, and possibly send a few duplicates to make sure the message gets
through.

HAVE A NICE DAY.

Oh yes, next time you break in for a chat on Keylink, please hang around
for a while.  I am sure we could find some interesting things to talk about.
Here it is again: RLM001-RLM006 passwd FORCER


     Fo:  MICHAELR 
   From:  AFV001             Delivered:  Mon  10-Oct-88  13:06 AEST Sys 6007  (64)
Subject:  SYSTEM SECURITY
Mail Id:  IPM-6007-881010-118010370


   From:  HQ.RBLAC3  (UDP081) Delivered:  Sat  8-Oct-88  19:30  Sys 141
     To:  AFV001
Subject:  SYSTEM SECURITY
Mail Id:  IPM-141-881008-175500001

Dear Sir,

I am writing this letter to all Minerva and Keylink users, to inform you about
the practices which have been occurring quite recently, and which concern me
very much.   I have always been under the impression that Keylink had some
integrity, and was a secure system to use, but have found otherwise.

Minerva and Keylink operators have the capability to monitor all use of the
system, which gives them access to your private mail, online files and
any information you gain through the use of the NETLINK facility.

Two people I know make regular use of this facility, to call a Unix system
in Germany.  Both of their accounts have been violated by the operator(s)
of Keylink.

 - THEY HAVE STOLEN PRIVATE INFORMATION WHICH MAY HAVE BEEN STORED THERE.
 - THEY HAVE GAINED FREE USE OF THE FACILITIES, EVEN THOUGH NOT AUTHORISED
   TO LEGALLY ACCESS IT.
 - THEY HAVE IMPERSONATED THE REAL OWNERS OF THE ACCOUNTS, TO OBTAIN FURTHER
   INFORMATION FROM OTHER PEOPLE, AND TO DISCREDIT THEM BY ABUSING OTHER
   USERS UNDER THEIR ACCOUNTS.

There is proof beyond any shadow of a doubt that this took place, and there
are several witnesses, who have seen this happen and even seen the person(s)
involved admit to it.  Under Victorian hacking laws, they would be liable for
up to $100000 and a maximum of ten years' imprisonment. I am sure the German
and other Australian States would have such laws, which I am not familiar
with at this time.

The person in question is an OTC employee called MICHAEL ROSENBERG, who
currently still works as a person involved in, or in charge of, the system
security. It's all rather ironical.

Their excuse is that it is being done to protect the integrity of the system
and its users, but I consider this to be inexcusable behaviour, not justified
by any reasons.  In principle, they are worse than the hackers they are trying
to protect the system from.  The only difference is that they can abuse their
ability to monitor the system activity and capture any information and
accounts the users type.

This is to let you know what sort of thing goes on quite frequently and is
tolerated on the Keylink and Minerva network. I will not let the matter rest
here, and the media will be informed about their actions.

From what I have been told, this thing is not restricted to Keylink, since
the same people have got access to the entire MIDAS (now called OTC DATA
ACCESS) network. I have also spoken to AUSTPAC representatives, and they have
informed me that all of their data traffic bound for
overseas is sent out through the OTC network, which in my view leaves all
data coming from Austpac open to abuse as well.

AS FOR MYSELF, I NO LONGER USE KEYLINK, BUT ITS EQUIVALENT IN THE UNITED
STATES. I ASSUME THEY WILL TRY TO STOP THIS MESSAGE REACHING YOU, OR DENY
ALL THE DETAILS, BUT PLEASE I URGE YOU TO CONSIDER THE IMPLICATION AND TAKE
THE APPROPRIATE MEASURES, TO PREVENT THIS SORT OF THING HAPPENING.

Yours Faithfully
          Very Mad X-Keylink User


     To:  MARK (198:MARK)
     To:  ROBERT (198:ROBERT)
   From:  MIKE.ROSENBERG  (MICHAELR) Delivered:  Thu  8-Feb-90  10:35 AEDT Sys 6007  (21)
Subject:  Activity from Australia on System 41
Mail Id:  IPM-6007-900208-095270350

Dear Robert/Mark, assuming that you are both still employed by Dialcom....

  Our packet switch guys have informed me of much activity to system 41
over the last few days.

  I suggest you look for accesses from 505234289983 on:

2/7 0135 to 1811 UTC for a start.

Check for other accesses during Feb. of course, but you should find accesses
on at least the 2nd and 6th as well.

Would you also check an access from 505291989999 on 2/7 11:00 UTC please.  It
was only 4 minutes long so it is probably OK.

This suspect NUI is not going to be blacklisted by OTC because furtive
investigations are under way into his activities.

Hear from you shortly,
Regards,
Michael.


     To:  DM (198:DM)
     Cc:  MARK (198:MARK)
     Cc:  ROBERT (198:ROBERT)
     Cc:  S.BERLECKY   (STEVEB)
   From:  M.ROSENBERG  (MICHAELR) Delivered:  Mon  12-Mar-90  14:54 AEST Sys 6007  (97)
Subject:  Reply to:  Reply to:  Hacker
Mail Id:  IPM-6007-900312-134220906
In Reply To:  IPM-198-900309-155230700

Dave,
    I have asked around OTC for how to help you.  Apparently OTC is still
bound by legislation which prohibits it giving out trace information to any
one except the customer to whom the info belongs.  This is being changed,
but cannot be changed until after our federal election on March 24.
  In any case, as far as official channels go, it would be better to speak
to the Australian Federal Police, who are investigating Phoenix and Electron
at the moment.  I believe that they know the identities of both these guys (
even I know who Electron is).

  Try calling Superintendent Ken Hunt,
              Currency Branch, AFP
              Melbourne.
              Phone is +61 3 607 7777

  Melbourne has a public holiday today, so I couldn't call him to open the way
for you, but when you call him, you can mention that Brian Travis of OTC
gave you his number, through me.  The super can call Brian about it if he sees
the need.

  Let me know if you have trouble, and please let me know if you have success,
as I'd like to keep track of as much as legally possible and/or practical.

Hope this helps,
Mike.

   From:  D.MCDONELL  (DM)   Delivered:  Sat  10-Mar-90  8:18  Sys 198
     To:  M.ROSENBERG  (MICHAELR)
Subject:  Reply to:  Hacker
Mail Id:  IPM-198-900309-155230700

Steve, please see Mark's comments below.  Is there an official
channel (network security types) on your domestic network side
that can be used to take formal action against this hacker?
Can you facilitate for us?

Thanks,
--Dave

   From:  M.HULBERT  (MARK)  Delivered:  Fri  9-Mar-90  12:23 EST Sys 198
     To:  D.MCDONELL  (DM)
Subject:  Reply to:  Hacker
Mail Id:  IPM-198-900309-111480354
In Reply To:  IPM-198-900309-084961263

I need alternative, official channels. We need to make some
provisions for tracing etc which will require some "official
blessings."

Don't take me wrong, Mike has been an excellent asset but
we need to see if we might identify this hacker and
arrange for some apprehension if plausible.

Mark

   From:  D.MCDONELL  (DM)   Delivered:  Fri  9-Mar-90  9:26 EST Sys 198
Forward:  M.HULBERT  (MARK)
Subject:  Hacker
Mail Id:  IPM-198-900309-084961263

Mark, do you want to continue going through Michael Rosenberg of OTC Dialcom,
or would you prefer alternative, official channels?

   From:  M.ROSENBERG  (MICHAELR) Delivered:  Fri  9-Mar-90  2:03 EST Sys 6007
Forward:  D.MCDONELL  (DM)
Subject:  Hacker
Mail Id:  IPM-6007-900309-153371098

Dave,
   I have been helping Robert and Mark with tracing NUA's and in all
cases the NUI has been hacked and the customer name is useless.  It would
be much simpler if you could go through me because I should be able to get
it all done through some channels.  More effort would be req'd to set up
official channels.
Let me know if this is ok.
Mike

   From:  S.BERLECKY  (STEVEB) Delivered:  Fri  9-Mar-90  14:13 AEST Sys 6007
Forward:  M.ROSENBERG  (MICHAELR)
Subject:  Hacker
Mail Id:  IPM-6007-900309-128050426


   From:  D.MCDONELL  (DM)   Delivered:  Fri  9-Mar-90  3:21  Sys 198
     To:  S.BERLECKY  (STEVEB)
Subject:  Hacker
Mail Id:  IPM-198-900308-111400742

Steve, our security team needs assistance in tracking
a hacker who is giving us a lot of problems over here.
Can you advise a contact in your domestic networks side
that could aid us in identifying this Australian user?

Any tips you can provide are appreciated.

Thanks,
--Dave


     To:  ROBERT (198:ROBERT)
   From:  M.ROSENBERG  (MICHAELR) Delivered:  Tue  13-Mar-90  17:48 AEST Sys 6007  (140)
Subject:  Reply to:  Reply to:  Reply to:  Reply to:  SYSTEM ACCESS VIOLATION
Mail Id:  IPM-6007-900313-160270263
In Reply To:  IPM-198-900312-085970211

Robert,
  I can tell you what cities the NUI belongs in, that is all.
Austpac NUI's/tie lines have a numbering convention based on where they are
registered, not from where the call is made.  Also, all the NUI's used are
stolen, so the address provides no clue as to who is really using it.

Anyway, this is the scheme.  Austpac is represented by the 5052.  The next
1-3 digits are the telephone area code of the tie line or registered NUI
user.

So:

 50522xxxxxxxxx is a Sydney number
 50523xxxxxxxxx is a Melbourne number
 50527xxxxxxxxx is a Brisbane number
 50529xxxxxxxxx is Perth
 505262xxxxxxxx is Canberra

etc.

5053 numbers are OTC Data Access and you will have to call me to find out about
those because there is no such geographical relationship between the number
and the user.

Hope this helps,
Mike
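The numbering convention Mike describes, as an added example that is not code from the archive: it decodes the Austpac DNIC (5052) and the following 1-3 area-code digits into the registration city, and refuses to guess for 5053 (OTC Data Access). The city table is exactly the one in his message; the triage helper and the sample addresses, which are ones quoted in this thread, are my additions.

```python
"""Austpac X.121 address triage (added example, not a Dialcom/OTC tool).

Encodes the convention in Mike Rosenberg's message: DNIC 5052 is Austpac,
the next 1-3 digits are the telephone area code (leading 0 dropped) of the
registered tie line or NUI, and 5053 (OTC Data Access) carries no such hint.
"""

AUSTPAC_DNIC = "5052"          # Austpac
OTC_DATA_ACCESS_DNIC = "5053"  # OTC Data Access: no geographic relationship

# Area code -> city, taken from the message.  Longer codes are tested before
# shorter ones so that 62 (Canberra) is never read as a bare 6.
AREA_CODES = {"2": "Sydney", "3": "Melbourne", "7": "Brisbane",
              "9": "Perth", "62": "Canberra"}


def normalise(address):
    """Strip the spaces people put into addresses (e.g. '5052 38189955')."""
    addr = address.replace(" ", "")
    if not addr.isdigit():
        raise ValueError(f"not a numeric X.121 address: {address!r}")
    return addr


def registered_city(address):
    """Return (network, city) for an X.121 address.

    city is None when the address gives no geographic hint: a 5053 address,
    an area code not in the table, or a foreign DNIC.  As the message warns,
    this is where the NUI was registered, not where the call came from, and
    a stolen NUI says nothing about the real caller.
    """
    addr = normalise(address)
    dnic, rest = addr[:4], addr[4:]
    if dnic == OTC_DATA_ACCESS_DNIC:
        return ("OTC Data Access", None)
    if dnic != AUSTPAC_DNIC:
        return ("DNIC " + dnic, None)
    for width in (3, 2, 1):          # area codes are 1-3 digits, longest first
        code = rest[:width]
        if code in AREA_CODES:
            return ("Austpac", AREA_CODES[code])
    return ("Austpac", None)


def triage(addresses):
    """Group addresses by the registration city they resolve to (my helper)."""
    by_city = {}
    for a in addresses:
        network, city = registered_city(a)
        key = city or f"{network} (no geographic hint)"
        by_city.setdefault(key, []).append(normalise(a))
    return by_city


if __name__ == "__main__":
    # Sample input: addresses quoted elsewhere in this thread.
    seen = ["505234289983", "505291989999", "505270589986",
            "5052 38189955", "425130000215", "31370090059"]
    for key, addrs in sorted(triage(seen).items()):
        print(f"{key:36s} {', '.join(addrs)}")
```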

   From:  R.RUSSIN  (ROBERT) Delivered:  Tue  13-Mar-90  0:33  Sys 198
Forward:  M.ROSENBERG  (MICHAELR)
Subject:  Reply to:  Reply to:  Reply to:  SYSTEM ACCESS VIOLATION
Mail Id:  IPM-198-900312-085970211

     Michael,
             Can you assist in this question.

Thanks,
Robert

   From:  M.HULBERT  (MARK)  Delivered:  Mon  12-Mar-90  8:09 EST Sys 198
     To:  R.RUSSIN  (ROBERT)
Subject:  Reply to:  Reply to:  Reply to:  SYSTEM ACCESS VIOLATION
Mail Id:  IPM-198-900312-073460945
In Reply To:  IPM-198-900311-202750722

Bert,

Please contact Mike Rosenberg in Australia and see if he can
determine the actual access city from the address through his channels
in Australia.

Looks like a busy weekend for you - thanks for the commitment.

Mark

   From:  R.RUSSIN  (ROBERT) Delivered:  Sun  11-Mar-90  22:31 EST Sys 198
     To:  M.HULBERT  (MARK)
Subject:  Reply to:  Reply to:  SYSTEM ACCESS VIOLATION
Mail Id:  IPM-198-900311-202750722
In Reply To:  IPM-5006-900311-198930318

     Zohar,
           Yes I know. However they just started coming into the U.S. from the
425130000215 address over this weekend. Before that the hacker was coming straight
to the U.S. from the Australian CSC Infonet address 31370090059. Since January
he has come in from the following network addresses you may want to screen your
systems for. They are: 31370038209007, 505234289983, 505270589986 and the
31370090059 listed above. Most of February and March until this weekend he
was coming in only from 31370090059. Once on he would netlink out and attack
other accounts on the same system, other systems within the ringnet and out
into the Telenet and other public data networks globally.

This hacker goes by the name Raster Biter and I have captured many of his
CPL's that you have seen him use to launch attacks at NUI's.

If you are the point of contact over there in Israel for our Licensee there,
then I will advise you of future activity as well.

Robert Russin     Deputy Security Officer BT TYMNET (Dialcom)

   From:  Z.LEVITAN  (ZOHAR) Delivered:  Sun  11-Mar-90  15:06 EST Sys 5006
     To:     R.RUSSIN  (ROBERT)
Subject:  Reply to:  SYSTEM ACCESS VIOLATION
Mail Id:  IPM-5006-900311-198930318
In Reply To:  IPM-198-900311-100590271


Robert,

Please note that although they are accessing your systems from
425130000215 they have been accessing Israel from the Australian
address in my original letter.

BTW, have you advised TYMNET networks of the accesses to other
computers on their network?

Zohar

   From:  R.RUSSIN  (ROBERT) Delivered:  Sun  11-Mar-90  18:32  Sys 198
     To:  Z.LEVITAN  (ZOHAR)
Subject:  SYSTEM ACCESS VIOLATION
Mail Id:  IPM-198-900311-100590271

    This hacker has been working all weekend around the Licensee Dialcom
systems. He has been netlinking to the U.S. from 425130000215 as well.
Just a heads up to everyone that we have heavy activity and to keep a close
watch on your systems.

Thanks Zohar for the heads up on your end.

Robert

   From:  R.MILLER  (RONM)   Delivered:  Sun  11-Mar-90  8:39 EST Sys 198
Forward:  R.RUSSIN  (ROBERT)
Subject:  SYSTEM ACCESS VIOLATION
Mail Id:  IPM-198-900311-077921232

FYI...

   From:  Z.LEVITAN  (ZOHAR) Delivered:  Sun  11-Mar-90  8:38 EST Sys 5006
     To:  R.MILLER  (RONM)
Subject:  SYSTEM ACCESS VIOLATION
Hi,

This is to alert you to the fact that we are suffering a security
breach.

The party is accessing from X.121 address 5052 38189955

He has been running a programme on our system that has been
scanning NUAs on Telenet. He has been scanning the range
3106097285 to 3106159999.  We have found him NETLINKing to
3106003503 and 3106003525.

Please advise your and TYMNET security people. We will pass on
further info if any comes to hand.

I can be reached by phone in Tel Aviv on 7532406 (+972 3 7532406)
until 10:00 EST today or from 12:00 on 490498 (+972 3 490498).

Zohar


     To:  L.WACHBROIT   (LILLIANW)
     Cc:  M.HULBERT   (MARK)
     Bc:  MICHAELR (6007:MICHAELR)
   From:  R.RUSSIN  (ROBERT) Delivered:  Fri  16-Mar-90  0:55  Sys 198  (215)
Subject:  Reply to:  Reply to:  Reply to:  Reply to:  Reply to:  Reply to:  Reply to:  CATINF PROTECTION & ACCESS VIOLATION
Mail Id:  IPM-198-900315-088460610
In Reply To:  IPM-198-900315-041761057

     Lillian,
             Thanks for the info. I had the accounts on system 41
and 57 shut down within a day or two after they cracked the accounts.
I have a COMINPUT stream that I edit each week, changing the date
range, which checks for incoming and outgoing access on network
addresses that have been frequented by hackers. Now normal users
also use these same paths. I look for anything unusual and investigate
further in detail if something catches my eye. I will give you this
file but remember it applies to the hacking we had in the U.S. It
can be used as a guide for other licensees who want to plug in
the addresses they happen to be dealing with. Anyway, here it is.

Robert

COMO BERT
DATE
SYS
/* INTERNATIONAL ACCESS CHECK INCOMING...
NUSAGE -U ? -D 03/11-03/14 -NET 5052&5053&31370038209007&31370090059 &
3106007028&208&425130000215 &
-NOMIN -I NA TR CON NET BAUD
DATE
SYS
/* INTERNATIONAL ACCESS CHECK OUTGOING...
NUSAGE -U ? -D 03/11-03/14 -NET 5052&5053&31370038209007&31370090059 &
3106007028&208&425130000215 &
-NOMIN -I NA TR CON NET VNET BAUD ISG VISC -VOUT
DATE
SYS
/* DOMESTIC ACCESS CHECK INCOMING...
NUSAGE -U ? -D 03/11-03/14 -NET 311020500018&311030100254&311030100253 &
311080500018&3110617&3110422000&3110233&311031300062&311020100074 &
311080100054 &
-NOMIN -I NA TR CON NET BAUD
DATE
SYS
/* DOMESTIC ACCESS CHECK OUTGOING...
NUSAGE -U ? -D 03/11-03/14 -NET 311020500018&311030100254&311030100253 &
311080500018&3110617&3110422000&3110223&311031300062&311020100074 &
311080100054 &
-NOMIN -I NA TR CON NET VNET BAUD ISG VISC -VOUT
DATE
COMO -E

This, when run as a como during non-prime time hours, will create
a file called BERT. I recommend that this phantom be run on all
systems in the ring and, when they complete, that all the
como files be loaded into one file to be printed and reviewed.

I hope this helps you out.

Robert

   From:  L.WACHBROIT  (LILLIANW) Delivered:  Thu  15-Mar-90  4:38 EST Sys 198
Forward:  R.RUSSIN  (ROBERT)
Subject:  Reply to:  Reply to:  Reply to:  Reply to:  Reply to:  Reply to:  CATINF PROTECTION & ACCESS VIOLATION
Mail Id:  IPM-198-900315-041761057

More on our friendly hacker.  Note some of the addresses he came in on...

   From:  Z.LEVITAN  (ZOHAR) Delivered:  Thu  15-Mar-90  2:14 EST Sys 5006
     To:  L.WACHBROIT  (LILLIANW)
Subject:  Reply to:  Reply to:  Reply to:  Reply to:  Reply to:  Reply to:  CATINF PROTECTION & ACCESS VIOLATION
here you are:

User Name     Date Time  Net Addr          Con Hrs          Chars I/O

BIC011        07  14:18  31103010025357       0:01       63       440
BIC011        07  14:33  31103010025357       0:25     1127      7131
BIC011        08   6:15  31103010025357       6:08    18480    122105
BIC011        08  13:03  31103010025357       4:32     4613    134250
BIC011        09   0:13  31103010025357       0:00        0         0
BIC011        09   1:44  31103010025357       3:55      285      1076
BIC011        09   8:04  31103010025341       0:08      170      2408
BIC011        09   8:07  (local)              0:00        0         0
BIC011        09   8:11  505238189955         0:37      881      8842
BIC011        09   8:36  (local)              4:43        0         0
BIC011        09   8:42  (local)              0:00        0         0
BIC011        09   8:43  (local)              0:00        0         0
BIC011        09   8:44  (local)              0:00        0         0
BIC011        09   8:48  (local)              0:00        0         0
BIC011        10   6:35  31103010025341       0:05      224      1501
BIC011        10   7:18  505238189955        10:30    24677    317582
BIC011        10   7:24  (local)              0:00        0         0
BIC011        10   7:25  (local)              0:00        0         0
BIC011        10   7:26  (local)              0:00        0         0
BIC011        10   7:26  (local)              0:00        0         0
BIC011        10   7:27  (local)              0:00        0         0
BIC011        10   7:27  (local)              0:00        0         0
BIC011        10   7:27  (local)              0:00        0         0
BIC011        10   7:28  (local)              0:00        0         0
BIC011        10   7:28  (local)              0:00        0         0
BIC011        10   7:35  (local)              0:00        0         0
BIC011        10   8:11  (local)              0:00        0         0
BIC011        10   8:13  (local)              2:53        0         0
BIC011        10   9:24  (local)              3:10        0         0
BIC011        10  13:42  (local)              0:00        0         0
BIC011        10  13:43  (local)              6:17        0         0
BIC011        11   6:54  31103010025341       0:00        0         0
BIC011        11   8:59  505238189955         1:48     8643     38058
BIC011        11   9:04  (local)              3:46        0         0
BIC011        11  11:23  505238189955         1:27     6355     49422
BIC011        11  13:11  9000000904           0:07      384      4166
BIC011        11  13:24  505238189955         0:00        0         0
BIC011        11  15:12  505238189955         2:19    11576     60613
BIC011                                       53:04    93264    750175
BWC001        07  13:30  31103010025357       0:42     1057    143595
BWC001        11  23:48  505238189955        10:49    36273    834483
BWC001        12   2:08  (local)             37:19        0         0
BWC001                                       48:50    37330    978078
                                            101:54   130594   1728253
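An added example, mine rather than a Dialcom tool, of the review step Robert describes for his weekly NUSAGE como output, applied to the listing layout Zohar posted above: it parses session rows, flags those whose Net Addr starts with a watch-listed prefix, and totals connect minutes per user and address. The sample rows are constructed from the listing above, the watch list collects addresses named in this thread, and prefix matching is my assumption based on the partial addresses (5052, 3110617) in Robert's -NET lists.

```python
"""Flag watch-listed addresses in a NUSAGE listing (added example, not a
Dialcom tool).  Layout per the posted report:
    User Name     Date Time  Net Addr          Con Hrs   Chars In  Chars Out
Per-user totals and the grand total carry no date/time and are skipped."""
import re
from collections import defaultdict

# Constructed sample in the NUSAGE layout, based on the rows posted above.
SAMPLE_REPORT = """\
User Name     Date Time  Net Addr          Con Hrs          Chars I/O

BIC011        07  14:18  31103010025357       0:01       63       440
BIC011        09   8:07  (local)              0:00        0         0
BIC011        09   8:11  505238189955         0:37      881      8842
BIC011        10   7:18  505238189955        10:30    24677    317582
BIC011        11  13:11  9000000904           0:07      384      4166
BIC011                                       53:04    93264    750175
BWC001        11  23:48  505238189955        10:49    36273    834483
BWC001        12   2:08  (local)             37:19        0         0
BWC001                                       48:50    37330    978078
                                            101:54   130594   1728253
"""

# Addresses this thread associates with the intruder.  Matching is on a
# leading prefix (assumption: that is how partial -NET values like 5052
# behave), so 5052 covers every Austpac NUI.
WATCH_PREFIXES = ("5052", "5053", "425130000215", "31370090059",
                  "31370038209007", "311030100253")


def parse_sessions(report):
    """Yield one dict per session row; headers, blanks and totals are skipped."""
    for line in report.splitlines():
        fields = line.split()
        # A session row has exactly 7 fields and a 1-2 digit day of month.
        if len(fields) != 7 or not re.fullmatch(r"\d{1,2}", fields[1]):
            continue
        user, day, clock, addr, conn, chars_in, chars_out = fields
        hours, minutes = conn.split(":")
        yield {
            "user": user, "day": int(day), "time": clock, "addr": addr,
            "minutes": int(hours) * 60 + int(minutes),
            "chars_in": int(chars_in), "chars_out": int(chars_out),
        }


def matched_prefix(addr, prefixes=WATCH_PREFIXES):
    """Longest watch-list prefix that addr starts with, or None."""
    hits = [p for p in prefixes if addr.startswith(p)]
    return max(hits, key=len) if hits else None


def flag_sessions(report, prefixes=WATCH_PREFIXES):
    """Return (flagged_rows, connect_minutes keyed by (user, addr))."""
    flagged = []
    totals = defaultdict(int)
    for session in parse_sessions(report):
        hit = matched_prefix(session["addr"], prefixes)
        if hit is None:
            continue
        session["watch"] = hit
        flagged.append(session)
        totals[(session["user"], session["addr"])] += session["minutes"]
    return flagged, dict(totals)


if __name__ == "__main__":
    rows, totals = flag_sessions(SAMPLE_REPORT)
    for r in rows:
        print(f"{r['user']} day {r['day']:02d} {r['time']:>5} from {r['addr']}"
              f" ({r['minutes']} min, matched {r['watch']})")
    for (user, addr), mins in sorted(totals.items()):
        print(f"{user} via {addr}: {mins} min in total")
```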

   From:  L.WACHBROIT  (LILLIANW) Delivered:  Wed  14-Mar-90  14:04  Sys 198
     To:  Z.LEVITAN  (ZOHAR)
Subject:  Reply to:  Reply to:  Reply to:  Reply to:  Reply to:  CATINF PROTECTION & ACCESS VIOLATION
Mail Id:  IPM-198-900314-063460362
In Reply To:  IPM-5006-900314-125770656

For the ids he broke into, include date, time and "NET" (we want to
see what address he came *from*...)

   From:  Z.LEVITAN  (ZOHAR) Delivered:  Wed  14-Mar-90  6:58 EST Sys 5006
     To:  L.WACHBROIT  (LILLIANW)
Subject:  Reply to:  Reply to:  Reply to:  Reply to:  CATINF PROTECTION & ACCESS VIOLATION
Mail Id:  IPM-5006-900314-125770656
In Reply To:  IPM-198-900314-037610725


Hi,

Please let me know the NUSAGE options that you would like us to run for you.

Zohar

   From:  L.WACHBROIT  (LILLIANW) Delivered:  Wed  14-Mar-90  11:11  Sys 198
     To:  Z.LEVITAN  (ZOHAR)
Subject:  Reply to:  Reply to:  Reply to:  CATINF PROTECTION & ACCESS VIOLATION
Mail Id:  IPM-198-900314-037610725
In Reply To:  IPM-5006-900313-195330414

Ick!   Can you send us the NUSAGE files on this guy?

   From:  Z.LEVITAN  (ZOHAR) Delivered:  Tue  13-Mar-90  14:41 EST Sys 5006
     To:  L.WACHBROIT  (LILLIANW)
Subject:  Reply to:  Reply to:  CATINF PROTECTION & ACCESS VIOLATION
Mail Id:  IPM-5006-900313-195330414
In Reply To:  IPM-198-900313-099950306


HE: potentially an Australian who has been spending hours on Dialcom
systems.

He has written some CPL's, found a couple of 'undocumented'
commands and security weaknesses.

1.  The person found a command DOPH which was set in 1985 to
minimum seclev 0 that allows anyone to spawn a phantom.

2.  He found that on most systems any user can 'ATTACH' to CATINF
and gaily go about creating subufds that he fills with CPL's, and
the result files of hundreds of searches for computers on the PSS
networks and the attempts to 'access' these systems using files
of passwords.

The hacker has been fairly clever doing loop the loop.  It
appears from one listing we got running NUSAGE, that he arrived
from system 135 and went to visit system 135 and 163.  The latest
accesses have been from Australia and he has been running riot
with a CPL that does a loop from X to infinity with TYMNET NUA's.
If he gets a connected message he writes the result to a file etc
etc.

Hope this makes some sense - I have been up since 03:30 this
morning and logged on to check if our guest got back past the
doors we closed.

Zohar

   From:  L.WACHBROIT  (LILLIANW) Delivered:  Tue  13-Mar-90  18:07  Sys 198
     To:  Z.LEVITAN  (ZOHAR)
Subject:  Reply to:  CATINF PROTECTION & ACCESS VIOLATION
Mail Id:  IPM-198-900313-099950306
In Reply To:  IPM-5006-900313-150900268

Zohar,

     I feel like I came into the middle of a movie -- who is "he"?  And what
did "he" do?  How about explaining this from the beginning?

Confused of Camden

   From:  Z.LEVITAN  (ZOHAR) Delivered:  Tue  13-Mar-90  9:45 EST Sys 5006
     To:  L.WACHBROIT  (LILLIANW)
Subject:  CATINF PROTECTION & ACCESS VIOLATION
Mail Id:  IPM-5006-900313-150900268


HI,

On our system he created a SUBUFD CATINF>POST>MAIL. We have attempted
to reset protections for CATINF so that users with SECLEVs below 5 could
not attach, but without success.

Could you please let us know what needs to be done in order to protect
this UFD from 'attach'.

We have looked at his last CPL and found that he accessed your system
163 and was having a go at prefix EPX with passwords 'DIALCOM', 'QWERTY'
and 'TEST'. We would appreciate your letting us know this information
for our system if you find it in any of his files.

Many Thanks

Zohar


     Fo:  MICHAELR (6007:MICHAELR)
     Cc:  M.HULBERT   (MARK)
   From:  R.RUSSIN  (ROBERT) Delivered:  Fri  16-Mar-90  0:32  Sys 198  (35)
Subject:  HACKERS POINT OF ORIGIN
Mail Id:  IPM-198-900315-085970463

     Mike,
          Our hacker is attacking the Israel Licensee now.
He comes in their system from 5005, 5052 and 38189955.
This morning around 5:30 AM U.S. time the hacker
was online using a hacked account netlinking out
to 3106 008510 which is a Tymnet address. Mark Hulbert will
advise Tymnet Network Security. I just wanted to pass
this information on to you in case it can help you.

Thanks,
Robert

   From:  M.HULBERT  (MARK)  Delivered:  Thu  15-Mar-90  7:14 EST Sys 198
Forward:  R.RUSSIN  (ROBERT)
Subject:  HACKERS POINT OF ORIGIN
Mail Id:  IPM-198-900315-065180725

Would you provide this information to Michael Rosenberg and see if
he might be able to add some further information to it?

Mark

   From:  Z.LEVITAN  (ZOHAR) Delivered:  Thu  15-Mar-90  6:11 EST Sys 5006
     To:  M.HULBERT  (MARK)
Subject:  HACKERS POINT OF ORIGIN
Mail Id:  IPM-5006-900315-118820069


HI,

The blokes at our PSS service have determined that the hacker is
working from a line registered to a company called Austac with
phone number +61 2 233-3677 (i.e. somewhere in Sydney).

Zohar


     Fo:  BTG072 (10080:BTG072)
     Fo:  BTG109 (10080:BTG109)
     Fo:  MICHAELR (6007:MICHAELR)
     Fo:  E.LONG   (ELLEN)
     Fo:  M.HULBERT   (MARK)
     Cc:  R.MYERS (159:BERTA)
     Cc:  ZOHAR (5006:ZOHAR)
     Cc:  R.RUSSIN   (ROBERT)
   From:  R.RUSSIN  (ROBERT) Delivered:  Mon  12-Mar-90  2:16  Sys 198  (40)
Subject:  SYSTEM ACCESS VIOLATION
Mail Id:  IPM-198-900311-100590271

    This hacker has been working all weekend around the Licensee Dialcom
systems. He has been netlinking to the U.S. from 425130000215 as well.
Just a heads up to everyone that we have heavy activity and to keep a close
watch on your systems.

Thanks Zohar for the heads up on your end.

Robert

   From:  R.MILLER  (RONM)   Delivered:  Sun  11-Mar-90  8:39 EST Sys 198
Forward:  R.RUSSIN  (ROBERT)
Subject:  SYSTEM ACCESS VIOLATION
Mail Id:  IPM-198-900311-077921232

FYI...

   From:  Z.LEVITAN  (ZOHAR) Delivered:  Sun  11-Mar-90  8:38 EST Sys 5006
     To:  R.MILLER  (RONM)
Subject:  SYSTEM ACCESS VIOLATION
Mail Id:  IPM-5006-900311-140840652

Hi,

This is to alert you to the fact that we are suffering a security
breach.

The party is accessing from X.121 address 5052 38189955

He has been running a programme on our system that has been
scanning NUA on Telenet. He has been scanning the range
3106097285 to 3106159999.  We have found him NETLINKing to
3106003503 and 3106003525

Please advise your and TYMNET security people. We will pass on
further info if any comes to hand.

I can be reached by phone in Tel Aviv on 7532406 (+972 3 7532406)
until 10:00 EST today or from 12:00 on 490498 (+972 3 490498).

Zohar


     To:  MICHAELR (6007:MICHAELR)
     Cc:  M.HULBERT   (MARK)
     Cc:  R.RUSSIN   (ROBERT)
   From:  M.HULBERT  (MARK)  Delivered:  Thu  22-Feb-90  23:46  Sys 198  (45)
Subject:  Reply to:  System 48
Mail Id:  IPM-198-900222-069750143
In Reply To:  IPM-6007-900222-152690115

Michael,

The Westinghouse Wespac network is a private network owned and operated by Westinghouse. The addresses for
the network are 3110422.

Systems 48 and 49 are Westinghouse systems but we have not noted
any hacker activity of late but will recheck our most recent
series of scans of our systems.

I would appreciate any added information on what specifics the
individual you're talking to has on the possible penetrations.

Also, treat this information on Wespac with discretion.

Mark

   From:  M.ROSENBERG  (MICHAELR) Delivered:  Thu  22-Feb-90  1:56 EST Sys 6007
     To:  M.HULBERT  (MARK)
Subject:  System 48
Mail Id:  IPM-6007-900222-152690115

Robert, Mark,
      My contact in OTC's packet switching exchange has asked me if I knew
what 311042200048 was and if it was Dialcom or not.  After I told him
that it was system 48, he asked me if I could ask you some things..
  He doesn't have any firm evidence, but I know that he is asking questions
because he intercepted a conversation with electron during which he
mentioned things about penetrating Westinghouse security.
  I think that system 48 is Westinghouse (y/n?) and, if so, is it known
amongst any one there by the name Westpac?  Do you know of any obvious
security breaches in 48 and 49 that concern Australia or you think come
from Australian hackers.
 I know that these are vague questions and the time scale that he is
speaking of is a couple of months ago.  Also, I understand that there
are things that I may not be privy to know, that is fine.  Basically, is there
anything that may interest Australia about security breaches on 48 and 49?
  I assure you of course that the person asking these questions spends most
of time tracking hackers that don't originate from my system and is asking
me these questions because he is trying to fill in holes in his intercepted
information.
Hope you can help,
Thanks,
Michael.

     To:  MICHAELR (6007:MICHAELR)
     Cc:  M.HULBERT   (MARK)
   From:  R.RUSSIN  (ROBERT) Delivered:  Wed  21-Feb-90  1:43  Sys 198  (77)
Subject:  Suspect activity from sys 75
Mail Id:  IPM-198-900220-087370915

     Michael,
             Here is some additional info I received from BTGOLD
that may help you in your inquiry.

Robert

   From:  D.DOVEY-PRICE  (BTG300) Delivered:  Mon  19-Feb-90  7:09 EST Sys 10080
Forward:  R.RUSSIN  (ROBERT)
Subject:  Suspect activity from sys 75
Mail Id:  IPM-10080-900219-109471015

Robert,
   I've done some investigating on this matter and have found one of our
customers accessing address 5053200000, but only on 22/1 and 26/1 and not
on 25/1. Enclosed are the times for you to compare.
   The company name is ARTSLINK.
Hope this info is of some use to you.
Diana.
User Name     Date Time  Net Addr

MUS074        22   3:36  5053200000
MUS074        22  18:02  5053200000
MUS074        22
User Name     Date Time  Net Addr

MUS074        26  12:40  5053200000


   From:  J.KENNEDY  (BTG109) Delivered:  Mon  19-Feb-90  10:33 GMT Sys 10080
Forward:  D.DOVEY-PRICE  (BTG300)
Subject:  Suspect activity from sys 75
Mail Id:  IPM-10080-900219-094970964

Diana

As Vicky isn't in, please could I ask you to have a look
at this suspect activity.  I have 2 requests from the US, one from
Robert, the other from Mark Hulbert - so they are obviously
concerned!

Thanks very much
Julie

   From:  R.RUSSIN  (ROBERT) Delivered:  Fri  16-Feb-90  16:52 GMT Sys 198
Forward:  J.KENNEDY  (BTG109)
Subject:  Suspect activity from sys 75
Mail Id:  IPM-198-900216-106761270

     Here is a question that could be better answered at your end.

Robert

   From:  M.ROSENBERG  (MICHAELR) Delivered:  Fri  16-Feb-90  0:35 EST Sys 6007
     To:  R.RUSSIN  (ROBERT)
Subject:  Suspect activity from sys 75
Mail Id:  IPM-6007-900216-149240236

Dear Berta,
         could you forward this message to the appropriate person in BT.

  A user on system 07 was accessed from system 75, and while I think
that the usage was not at all indicative of a hacker, she is adamant that no one
on BTG should know her password.
  Could you ask BTG to check for calls to system 07 (5053200000,5053200050
or 505211134999) from  023421920100475 on
22/1  1:17-11:40 UTC
17:40 25/1 - 05:34 26/1 UTC

and tell me (if possible) who the user was and if that account is suspect.
I'll say again that it looks to me as if the person knew the pw and
only used OTC Intelnet, but I must check it out.  I'd like to know who
the user was so that I may tell my user the name of the person/company to
see if I can jog her memory on someone who can use her account.

Thanks,
Michael


     To:  MICHAELR (6007:MICHAELR)
     Cc:  M.HULBERT   (MARK)
	     Cc:  R.RUSSIN   (ROBERT)
   From:  R.RUSSIN  (ROBERT) Delivered:  Thu  8-Feb-90  13:45  Sys 198  (58)
Subject:  Reply to:  Activity from Australia on System 41
Mail Id:  IPM-198-900207-195640975
In Reply To:  IPM-6007-900208-095270350

     Michael,
             Yes we know about the activity on 41. Thanks for advising us as well.
The hacker goes by the handle Raster Biter. They have been onto a few different
accounts on 41 since November. I discovered this afternoon after reviewing my weekly
nusage security check that they penetrated the account 41:UGA006 coming in from
CSC Infonet 31370090059 and AUSTPAC 505270589986. Once on they are then using our
Prime system to netlink back out into the Telenet world. I have been in contact
with Telenet Security and also the Royal Canadian Mounted Police since they were
beating on some Canadian systems from 41.

It appears the hacker(s) are establishing many points of entry on various PDN's
around the globe. They spend long hours on many of the systems they have netlinked
out to from our systems. I feel that since all of their incoming addresses to U.S.
Dialcom are from the above two addresses I would tend to think that the hackers
are Australia based. The access is mostly late night too. There is one other
CSC Infonet address they come in from but, I am at home now and don't have it
written down with me. When I get in to work tomorrow I will send it to you.

Since November they have hit accounts on 41, 50, 52 and 57. We have curtailed
their access so far from all but 41. I find them on one account and have the
password changed then the next week they show up on another account. However
they are all accounts that were retrieved sometime from a directory listing
since they all belong to the same client who has many prefixes on 41. The
others on 50, 52 and 57 I believe were from accounts listed in another
captured directory. The system manager for the account still hasn't told
us if the passwords to the hacked accounts had any relation to entries
in the mail directory.

Well I have to go now and finish some more of my end of month report.
Stay in touch and thanks for the heads up.
Robert

   From:  MIKE.ROSENBERG  (MICHAELR) Delivered:  Wed  7-Feb-90  18:34 EST Sys 6007
     To:  R.RUSSIN  (ROBERT)
Subject:  Activity from Australia on System 41
Mail Id:  IPM-6007-900208-095270350

Dear Robert/Mark, assuming that you are both still employed by Dialcom....

  Our packet switch guys have informed me of much activity to system  41
over the last few days.

  I suggest you look for accesses from 505234289983 on :

2/7 0135 to 1811 UTC for a start.

Check for other accesses during feb. of course, but you should find accesses
on at least the 2nd and 6th as well.

Could you also check an access from 505291989999 on 2/7 11:00 UTC please.  It
was only 4 minutes long so it is probably OK.

This suspect NUI is not going to be blacklisted by OTC because furtive
investigations are under way into his activities.

Hear from you shortly,
Regards,
Michael.


     To:  E.LONG   (ELLEN)
     To:  M.AUSCHWITZ   (MONICA)
     Cc:  M.HULBERT   (MARK)
     Cc:  R.RUSSIN   (ROBERT)
     Bc:  MICHAELR (6007:MICHAELR)
   From:  R.RUSSIN  (ROBERT) Delivered:  Thu  1-Feb-90  6:05  Sys 198  (22)
Subject:  System 41 Hacker Penetration
Mail Id:  IPM-198-900131-126420709

     Monica,
            The account UGA024 on system 41 was penetrated
again. The last penetration was on January 11th which I discovered
and made notification. The account has since been penetrated
on January 29th 7 hrs & 7 min, 30th 7 hrs & 33 min and the 31st
4 hrs and 2 min.

After the last reported hit back on the 11th the password was
never changed and the hacker came back onto the account again.

I changed the password myself this morning after I discovered
the problem. The incoming network addresses are 31370090059 ,
31370038209007 which are CSC Infonet and 505234289983 which
is Australia Telecom AUSTPAC.

You will need to notify TCN that their account was hit and
since they never changed the password the last time I don't
know how you want to handle the credit part.

The password is NELLE

Robert

     To:  ROBERT (198:ROBERT)
     Cc:  MICHAELR (6007:MICHAELR)
     Cc:  S.PATEL   (BTG197)
   From:  V.LUNDBERG  (BTG072) Delivered:  Wed  21-Feb-90  4:03  Sys 10080  (9)
Subject:  Security checks.
Mail Id:  IPM-10080-900220-153471089


Robert,
I am going on holiday for just over 2 weeks, therefore if you have any
urgent need for our help please could you contact in the first instance
Sandy, BTG197.
(Of course you also have Julies id if you need her too.)

Many thanks,
Vicky.

     To:  ROBERT (198:ROBERT)
     Cc:  MARK (198:MARK)
     Bc:  NET006 
   From:  M.ROSENBERG  (MICHAELR) Delivered:  Thu  29-Mar-90  18:28 AEST Sys 6007  (93)
Subject:  Reply to:  Suspect activity from sys 75
Mail Id:  IPM-6007-900329-166320230
In Reply To:  IPM-198-900220-087370915

Dear Robert,
        I have been checking this message and just realised that this
is a nusage of accesses of system 75 FROM system 07.  I needed to know
who on system 75 called either 5053200000 or 5053200050 or 505211134999 on
the times and dates specified below.  I know that no one should have
been able to do this without netlink but someone did, so could you ask
Dialcom UK to do an nusage of all OUTGOING calls to these addresses and tell
me who the customer was.
Thanks
Michael

   From:  R.RUSSIN  (ROBERT) Delivered:  Wed  21-Feb-90  1:43  Sys 198
Forward:  M.ROSENBERG  (MICHAELR)
Subject:  Suspect activity from sys 75
Mail Id:  IPM-198-900220-087370915

     Michael,
             Here is some additional info I received from BTGOLD
that may help you in your inquiry.

Robert
   From:  D.DOVEY-PRICE  (BTG300) Delivered:  Mon  19-Feb-90  7:09 EST Sys 10080
Forward:  R.RUSSIN  (ROBERT)
Subject:  Suspect activity from sys 75
Mail Id:  IPM-10080-900219-109471015

Robert,
   I've done some investigating on this matter and have found one of our
customers accessing address 5053200000, but only on 22/1 and 26/1 and not
on 25/1. Enclosed are the times for you to compare.
   The company name is ARTSLINK.
Hope this info is of some use to you.
Diana.
User Name     Date Time  Net Addr

MUS074        22   3:36  5053200000
MUS074        22  18:02  5053200000
MUS074        22

User Name     Date Time  Net Addr

MUS074        26  12:40  5053200000


   From:  J.KENNEDY  (BTG109) Delivered:  Mon  19-Feb-90  10:33 GMT Sys 10080
Forward:  D.DOVEY-PRICE  (BTG300)
Subject:  Suspect activity from sys 75
Mail Id:  IPM-10080-900219-094970964

Diana

As Vicky isn't in, please could I ask you to have a look
at this suspect activity.  I have 2 requests from the US, one from
Robert, the other from Mark Hulbert - so they are obviously
concerned!

Thanks very much
Julie

   From:  R.RUSSIN  (ROBERT) Delivered:  Fri  16-Feb-90  16:52 GMT Sys 198
orward:  J.KENNEDY  (BTG109)
Subject:  Suspect activity from sys 75
Mail Id:  IPM-198-900216-106761270

     Here is a question that could be better answered at your end.

Robert

   From:  M.ROSENBERG  (MICHAELR) Delivered:  Fri  16-Feb-90  0:35 EST Sys 6007
     To:  R.RUSSIN  (ROBERT)
Subject:  Suspect activity from sys 75
Mail Id:  IPM-6007-900216-149240236

Dear Berta,
         could you forward this message to the appropriate person in BT.

  A user on system 07 was accessed from system 75, and while I think
that the usage was not at all indicative of a hacker, she is adamant that no one
on BTG should know her password.
  Could you ask BTG to check for calls to system 07 (5053200000,5053200050
or 505211134999) from  023421920100475 on
22/1  1:17-11:40 UTC
17:40 25/1 - 05:34 26/1 UTC

and tell me (if possible) who the user was and if that account is suspect.
I'll say again that it looks to me as if the person knew the pw and
only used OTC Intelnet, but I must check it out.  I'd like to know who
the user was so that I may tell my user the name of the person/company to
see if I can jog her memory on someone who can use her account.

Thanks,
Michael



END OF DOCUMENT