ARCHIVE: Zardoz 'Security Digest' - Resources
DOCUMENT: Dialcom X.25 security discussion 1988/1989 (1 file, 41563 bytes)
SOURCE: http://securitydigest.org/exec/display?f=zardoz/resource/dialcom.txt&t=text/plain
NOTICE: securitydigest.org recognises the rights of all third-party works.
START OF DOCUMENT
To: M.ROSENBERG (MICHAELR)
Cc: C.HAPANGAMA (OTC264)
From: A.LOWTHER (OTC157) Delivered: Mon 8-Aug-88 9:32 AEST Sys 6007 (52)
Subject: VMS HACKING
Mail Id: IPM-6007-880808-085830292
Dick Weaver sent me this some time ago. It indicates that we really
do need to be on our mettle as far as VMS security is concerned. Dean
Gingell is a bit inclined to accept that VMS security is so good
that it is impenetrable!!
Tony.
From: R.WEAVER (OTC248) Delivered: Fri 11-Mar-88 16:38 AEST Sys 6008
Subject: VMS Passwords: Hackers' Attacks ? ?
Mail Id: IPM-6008-880311-149750909
From: ecs140w020@deneb.ucdavis.edu
Subject: VMS password hacker
===================
Date: 6 Mar 88 12:06:58 GMT
Sender: uucp@ucdavis.ucdavis.edu
Lines: 18
Bunkersoft of Mountain View has a VMS password hacker
available for $30 (source code) from
Bunkersoft
PO Box 4436
Mountain View CA
94040-4436
The method used is a brute force attack. However, because of the
nature of the VMS password file, SYSPRV or CMKRNL is required for
a short window of time before running. I ran this program on my
installation at work; it found 35% of all passwords. *** *** ***
***
Since HPWD is a proprietary DEC code, a batch file is given to
extract this information from LOGINOUT.EXE. I believe this program
is aimed at security managers etc.
ecs140w020@deneb.ucdavis.edu
ucdavis!deneb!ecs140w020
... ... ... ... ... ... ... ... ...
Well how about that then ! Will we need to worry about security
like Minerva worries? Think we need a copy of this "hacking tool" ?
Richard Weaver Ext 5134
(Manager, New Services Development)
11 March 88
To: MICHAELR (6007:MICHAELR)
To: STEVEB (6007:STEVEB)
From: M.ROSENBERG (MICHAELR) Delivered: Fri 19-Aug-88 10:09 Sys 6008 (36)
Subject: Hello!
Mail Id: IPM-6008-880819-09086021
Importance: Normal
To: MICHAELR
From: A.TAYLOR (6007:TUD001)
Subject: Hello!
Posted: Thu 18-August-88 19:15 AEST
Delivered: Thu 18-August-88 19:12 AEST (27 lines)
Hi this is The Phoenix (with The Force...)
Umm... sorry - missed you by 2 mins...
Hmm... Why not give us this account ? The real user never logs on...
Just cancel his billing - set up 3 or so other accounts in the series TUD
(Now i knw thats possible!)
Take away netlink if you wish....
we only want it as a means of communication between our members and yourself.
The advantages of this are twofold...
1) You can keep an eye on us...
2) You get us off your back....
what do you say ?
Anyhow - ever considered taking up hacking ?
Seeya L8er...
(-: Phoenix :-)
Catch Ya Later
----====} THE FORCE {====----
P.S - Dont delete this account yet (please) - wait till we see the reply
I guarantee that we will not use netlink (apart from the one short call to Alto
already made...)
To: BTG082 (10080:BTG082)
Cc: S.BERLECKY (STEVEB)
Bc: M.ROSENBERG (MICHAELR)
From: M.ROSENBERG (MICHAELR) Delivered: Fri 19-Aug-88 12:09 AEST Sys 6007 (12)
Subject: News of hackers
Mail Id: IPM-6007-880819-109360302
Paul,
Hi! Michael Rosenberg here. Those 2 numbers that you gave us
have been identified and are being researched at the moment to see if they
themselves were hacked. One of them is a tie line which is great because
we should know from where the call was made, except that the address in the
database doesn't match the company that is there and the phone number doesn't
make sense and I can't even get a number for the company to which it is registered.
I have sent this info to Telecom Aust. and will get back to you when they
get back to me.
You will hear from me soon,
Thanks,
Michael Rosenberg.
To: MICHAELR (6007:MICHAELR)
From: P.SWAAB (BTG082) Delivered: Fri 19-Aug-88 19:23 Sys 10080 (15)
Subject: Reply to: News of hackers
Mail Id: IPM-10080-880819-174580001
Michael.
Thanks for the information you sent. The
situation here is that he tried once again to access the
box, but was unable to as we have devalidated that box.
Dialcom (US) have located the addresses he has
accessed us from via Telenet, and Telenet and Telecom Australia are
going to try and trace these routes and close them down.
Telenet are keeping a close eye out for overactive work on
those addresses.
Again many thanks for the information. I will contact you if I
hear any more.
Hope to hear from you soon.
Fo: MICHAELR (6007:MICHAELR)
To: STEVEB (6007:STEVEB)
Fo: S.BERLECKY (6008:STEVEB)
Fo: M.HULBERT (MARK)
Cc: D.MCDONELL (DM)
Cc: J.BRIGHT (JACK)
From: R.BARNACK (BERTA) Delivered: Thu 25-Aug-88 21:27 Sys 198 (78)
Subject: GREETINGS FROM AUS
Mail Id: IPM-198-880825-193140001
Michael and STeve,
Vicky Lundberg has requested that I forward the message sent from
an ID in Australia to some of the 'upper management' of Telecom Gold/BT.
Do the contents of this message indicate the same hacker that
Michael has been dealing with or is it a new one? Any information
would be appreciated.
Thanks,
Berta
From: V.LUNDBERG (BTG072) Delivered: Thu 25-Aug-88 4:58 EDT Sys 10080
Forward: R.BARNACK (BERTA)
Subject: GREETINGS FROM AUS
Mail Id: IPM-10080-880825-044750001
Berta,
This is Vicky from Dialcom UK systems admin.... I am a
little worried about the content of this item (it seems
dubious) because of what was happening from Australia last
week; I feel it may be connected. Please could you
investigate this user with Steve in Aussie land, and get
back to me as to whether it should be looked into further.
This was sent to at least 2 BTG ids within a few minutes of
each other, exactly the same text. Mine, you see, is entitled
Dear Steve, so the guy obviously either has the id
confused, or is just trying it on. The other has been
directed to the correct 'name' of the mailid though!
Your comments would be appreciated.
Thanks,
Vicky.
From: CAE007 Delivered: Wed 24-Aug-88 1:16 BST Sys 6007
To: V.LUNDBERG (BTG072)
Subject: GREETINGS FROM AUS
Mail Id: IPM-6007-880824-011490001
Dear Brian,
An 'electronic friend' of mine in the UK kindly forwarded to
me a list of UK e-mail users like yourself, but who are
involved primarily within the hierarchy of Telecom Gold
itself. I am writing this brief note to you primarily to
seek your help. Having successfully 'broken through' into
the UK e-mail network, I am now trying to spread my wings a
little and seek contact with other countries. I particularly
wish to make contact with the USA and, in Europe, with
Greece [if Greece, indeed, has such a system] as well as
other participating countries in the international e-mail
network. If you or one of your colleagues has any relevant
information, contact IDs or other helpful advice, I would be
most grateful.
As for me, my name is PAUL HELLANDER 6007:CAE007 and I am a
lecturer in Modern Greek at the South Australian College of
Advanced Education. Like a small, but dedicated bunch of
like-minded computer users, I am very interested in
electronic telecommunications and in computers in general.
I actually teach multilingual word processing and page
processing [DTP] to my language students at the College and
have my own setup at home: a Macintosh SE, modem, printer
etc.
If you are not able to help me immediately, please forward
my message to somebody who may be able to suggest something.
But in any case, I would like to hear from you about your
own interests and role within the Telecom Gold system.
Best wishes from Australia!
Paul
To: M.ROSENBERG (MICHAELR)
From: M.ROSENBERG (MICHAELR) Delivered: Thu 8-Sep-88 23:14 AEST Sys 6007 (1)
Subject: force activity
Mail Id: IPM-6007-880908-209140305
force was on altos at 23:08 on 8/9/88.
To: JVE002 (6007:JVE002)
Cc: STEVEB
Cc: MARSDEN-US (142:IMC002)
Cc: MICHAELR (6007:MICHAELR)
Cc: OTC519 (6007:OTC519)
Cc: MULHOLLAND-AA (JND002)
From: MULHOLLAND-AA (JND002) Delivered: Mon 26-Sep-88 12:33 Sys 6009 (42)
Subject: HACKING ON JND IDS
Mail Id: IPM-6009-880926-112950001
To: Paul Heath Keylink
CC Ron Sinclair OTC
Steve Belecky OTC
Michael Rosenberg OTC
Tim Marsden ESI
Paul
As you are probably aware a hacker is active in Australia and has recently
gained access to a number of JND mailboxes. The hacker has run up considerable
time and probably a fair amount of international access.
Ron Sinclair on the advice of Michael Rosenberg alerted me to the problem and
Michael has also shut the IDs down when he has detected the illegal use. I've
spoken to the owners of these IDs and while their passwords were not obscure
they could only have been gained by a knowledge of our user directory.
Obviously there is going to be a problem when the bills for this illegal usage
are presented to the customers. They are already arguing that if I know the
usage is not by them why should they have to pay for it.
I see this incident as extremely damaging to the users' perception of the
integrity of the email system and as such I'd like to take some steps to
placate the users and to prevent a recurrence.
Firstly, will Keylink credit the illegal usage ?
Secondly, Tim Marsden our US system manager has suggested we set up and move
all our CPLs that use Netlink to CMDJND. We would also need a copy of NETLINK
with a different name (say FRED) on CMDJND so that our use of the NETLINK
command in the CPLs could change to FRED. This combination of a changed
command name and an ID that the hacker can't access would hopefully render JND
IDs useless to the hacker's purpose.
Further we would want a program called NETLINK.CPL on CMDJND. This will be a
hacker alert and would mail a message to an OTC ID that monitors for illegal
use.
I see a real urgency about this matter and would appreciate your early advice.
Best
David Mulholland
To: BERTA (198:BERTA)
Cc: S.BERLECKY (STEVEB)
From: M.ROSENBERG (MICHAELR) Delivered: Thu 6-Oct-88 15:08 AEST Sys 6007 (18)
Subject: Hackers
Mail Id: IPM-6007-881006-136340371
Berta,
I think that I have found evidence of a hacker on system 52, which
you should chase up.
On 10/3/88 (I even put the date in US format so you can read it) at
about 07:53 GMT, 08:10 GMT and 09:00 GMT, calls were made from
31033010000552 to 5053210106, which I have reason to believe is a hacker.
If you find it to be so, I really need to know from what address he got into
system 52, as I am hoping he did it from Aust. somewhere.
If it was not, and Dialcom trace it back further, could I be told the address
furthest back that you find.
I am having BIG problems with this guy or one of his friends, so speed will
help greatly.
I also have an account netlinking a LOT to sys41 (0311030100341) from 5053200000.
He is in the billing as the United Nations. Could you have a look at the
calls to 41 from 07 and see if he has hacked an account there or if he is
legal?
Thanking you,
Michael.
To: MARK (198:MARK)
Cc: BERTA (198:BERTA)
Cc: S.BERLECKY (STEVEB)
From: M.ROSENBERG (MICHAELR) Delivered: Fri 7-Oct-88 10:52 AEST Sys 6007 (25)
Subject: Hacker methods.
Mail Id: IPM-6007-881007-097940230
Mark, Berta,
Just a little background so that you know what brought on my
rush of hacker enquiries. Chatting to my hackers on ALTOS in Germany,
they have been taunting me saying that they have developed a means of pw
interception and they indeed were getting a lot of OTC ids from somewhere.
Finally, I found that the guy netlinks to our PADs and tielines and just
waits, and waits, until someone finally tries to use the terminal. In the case
of the NTNs that he uses, the vast majority of the calls are to system 07.
Unfortunately, most people think that 07 is broken in some way because
it doesn't display the sign-on banner and Password: etc, and just keep typing
their id and password, which of course appear on the hacker's screen. There
he goes.
I have seen evidence of this from at least 52 and 41 which is why I
mentioned those two only. Because our packet network is owned by OTC, I can
find out who attempted calls to any NTN, which is how I found 41. I found 52
because when I was warning one of our people who uses a tie line, the hacker
was trying it at that moment in time, and I identified the address. Also,
I was talking to the hackers later that day on ALTOS and they tried to log into
07 from 52, so I logged into 98 and did an NSY on 52. There they were.
So, there you go. I just thought you'd like to know how I came to know
about hackers on your system. I am having that NUI killed, but I am sure that
he has more.
Thanks for your help,
Michael.
To: BERTA (198:BERTA)
To: MARK (198:MARK)
From: M.ROSENBERG (MICHAELR) Delivered: Fri 7-Oct-88 11:19 AEST Sys 6007 (5)
Subject: More times.
Mail Id: IPM-6007-881007-101900857
Mark, more netlinking times as follows:
from 31033010000541 to 5053200024 (it may be 200056, but don't think so)
10/6 09:10,09:28,09:33 GMT
and from 31033010000552 on 10/6 at 07:43 GMT
To: MARK (198:MARK)
From: M.ROSENBERG (MICHAELR) Delivered: Sun 9-Oct-88 12:48 AEST Sys 6007 (11)
Subject: hacker on 41
Mail Id: IPM-6007-881009-115200647
Mark,
I found that 41:TCN181 was hacking on 10/6 at 2:44 GMT netlinking to
altos. He was one of my hackers (aust.) and came from 26245724740132.
If this guy, and/or any others have been netlinking back to aust, I could
really use that info because he is getting passwords from somewhere that I
haven't found yet, presumably with his netlinking to pads/tielines trick.
There was another TCN on at the same time as Phoenix (hacker's alias)
netlinking to a telenet address. Interesting the way they have so many on the
one account group. e.g. 52:scx.
Thanks,
Michael.
To: MARK (198:MARK)
From: M.ROSENBERG (MICHAELR) Delivered: Sun 9-Oct-88 18:12 AEST Sys 6007 (3)
Subject: another one.
Mail Id: IPM-6007-881009-163811023
Mark, that other suspect TCN was TCN177 on 41 and definitely was hacked. Was
netlinking to altos 10/9 at 8:10 GMT from 31102050001801.
Mike.
To: MARK (198:MARK)
From: M.ROSENBERG (MICHAELR) Delivered: Thu 13-Oct-88 18:41 AEST Sys 6007 (7)
Subject: TCN098
Mail Id: IPM-6007-881013-168240539
was hacking this morning. I informed ops via Lillian who clobbered him.
I copied some of his files before he deleted them (he was making files and
then deleting them) to otc-all>tcn098 but he no doubt had made more when
he was hit so you'll have them. The hacker who called from the states
last night gave the name SAM MONICA who said he was from Dialcom, system 41.
Obviously not his real name but does it mean anything to you?
Michael
To: MARK (198:MARK)
From: M.ROSENBERG (MICHAELR) Delivered: Sat 15-Oct-88 20:42 AEST Sys 6007 (3)
Subject: TCN051
Mail Id: IPM-6007-881015-186400186
On system 41 has been hacked. If he has deleted the files on his account,
I copied them to 98:otc-all>tcn051. I noticed him on at 6:43 am on 10/15.
Michael.
To: MARK (198:MARK)
Cc: OTC264
Cc: S.BERLECKY (STEVEB)
From: M.ROSENBERG (MICHAELR) Delivered: Mon 17-Oct-88 13:27 AEST Sys 6007 (38)
Subject: TCN051
Mail Id: IPM-6007-881017-121131069
Mark,
Have you noticed the file called "DRAFT" in 41:tcn051? Note in it how
he mentions the account MONICA, which I now know to be a seclev 5 on 98.
Recall how I said that the american hacker who called me gave the name SAM
MONICA... Very unlikely to be the guy of course but you could very well
have a big security problem.
The force is also being investigated by Telecom Aust. for international
telephone fraud at the moment. Also, when I saw tcn051 being used to hack
it appeared to be being used by Phoenix.
Dear Sir,
I am the hacker responsible for using TCNxxxx Accounts as well as others
on system 41, and after talking to the system manager I am really shocked
at the stand you have chosen to take. I do not feel that the TCN USERS
SHOULD BE PENALISED FOR WEAKNESSES IN YOUR SYSTEM SECURITY, and this is
something I feel very strongly about. As I see it, it is your fault, and
you should take the responsibility. Please forget this bullshit about the
users having weak passwords, since I can obtain the password for just about any
account, no matter what password is being used.
There are a lot of people like me that know about the dialcom weaknesses,
and are exploiting these accounts, and I really would like to see TCN
subscribers be refunded any excessive costs due to their activities.
If you continue to exploit your users in this way, I will have to bring
this matter to the media, and demonstrate just how easy it is to gain
access to mail and private files of your government and other subscribers.
Again I urge you to do the right thing by your customers.
As an example I am bringing to your attention a certain account such as
MONICA and other in-house system accounts. What are they, level 5?
Catch Ya Later
----====} THE FORCE {====----
To: MICHAELR (6007:MICHAELR)
Cc: M.HULBERT (MARK)
From: M.HULBERT (MARK) Delivered: Thu 20-Oct-88 6:38 Sys 198 (79)
Subject: Reply to: TCN051
Mail Id: IPM-198-881020-059720001
Mike,
I was noting the carryings-on as they were in progress
on Saturday. I copied the file as the Force was generating
it. The two individuals are coming in from the
Australian continent somewhere. They look to be coming in
via an US Telenet address but that is not the case. Both are
19 years old and are working on a special project to
document all of the NUAs in the world.
An ambitious project at that.
Now you have really put these two individuals out! You had
promised them a free account and then took it away from them.
That made them mad hence the "mail barrage" from system 41.
These characters have more nerve than any I have seen so far.
They have no respect for the business people. In addition, they
are using the long distance phone system to make free
calls. They talked with our client here in the states for some
3 1/2 hours on Saturday morning - our time.
They apparently have the codes for gaining free access to
your phone systems.
Unfortunate that you do not have any legal alternatives
available to you in Australia. A couple of arrests
tends to inhibit such activity.
Thanks for the note and the interest. We have apprised Telenet
of the activity and they are looking into how what and
wherefore they are cheating on their network as well.
Mark
From: M.ROSENBERG (MICHAELR) Delivered: Sun 16-Oct-88 23:29 EDT Sys 6007
To: M.HULBERT (MARK)
Subject: TCN051
Mail Id: IPM-6007-881016-211400001
To: EIM004 (10074:EIM004)
To: BTG-DIA (10080:BTG-DIA)
To: BTG005 (10080:BTG005)
To: BTG072 (10080:BTG072)
To: DKE237 (12271:DKE237)
To: DPT258 (12271:DPT258)
To: DPT999 (12271:DPT999)
To: MSE001 (12271:MSE001)
To: MNL012 (12427:MNL012)
To: SADM (12427:SADM)
To: JUKKAI (12762:JUKKAI)
To: LEENAS (12762:LEENAS)
To: MARKKUV (12762:MARKKUV)
To: ROM001 (13065:ROM001)
To: TLO202 (13065:TLO202)
To: TLO300 (13065:TLO300)
To: DAC100 (152:DAC100)
To: SEM012 (152:SEM012)
To: SEM015 (152:SEM015)
To: CROWE (198:CROWE)
To: JOEA (198:JOEA)
To: MARK (198:MARK)
To: TOMS (198:TOMS)
To: CNP007 (2022:CNP007)
To: CNP343 (2022:CNP343)
To: CNP365 (2022:CNP365)
To: CNP517 (2022:CNP517)
To: FTZ007 (3015:FTZ007)
To: MNH001 (3015:MNH001)
To: RJS001 (3015:RJS001)
To: LADWIG (3069:LADWIG)
To: SEL008 (3069:SEL008)
To: AMI (5006:AMI)
To: AMOS (5006:AMOS)
To: FIFI (5006:FIFI)
To: IPR013 (5825:IPR013)
To: IPR023 (5825:IPR023)
To: NZP019 (6009:NZP019)
To: KDM301 (7014:KDM301)
To: KDM404 (7014:KDM404)
To: CAW003 (8088:CAW003)
To: CAW065 (8088:CAW065)
To: HQT127 (8810:HQT127)
To: SVC004 (8810:SVC004)
Bc: MICHAELR
From: C.HAPANGAMA (OTC264) Delivered: Tue 29-Mar-88 17:14 AEST Sys 6008 (33)
Subject: Security threat : OTC
Mail Id: IPM-6008-880329-155130552
To: All Dialcom Licensees.
CONFIDENTIAL
------------
OTC has determined that the hacker who has delivered the threat to us
has been using a unique NTN (505235689996) for hacking when he does
not have access to a hacked account on OTC's Dialcom system.
The hacker may have used this NTN in addition to netlinking from our systems
to access other Dialcom systems, which he has claimed. If indeed the hacker
used this method of access, it will be easily identifiable through NUSAGE.
OTC suggests that you determine if any accounts have been accessed from the
address 505235689996 by running NUSAGEs. Any ids found will most likely have
been hacked.
Our systems' addresses are 5053200000, 5053200001 and 5053200050. Most calls
made to ids from these addresses using netlink may of course be valid users.
The hacker could have accessed other systems from the many VAXs and PRIMEs
to which he supposedly has access, but these are of course unknown to us.
If any ids on your systems are found to have been hacked from Australia could
you please supply to me, 6008:OTC264, any information which you would consider
helpful to OTC.
Regards,
Channa Hapangama
Technical Support Manager, Value Added Business.
OTC.
To: MARK (198:MARK)
Cc: EIM004 (10074:EIM004)
Cc: BTG-DIA (10080:BTG-DIA)
Cc: BTG005 (10080:BTG005)
Cc: BTG072 (10080:BTG072)
Cc: DKE237 (12271:DKE237)
Cc: DPT258 (12271:DPT258)
Cc: DPT999 (12271:DPT999)
Cc: MSE001 (12271:MSE001)
Cc: MNL012 (12427:MNL012)
Cc: SADM (12427:SADM)
Cc: JUKKAI (12762:JUKKAI)
Cc: LEENAS (12762:LEENAS)
Cc: MARKKUV (12762:MARKKUV)
Cc: ROM001 (13065:ROM001)
Cc: TLO202 (13065:TLO202)
Cc: TLO300 (13065:TLO300)
Cc: DAC100 (152:DAC100)
Cc: SEM012 (152:SEM012)
Cc: SEM015 (152:SEM015)
Cc: CROWE (198:CROWE)
Cc: JOEA (198:JOEA)
Cc: TOMS (198:TOMS)
Cc: CNP007 (2022:CNP007)
Cc: CNP343 (2022:CNP343)
Cc: CNP365 (2022:CNP365)
Cc: CNP517 (2022:CNP517)
Cc: FTZ007 (3015:FTZ007)
Cc: MNH001 (3015:MNH001)
Cc: RJS001 (3015:RJS001)
Cc: LADWIG (3069:LADWIG)
Cc: SEL008 (3069:SEL008)
Cc: AMI (5006:AMI)
Cc: AMOS (5006:AMOS)
Cc: FIFI (5006:FIFI)
Cc: IPR013 (5825:IPR013)
Cc: IPR023 (5825:IPR023)
Cc: NZP019 (6009:NZP019)
Cc: KDM301 (7014:KDM301)
Cc: KDM404 (7014:KDM404)
Cc: CAW003 (8088:CAW003)
Cc: CAW065 (8088:CAW065)
Cc: HQT127 (8810:HQT127)
Cc: SVC004 (8810:SVC004)
Bc: M.ROSENBERG (MICHAELR)
From: STEVEB Delivered: Mon 28-Mar-88 15:57 AEST Sys 6008 (72)
Subject: Reply to: Security Threat to the Dialcom Community
Mail Id: IPM-6008-880328-143680409
In Reply To: IPM-198-880326-088730001
To: Dialcom Licensees
On Friday 25 March, Dialcom U.S. advised you that OTC had experienced a
particular hacking problem and that further advice would be given as to OTC's
approach to this matter.
OTC requests that all licensees, until further notified, please keep the
information concerning this particular hacking problem confidential and at the
highest level in your organisations and, further, that no public statement be
made until OTC advises.
The OTC contact point on this matter is:
Mr. C. Hapangama
Mail Box No. 6008:OTC264
Business Telephone: 61.2.287 5857
Home Telephone : 61.2.481 8997
Regards,
D. BRAWN
Chief Manager - Products Business
OTC
P.S. Would all licensees please mail a contact name and telephone number
to Mr. Hapangama so that you may be contacted if the need arises due to an
emergency situation.
From: M.HULBERT (MARK) Delivered: Sat 26-Mar-88 9:51 Sys 198
To: STEVEB
Subject: Security Threat to the Dialcom Community
Mail Id: IPM-198-880326-088730001
Our licensee in Australia, OTC, has been penetrated by
a hacker who claims to have access to about 100
Dialcom accounts on systems such as BT Gold, Primecom,
Telebox, Goldnet, Dialcom and so forth.
Interestingly enough, the hacker claims that he has additional
access to both Prime and Vax systems which he can program
to commence sending thousands of mail messages to every
customer account that he knows about.
His request is that OTC give him six free mailboxes or he
will launch his mail inundation upon the Dialcom community.
We do not know the degree of capability to carry out such a
threat but certainly, if perpetrated, it could have significant
implications on each of us. From a security viewpoint, we
should expect that the messages will show hostility and operationally,
they could clog our networks and systems and increase our network
expense and response times.
We are pursuing this issue with OTC and will inform each of you as
additional information develops. If you note any problems of
a similar nature, please inform all addressees as to your findings.
We are developing defense strategies in conjunction with OTC and
will keep you abreast of the activities as they are unfolding.
Mark Hulbert
Director, Operations Planning
Fo: MICHAELR
Fo: STEVEB
From: C.HAPANGAMA (OTC264) Delivered: Mon 28-Mar-88 11:02 AEST Sys 6008 (107)
Subject: Reply to: Hacker threat to Keylink-Dialcom.
Mail Id: IPM-6008-880328-099350092
From: M.HULBERT (MARK) Delivered: Sat 26-Mar-88 4:41 Sys 198
To: C.HAPANGAMA (OTC264)
Subject: Reply to: Hacker threat to Keylink-Dialcom.
Mail Id: IPM-198-880326-042280001
Channa,
I will look into the source of the hacking from our end here
to determine if we can isolate the hacker on our end.
The real concern is whether or not you may bring the
resources of the local law enforcement authorities
to bear on this issue to assist you. The biggest problem
is the tracking of the source. If the access is from
a dialup rotor in your network, the capability to trace
the calls may be your best capability to identify the
source of your hacking. I have worked very closely with
the US Secret Service on just such an instance and have
recently concluded the effort with the arrest of the
hacker by the Secret Service. I suggest that if the laws
of your country make electronic data theft a crime,
you should pursue this with the authorities. If that
is not a crime, then the possibility of extortion may be a means
that you may employ to gain the assistance of the
law enforcement authorities.
In addition, depending on your relationship with the local
telephone company, you may be able to initiate a trace
without the benefit of the law enforcement folks. That
would allow you to monitor the particular IDs that
the user hacks and start the trace based upon the
access line (or PAD port) that the call came in on.
I also suggest that you identify the hacker's profile. Most have
a particular characteristic that you can use to track and
trace the user's activity. It may be time of day that the
accesses occur, particular accounts, the network address from
which the accesses occur, particular commands not normally
used by clients etc. I have found that net-talk is one that
the hackers on our end like. They also like to upload and
download files of software to each other. In addition, they
set up sub directories which have the latest and greatest of
information on the hacking community activities and
at least in my experience, we have seen them solicit
others to join them in sessions on the hacked ID.
I found that it was better to move the user from the
hacked ID to a new ID and leave the old ID in place to
track the activity of the hacker. It provided data on what other
IDs he/she may have hacked since they tended to connect to other
IDs from a central ID.
We will be glad to assist you as you move on this problem.
Please provide any information or questions that you may
have to me with a copy to Gideon Amir, 98:Gideon.
From: C.HAPANGAMA (OTC264) Delivered: Fri 25-Mar-88 0:40 EST Sys 6008
To: M.HULBERT (MARK)
Subject: Hacker threat to Keylink-Dialcom.
Mail Id: IPM-6008-880325-006130001
Mr. Joe Antonellis
Division Vice President,
Dialcom International.
ANALYSIS OF HACKER'S THREAT TO KEYLINK-D
----------------------------------------
On the 25th March 1988, 11:45 AEST, Mr J. Antonellis of Dialcom
was advised that OTC had received a threat from a hacker.
This message is to formally advise Dialcom of the nature of the
threat in which the hacker claimed:
1) The hacker claims to have access to about 100 Dialcom accounts on BT GOLD,
PRIMECOM, TELEBOX, GOLDNET etc.
2) The hacker intends using these accounts to send thousands of mail
to all of the customer accounts on our systems of which he is aware and
which OTC believes is quite extensive.
The hacker threatens to do this for as many weeks as required
until OTC succumbs and delivers the hacker six free mailboxes.
3) The hacker claims to have access to other PRIMEs and VAXs which he can
program to do this feat without his intervention, which we believe.
The hacker accesses the OTC Dialcom system by using Austpac dial-up
and less frequently, from OTC Data Access dial-up. The hacker uses a common
NUI which is used for access by all our dial-up customers.
This message was sent to OTC from 157:AGS325 at 22:13 3/24/88 AEST, which we
believe has been hacked.
OTC and Telecom (Aust.) are reviewing this situation and expect
to further advise Dialcom Inc. of our intentions by Monday 3/28/88.
Please note these contacts in OTC re this situation:
Legal : Ros Robertson Aust 2-287 5204 6008:OTC383
System : Channa Hapangama 2-287 5857 6008:OTC264
Commercial : David Brawn 2-287 5960 6008:OTC033
Gary Donald 2-287 5990 6008:OTC003
Facsimile : 2-287 4435
Channa Hapangama
Technical Support Manager, Value Added Business.
OTC
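A defender-side illustration of two ideas in the messages above: the NUSAGE check in OTC's advisory (flag any id reached from the hacker's NTN 505235689996) and Mark Hulbert's advice to profile sessions by time of day, calling address and commands clients do not normally use. This is an added example, not code from the archive, OTC or Dialcom; the usage-record format, the id names, the local-time offset and the business-hours window are assumptions, and the sample records are constructed.

```python
from datetime import datetime

# Constructed sample usage records, one session per line:
#   <system:id> <calling NTN> <start time, GMT> <commands used, comma separated>
# The NTNs 505235689996 (hacker) and 50532000xx (OTC systems) come from the
# advisory above; the ids, times and command lists are invented.
SAMPLE_USAGE = """\
6008:JND042 5053200000 1988-09-20T02:10 MAIL,READ
6008:JND042 505235689996 1988-09-21T13:40 NETLINK,NETLINK,NETLINK
6008:OTC031 5053200001 1988-09-21T00:05 MAIL,SCAN
6008:JND017 5053200050 1988-09-22T15:12 NETLINK,TALK
6008:OTC031 5053200050 1988-09-22T01:30 MAIL
"""

SUSPECT_NTNS = {"505235689996"}          # the unique NTN named in the advisory
UNUSUAL_COMMANDS = {"NETLINK", "TALK"}   # net-talk and onward netlinking (Hulbert)
LOCAL_OFFSET_HOURS = 10                  # assumption: AEST is GMT+10
BUSINESS_HOURS = range(8, 18)            # assumption: normal client hours, local


def parse_usage(text):
    """Parse the constructed record format into a list of session dicts."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ident, ntn, start, cmds = line.split()
        sessions.append({
            "id": ident,
            "ntn": ntn,
            "start": datetime.strptime(start, "%Y-%m-%dT%H:%M"),
            "commands": cmds.split(","),
        })
    return sessions


def session_indicators(session):
    """Return the list of profile indicators a single session trips."""
    reasons = []
    if session["ntn"] in SUSPECT_NTNS:
        reasons.append("suspect-ntn")
    local_hour = (session["start"].hour + LOCAL_OFFSET_HOURS) % 24
    if local_hour not in BUSINESS_HOURS:
        reasons.append("out-of-hours")
    odd = sorted(set(session["commands"]) & UNUSUAL_COMMANDS)
    if odd:
        reasons.append("unusual-commands:" + "+".join(odd))
    return reasons


def triage(text):
    """Map each id to its flagged sessions as (start, ntn, reasons) tuples."""
    report = {}
    for s in parse_usage(text):
        reasons = session_indicators(s)
        if reasons:
            report.setdefault(s["id"], []).append(
                (s["start"].strftime("%Y-%m-%d %H:%M GMT"), s["ntn"], reasons))
    return report


def likely_hacked(report):
    """Ids reached from a suspect NTN at all: the advisory's own test."""
    return {ident for ident, hits in report.items()
            if any("suspect-ntn" in reasons for _, _, reasons in hits)}


if __name__ == "__main__":
    result = triage(SAMPLE_USAGE)
    for ident, hits in sorted(result.items()):
        for start, ntn, reasons in hits:
            print(f"{ident} {start} from {ntn}: {', '.join(reasons)}")
    print("likely hacked:", sorted(likely_hacked(result)))
```

Sessions flagged only as out-of-hours or for NETLINK use from an OTC address are the "may of course be valid users" case in the advisory and need a follow-up with the id's owner rather than an automatic shutdown.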
To: JOEA (198:JOEA)
Cc: DM (198:DM)
Cc: MARK (198:MARK)
Bc: MICHAELR
From: C.HAPANGAMA (OTC264) Delivered: Fri 25-Mar-88 15:39 AEST Sys 6008 (44)
Subject: Hacker threat to Keylink-Dialcom.
Mail Id: IPM-6008-880325-140990869
To: BERTA (198:BERTA)
To: MARK (198:MARK)
Cc: S.BERLECKY (STEVEB)
From: M.ROSENBERG (MICHAELR) Delivered: Mon 31-Oct-88 11:37 AEDT Sys 6007 (57)
Subject: UK security
Mail Id: IPM-6007-881031-104601171
Berta, Mark,
While watching another German chat host, I observed the following
conversation:
1 0 Hp3000's guest Saber's.Edge
4 0 023427730040500 shatter shatter
5 0 uucpland guest uucico
6 0 guest
<4> shatter says: saber: i need the proper nua -- i will swop 4 full access to system 72
<1> Saber's.Edge says: well thats the proper nua..
<1> Saber's.Edge says: or if your in the usa its 301346
<4> shatter says: ghal: thnx -- the system 72 is 023421920100472
<4> shatter says: id mag33023 neemg23
<1> Saber's.Edge says: thanks ..
<1> Saber's.Edge says: what id do you have on the d46?
<4> shatter says: saber: none yet -- i am going to hack it l8er
<1> Saber's.Edge says: not the pw but the Z{d..
<1> Saber's.Edge says: not that great of a system.. i have a few accounts on it
now..
<4> shatter says: saber: i have hacked the uk dialcoms and now working on the others
.sx
<1> Saber's.Edge says: well don't fuck up all the dialcoms..
<4> shatter says: saber: am turning system 72 in2 a pad
No Chan From User Called
1 0 Hp3000's guest Saber's.Edge
4 0 023427730040500 shatter shatter
5 0 uucpland guest uucico
6 0 guest
<1> Saber's.Edge says: also don't tell ANYONE how to hack them..
<1> Saber's.Edge says: i've heard about the Australian's problems once people found out how to hack Dialcom's..
<4> shatter says: saber: i won't -- but just need to attach them all from the uk 4 a major hack l8er
<1> Saber's.Edge says: don't fuck up the USA's Dialcom's..
+++ <0> molinari +++
<4> shatter says: saber: i won't -- don't worry -- just wanna nick some sw
<0> molinari says: puach..
--- <0> molinari ---
--- <4> shatter ---
--- <4> shatter ---
--- <5> uucico ---
.sx
No Chan From User Called
1 0 Hp3000's guest Saber's.Edge
6 0 guest
The id given on 72 is valid, I tried it. Please ignore any accesses from
5053200000 between 00:00 and 01:00 GMT on 31/10 because that was me checking
if it was true. I don't know where that NTN 023427730040500 is, I get invalid
address when I call it. It could well be an NUI that he has. That number
can be changed by the user so it may not be a valid address at all. I have
heard claims from other hackers that they have accessed source code from US
dialcoms when they didn't know who I was.
Regards,
Michael.
Fo: M.ROSENBERG (MICHAELR)
Fo: OTC264
From: S.BERLECKY (STEVEB) Delivered: Tue 18-Oct-88 15:12 AEST Sys 6007 (58)
Subject: SWISS PAVILION EXPO HACKER PROBLEM
Mail Id: IPM-6007-881018-136940425
for your perusal, steve
mike, do not ring the swiss guy until you talk to channa or me.
From: J.PURDY (OTC288) Delivered: Tue 18-Oct-88 14:57 AEST Sys 6007
To: S.BERLECKY (STEVEB)
Subject: SWISS PAVILION EXPO HACKER PROBLEM
Mail Id: IPM-6007-881018-134620160
STEVE,
THE X121 CALLED WAS 026245911010290
ITS SOME SORT OF BULLETIN BOARD WITH PEOPLE CHATTING ON IT IN NUREMBERG IN
GERMANY. IF U WANT TO LOG ON USE THE PASSWORD "GAST" (MEANS GUEST IN GERMAN)
SO PETER MOLL (THE EXPO SWISS PAVILION ASSISTANT MANAGER) TELLS ME
SHORTLY AFTER HE LOGGED ON HE RECEIVED THE FOLLOWING
"AUSTPAC SECURITY
YOU SHOULD HAVE ENTERED
-?N AND 12 CHARACTERS"
THEN FOLLOWED MORE PEOPLE CHATTING.
THEN AGAIN
"AUSTPAC SECURITY
WOT WERE THE EXACT 12 CHARACTERS YOU TYPED"
PETER MOLL THEN SED
"PLS IDENTIFY YOURSELF "
RESPONSE WAS
"AUSTPAC SECURITY
WOT ACCOUNT CODE EXACTLY DID YOU ENTER"
PETER MOLL RESPONSE
"PLSE IDENTIFY YOURSELF"
RESPONSE WAS
"MICHAEL ROSENBURG"
PETER MOLL SED
"WHAT IS PROBLEM"
RESPONSE WAS
"AUSTPAC - OTC SECURITY
TO WHISPER IT TO ME "
(APPRS USING THIS BULLETIN BOARD BY HITTING A FUNCTION KEY OR SOMETHING
THEY CAN SEND TO ANOTHER PERSON WITHOUT THE OTHER USERS SEEING IT
(I.E. WHISPERING IT))
PETER MOLL'S RESPONSE WAS
"PLSE CALL ME ON 846-4017"
THE SYSTEM THEN LOCKED UP
AND THAT WAS THE END OF IT.
HOPE IT'S OF SOME ASSISTANCE
TO YOU.....
I THORT PETER MOLL WAS SOMEWHAT ASTUTE IN NOT DIVULGING HIS NUI (HE HAS
AN ADDITIONAL DIAL UP NUI TO HIS X28 LINK)
IF U OR MICHAEL NEED TO CONTACT HIM HIS NBR IS
PETER MOLL SWISS PAVILION EXPO 88 07 8464017. HE IS A VERY APPROACHABLE GUY
AND WE HAVE WORKED CLOSELY WITH HIM AT EXPO, HOLDING DATA ACCESS SEMINARS
ETC AT THE SWISS PAVILION
I AM QUITE SURE HE WOULD NOT BE A PARTY TO ANY HACKING ACTIVITIES HIMSELF.
GIVE MY REGARDS TO MICHAEL HOPE HE IS FEELING BIT BETR
RGDS
JOHN PURDY BRISBANE OFFICE
To: MARK (198:MARK)
Cc: BERTA (198:BERTA)
Cc: DM (198:DM)
Bc: M.ROSENBERG (MICHAELR)
From: S.BERLECKY (STEVEB) Delivered: Mon 10-Oct-88 18:52 AEST Sys 6007 (20)
Subject: HACKING
Mail Id: IPM-6007-881010-169901197
Mark,
Thank you for your help this morning concerning the id UDP081. We decided
to allow system 141 to talk to system 6007 again this afternoon, as soon
as we re-opened this path the letters started flowing in again except this
time they were from UDP080. We have closed this path again. Could I ask
you to scan the whole UDP account and possibly the whole TCN account
on system 141 as these seem to be a source of illegal use. Michael Rosenberg
detected TCN178 and UDP080 being used from the address 31102050001801.
You may want to scan on this address as well.
As far as the last few days effort goes there were 4339 messages sent
from UDP081 to our systems, only about 160 hit real accounts on our systems
and only 13 out of these 160 actually read the item. We have deleted the other
147 letters off our system. We are also contacting the 13 that have read
this item.
Thanks again for your help and waiting to hear from you if you come up
with anything.
Regards Steve Berlecky (6007:steveb)
To: MICHAELR (6007:MICHAELR)
Cc: R.BARNACK (BERTA)
From: M.HULBERT (MARK) Delivered: Mon 31-Oct-88 11:48 Sys 198 (69)
Subject: Reply to: UK security
Mail Id: IPM-198-881031-106230001
Thanks much Mike. I will get this to the UK for them to act on
it in the morning.
I will review it a bit more then as well.
Mark
From: M.ROSENBERG (MICHAELR) Delivered: Sun 30-Oct-88 19:37 EST Sys 6007
To: M.HULBERT (MARK)
Subject: UK security
Mail Id: IPM-6007-881030-176580001
Berta, Mark,
While watching another German chat host, I observed the following
conversation:
1 0 Hp3000's guest Saber's.Edge
4 0 023427730040500 shatter shatter
5 0 uucpland guest uucico
6 0 guest
<4> shatter says: saber: i need the proper nua -- i will swop 4 full access to system 72
<1> Saber's.Edge says: well thats the proper nua..
<1> Saber's.Edge says: or if your in the usa its 301346
<4> shatter says: ghal: thnx -- the system 72 is 023421920100472
<4> shatter says: id mag33023 neemg23
<1> Saber's.Edge says: thanks ..
<1> Saber's.Edge says: what id do you have on the d46?
<4> shatter says: saber: none yet -- i am going to hack it l8er
<1> Saber's.Edge says: not the pw but the Z{d..
<1> Saber's.Edge says: not that great of a system.. i have a few accounts on it
now..
<4> shatter says: saber: i have hacked the uk dialcoms and now working on the others
.sx
<1> Saber's.Edge says: well don't fuck up all the dialcoms..
<4> shatter says: saber: am turning system 72 in2 a pad
No Chan From User Called
1 0 Hp3000's guest Saber's.Edge
4 0 023427730040500 shatter shatter
5 0 uucpland guest uucico
6 0 guest
<1> Saber's.Edge says: also don't tell ANYONE how to hack them..
<1> Saber's.Edge says: i've heard about the Australian's problems once people found out how to hack Dialcom's..
<4> shatter says: saber: i won't -- but just need to attach them all from the uk 4 a major hack l8er
<1> Saber's.Edge says: don't fuck up the USA's Dialcom's..
+++ <0> molinari +++
<4> shatter says: saber: i won't -- don't worry -- just wanna nick some sw
<0> molinari says: puach..
--- <0> molinari ---
--- <4> shatter ---
--- <4> shatter ---
--- <5> uucico ---
.sx
No Chan From User Called
1 0 Hp3000's guest Saber's.Edge
6 0 guest
The id given on 72 is valid, I tried it. Please ignore any accesses from
5053200000 between 00:00 and 01:00 GMT on 31/10 because that was me checking
if it was true. I don't know where that NTN 023427730040500 is, I get invalid
address when I call it. It could well be an NUI that he has. That number
can be changed by the user so it may not be a valid address at all. I have
heard claims from other hackers that they have accessed source code from US
dialcoms when they didn't know who I was.
Regards,
Michael.
To: MICHAELR (6007:MICHAELR)
From: M.HULBERT (MARK) Delivered: Sun 16-Oct-88 1:38 Sys 198 (22)
Subject: Reply to: TCN051
Mail Id: IPM-198-881016-014820001
MIKE,
Thanks for the info. I have had Operations watching for
any activity and I did get on and check on what was going
on as well at about 06:50 our time this morning.
I had a brief chat session with him on line but he was
very cautious. It was THE FORCE and he didn't open up
too much.
I will look at the files shortly.
Mark
From: M.ROSENBERG (MICHAELR) Delivered: Sat 15-Oct-88 6:44 EDT Sys 6007
To: M.HULBERT (MARK)
Subject: TCN051
Mail Id: IPM-6007-881015-060630001
TCN051 on system 41 has been hacked. If he has deleted the files on his account,
I copied them to 98:otc-all>tcn051. I noticed him on at 6:43 am on 10/15.
Michael.
To: MICHAELR (6007:MICHAELR)
From: M.HULBERT (MARK) Delivered: Fri 14-Oct-88 0:39 Sys 198 (22)
Subject: Reply to: TCN098
Mail Id: IPM-198-881014-005910001
Alan,
The number of minutes was for a one week extract of our bill since
it was too time consuming to perform a full month's review.
If you expand them by about 4.33 - you should be close. Our international
traffic minutes for the August timeframe was about 38K minutes
Mark
From: M.ROSENBERG (MICHAELR) Delivered: Thu 13-Oct-88 4:42 EDT Sys 6007
To: M.HULBERT (MARK)
Subject: TCN098
Mail Id: IPM-6007-881013-042410001
TCN098 was hacking this morning. I informed ops via Lillian who clobbered him.
I copied some of his files before he deleted them (he was making files and
then deleting them) to otc-all>tcn098 but he no doubt had made more when
he was hit so you'll have them. The hacker who called from the states
last night gave the name SAM MONICA who said he was from Dialcom, system 41.
Obviously not his real name but does it mean anything to you?
Michael
To: MICHAELR (6007:MICHAELR)
Cc: STEVEB (6007:STEVEB)
Cc: M.HULBERT (MARK)
From: M.HULBERT (MARK) Delivered: Mon 10-Oct-88 22:29 Sys 198 (37)
Subject: Reply to: hacker on 41
Mail Id: IPM-198-881010-202440001
Mike,
I note a pattern with the hackers. I shut down the SCX account
access on Saturday since I noted the activity there.
If a hacker breaks into an account, they use the directory for
the account to:
a. Get a list of the approved accounts on the systems
b. Use the directory as a source of passwords. I have noted
that names organizational abbreviations etc do map to the
user's passwords.
Once they are into an account prefix, they usually find several
easily accessed accounts. In addition, they do not bang on an
ID more than a couple or three times so as to not raise our
Operations folks awareness of an attempt to penetrate.
Mark
From: M.ROSENBERG (MICHAELR) Delivered: Sat 8-Oct-88 22:49 EDT Sys 6007
To: M.HULBERT (MARK)
Subject: hacker on 41
Mail Id: IPM-6007-881008-205390001
Mark,
I found that 41:TCN181 was hacking on 10/6 at 2:44 GMT netlinking to
altos. He was one of my hackers (aust.) and came from 26245724740132.
If this guy, and/or any others have been netlinking back to aust, I could
really use that info because he is getting passwords from somewhere that I
haven't found yet, presumably with his netlinking to pads/tielines trick.
There was another TCN on at the same time as Phoenix (hacker's alias) netlinking
to a telenet address. Interesting the way they have so many on the
one account group. e.g. 52:scx.
Thanks,
Michael.
To: MICHAELR (6007:MICHAELR)
From: M.HULBERT (MARK) Delivered: Sat 8-Oct-88 11:20 Sys 198 (52)
Subject: Reply to: Reply to: not him again
Mail Id: IPM-198-881008-102090001
Mike,
The crew is not just your area - I have seen them coming in from
the West Coast area of the US as well.
Will be sorting it out this weekend and will advise you more.
Mark
From: M.ROSENBERG (MICHAELR) Delivered: Thu 6-Oct-88 19:31 EDT Sys 6007
To: M.HULBERT (MARK)
Subject: Reply to: not him again
Mail Id: IPM-6007-881006-175700001
Mark,
The address stated in this is not quite correct; I was quoting it from memory.
The address was 505233589998 (not 9996), but you would have found that from
one nusage anyway.
Michael.
From: M.HULBERT (MARK) Delivered: Fri 7-Oct-88 3:20 Sys 198
Forward: M.ROSENBERG (MICHAELR)
Subject: not him again
Mail Id: IPM-198-881007-030120001
Mike,
Thanks for the warning. I will get back to you later
this evening.
Mark
From: R.BARNACK (BERTA) Delivered: Thu 6-Oct-88 13:02 EDT Sys 198
Forward: M.HULBERT (MARK)
Subject: not him again
Mail Id: IPM-198-881006-117340135
this should be it.
berta
From: M.ROSENBERG (MICHAELR) Delivered: Thu 6-Oct-88 8:54 EDT Sys 6007
To: R.BARNACK (BERTA)
Subject: not him again
Berta,
I identified some hacked accounts as (52)scx027 coming from 505233589996,
and I called dialcom operations and notified them of same. I still don't
know if there are more on 52 (they certainly claim to have lots more).
I would certainly look for any access by that address. I didn't find out about
any on 41.
Michael
Fo: MICHAELR (6007:MICHAELR)
Cc: M.HULBERT (MARK)
From: M.HULBERT (MARK) Delivered: Fri 7-Oct-88 3:20 Sys 198 (27)
Subject: not him again
Mail Id: IPM-198-881007-030120001
Mike,
Thanks for the warning. I will get back to you later
this evening.
Mark
From: R.BARNACK (BERTA) Delivered: Thu 6-Oct-88 13:02 EDT Sys 198
Forward: M.HULBERT (MARK)
Subject: not him again
Mail Id: IPM-198-881006-117340135
this should be it.
berta
From: M.ROSENBERG (MICHAELR) Delivered: Thu 6-Oct-88 8:54 EDT Sys 6007
To: R.BARNACK (BERTA)
Subject: not him again
Berta,
I identified some hacked accounts as (52)scx027 coming from 505233589996,
and I called dialcom operations and notified them of same. I still don't
know if there are more on 52 (they certainly claim to have lots more).
I would certainly look for any access by that address. I didn't find out about
any on 41.
Michael
To: MARK (198:MARK)
From: M.ROSENBERG (MICHAELR) Delivered: Tue 22-Nov-88 17:49 AEDT Sys 6007 (17)
Subject: Hackers on 46
Mail Id: IPM-6007-881122-160360329
Mark,
I think that you will find that 46:ltl492 and 46:fmt004 have been hacking
furiously lately. If you can wait a couple of days before killing them, it
would be better for me because I think the guy knows that I saw him on
altos and if the account is killed straight away he will know that it was me.
I think that the hacker is the one who knows my home number/address etc and
don't want to get him upset with me. I am trying to make him think that
I have stopped chasing hackers. Are the network addresses from which he
comes (not the Australian ones) Telenet dial-up ports? If they are, then
it would be nice if Telenet could get in touch with Telecom Aust. here
because I know a guy in Telecom who wants to bust these guys for telephone
fraud, because they are getting free phone calls to the states!!! Would Telenet
be interested??
Let me know what you find?
Thanks,
Michael.
To: MARK (198:MARK)
From: M.ROSENBERG (MICHAELR) Delivered: Sat 3-Dec-88 9:55 AEDT Sys 6007 (7)
Subject: Hacker? on 78
Mail Id: IPM-6007-881203-089380919
Mark,
on the 11/30 or 12/1 (I can't remember) I saw someone on altos
coming from 23421920100478, which is sys 78. I can't remember the times
or dates but they more than likely would have been netlinking to
26245890040004. Would you forward this message to BT?
Thanks,
Michael.
To: BERTA (198:BERTA)
From: M.ROSENBERG (MICHAELR) Delivered: Fri 9-Dec-88 11:25 AEDT Sys 6007 (30)
Subject: Security
Mail Id: IPM-6007-881209-102761316
Berta,
I managed to use network_define to effectively disable a terminal by
setting the PAD parameters to appropriate values. A very messy solution but
effective in the interim.
The security problem which I was trying to tell you was this one:
At the moment, the OS will look in login>sons for the ufd name of a user logging
in. If found, it will execute the specified command, which is the way AOSLOGIN
is run. I have been using that means to enforce other restrictions on our
inhouse users and certain hacked accounts. However, the problem is that
if the user strikes BREAK as he logs in, the OS does not look in SONS but
goes into command mode, thus avoiding any security that should be applied to
that account. This includes any menu.ctl settings which AOSLOGIN would set
on a user.
I suggest that the OS not be allowed to be interrupted during the login phase
until after a command file in SONS has been executed. Generally, I mean
that we should be able to force a user to execute an external command that we
may wish him to, even if he tries to avoid this by breaking out of the
login procedure.
This would be very handy to me to enforce extra security restrictions on
inhouse accounts. It works fine for normal users, but my hackers know about this
window, and I can't put any more security on them except seclevs.
Is this possible? What does Fritz say?
Thanks,
Michael.
From: R.MYERS (BERTA) Delivered: Thu 22-Dec-88 6:00 Sys 198
Forward: S.BERLECKY (STEVEB)
Subject: Reply to: trace facilities
Mail Id: IPM-198-881222-054030001
Here you go... words of Fritz..
berta.
From: F.THANE (FRITZ) Delivered: Wed 21-Dec-88 11:51 EST Sys 198
To: R.MYERS (BERTA)
Subject: Reply to: trace facilities
Mail Id: IPM-198-881221-106700986
In Reply To: IPM-198-881221-081340993
While such trace facilities would be nice, they do not exist in
the present version of the O/S. In fact, they never have existed
because of memory requirements. I had a trace function in rev 18
at one point that only saved the frame/packet header information.
In order for the system to be able to retrieve that info, approximately
256 frames had to be saved because of the speed with which they
would arrive.
From: R.MYERS (BERTA) Delivered: Wed 21-Dec-88 9:02 EST Sys 198
Forward: F.THANE (FRITZ)
Subject: trace facilities
Can we help these hacked souls......
tks,
berta
From: S.BERLECKY (STEVEB) Delivered: Wed 21-Dec-88 0:58 EST Sys 6007
To: R.MYERS (BERTA)
Subject: trace facilities
Berta,
here is a different question from the usual fax questions....
Michael is trying to track Hackers and has come up with some useful tools
however, we have found a rather large hole in his program and with no way
of remedying it. What I would like to find out from Dialcom and in this
case I probably mean Fritz or Pat is whether there are any ways of tracing
or tapping into (software wise) the x25 or virtual circuit connections.
To put it simply we need to monitor what is happening on the lines and
ports.
I know Dialcom may not want to give this sort of info out or release this
sort of trace facilities, but could I get an answer as to whether it can be done.
We are talking desperate times here, either Dialcom gives me something
or I may have to gag michael from asking me this question 20 times a day.
help needed and wanted, steve
To: OTC264
From: M.ROSENBERG (MICHAELR) Delivered: Thu 29-Dec-88 22:44 AEDT Sys 6007 (5)
Subject: HACKER
Mail Id: IPM-6007-881229-204630463
I DETECTED CEG002 HACKING TONITE, ALTHOUGH HE WAS HACKING ON
IT LAST NITE TOO. I DON'T THINK THAT HE
HAS THE 001 ACCOUNT. I HAVE KILLED CEG002 AFTER KNOCKING HIM OFF..
MIKE..
Fo: MICHAELR (6007:MICHAELR)
Cc: M.HULBERT (MARK)
Cc: R.RUSSIN (ROBERT)
From: M.HULBERT (MARK) Delivered: Wed 23-Nov-88 4:17 Sys 198 (54)
Subject: Reply to: Hackers on 46
Mail Id: IPM-198-881123-038550001
Michael,
We have two addresses in Australia that indicate that
our "friends" are using your network to access our
IDs on the systems here. Here are a couple of numbers to
run against the network addresses and maybe we
can begin to "smoke out" our friends!
505222389941 ( two accesses)
Mark
From: M.HULBERT (MARK) Delivered: Tue 22-Nov-88 8:26 EST Sys 198
To: M.HULBERT (MARK)
Subject: Reply to: Hackers on 46
Mail Id: IPM-198-881122-075980904
In Reply To: IPM-6007-881122-016040001
Thanks - Mike. I have noted the hacking on the FMT account
for the last three weeks but the client is unable to
react to changing the password. We have advised the
sales folks but the PCs associated with the account seem
to be difficult to change the password.
We have advised Telenet and as I indicated before - the FORCE is
entering Telenet via the Birmingham Alabama node in the
US and D.J. Chronos is entering normally via the Santa Barbara
California Telenet node. However, we have not yet been able to
determine how they are doing it. I do suspect that they have
access to a credit card authorization number and may be
using that to reach us.
Mark
From: M.ROSENBERG (MICHAELR) Delivered: Tue 22-Nov-88 1:46 EST Sys 6007
To: M.HULBERT (MARK)
Subject: Hackers on 46
Mark,
I think that you will find that 46:ltl492 and 46:fmt004 have been hacking
furiously lately. If you can wait a couple of days before killing them, it
would be better for me because I think the guy knows that I saw him on
altos and if the account is killed straight away he will know that it was me.
I think that the hacker is the one who knows my home number/address etc and
don't want to get him upset with me. I am trying to make him think that
I have stopped chasing hackers. Are the network addresses from which he
comes (not the Australian ones) Telenet dial-up ports? If they are, then
it would be nice if Telenet could get in touch with Telecom Aust. here
because I know a guy in Telecom who wants to bust these guys for telephone
fraud, because they are getting free phone calls to the states!!! Would Telenet
be interested??
Let me know what you find?
Thanks,
Michael.
To: MICHAELR (6007:MICHAELR)
Cc: R.RUSSIN (ROBERT)
From: M.HULBERT (MARK) Delivered: Thu 23-Mar-89 4:40 Sys 198 (30)
Subject: Reply to: FORCE
Mail Id: IPM-198-890322-122881269
In Reply To: IPM-6007-890321-174760001
Mike,
I haven't seen hide nor hair of the Force or D.J. Chronos.
We continue to sweep the systems on a weekly basis but no
signs of the buggers.
I sense that there are more active police activities in this
area in Australia since there seemed to be a rather active
group attacking credit computers etc as I saw in a US newspaper.
Mark
From: M.ROSENBERG (MICHAELR) Delivered: Tue 21-Mar-89 19:25 EST Sys 6007
To: M.HULBERT (MARK)
Subject: FORCE
Mail Id: IPM-6007-890321-174760001
Mark,
there has been a falling out amongst hackers in Australia, what with
the Federal police chasing after them and I had one telephone me yesterday
with some information.
He told me that the FORCE has now retired due to various reasons.
Have you noticed that the FORCE has stopped?? He hasn't annoyed me for
many months so I don't know. I do believe this guy so I thought that you might
like to know.
Regards,
Michael
To: MARK (198:MARK)
To: ROBERT (198:ROBERT)
Bc: BERTA (135:BERTA)
From: M.ROSENBERG (MICHAELR) Delivered: Wed 9-Aug-89 17:13 AEST Sys 6007 (1016)
Subject: Reply to: Reply to: Reply to: Intruder
Mail Id: IPM-6007-890809-154990609
In Reply To: IPM-198-890808-130321279
I might regret saying this, but what would you say if I said that
I knew who this Australian hacker was, down to address and phone number,
and at one stage had the federal police looking into him, bu
There was much activity about 3-4 months with this guy and various authorities
and he got scared and stopped for a while and I haven't seen hide nor hair
of him on my system since. However, the guys in our packet switching
in whom I provoked much interest have been aware of the above Australian
NTN and when I talked to them today, they were aware that Goldnet has been
suspect for the last 2 months.
I do not know what the status of this guy is with the law here, but if you
express interest (stupid question, but I'll have to ask it) in this guy
from an official position, I will do what I can.
We managed to forget about him because he avoids 6007,6008 and 6009
like the plague because I have recorded his activities so often.
anyway, let me know.
Regards,
Michael Rosenberg.
OTC Australia / Network Innovations
From: R.RUSSIN (ROBERT) Delivered: Wed 9-Aug-89 4:48 Sys 198
To: M.ROSENBERG (MICHAELR)
Subject: Reply to: Reply to: Intruder
Mail Id: IPM-198-890808-130321279
In Reply To: IPM-198-890807-071231114
Hacker Report Summary for May/June/July 1989
------------------------------------------
U.S. Dialcom accounts hit.
50: SIE134 May 3, 7, 15, 23, 29 & 31 penetrated via network address
311080500018xx Telenet Santa Barbara California.
50: SIE169 May 1, 2, 3, 7, 8, 9, 10, 11, 12, 14, 15, 16, 17, 18, 19
21, 22, 24, 25, 27, 29, 30 & 31 penetrated via network address
311080500018xx Telenet Santa Barbara California.
50: SIE110 May 1, 2, 5, 7, 10, 16 - June 1, 2, 3, 4 & 5 penetrated via
network address 311080500018xx Telenet Santa Barbara California and
311080400009xx, 311080400019xx Telenet Richmond Virginia.
The entire account group SIE had their passwords changed on June 6th
by my request to the System Administrator thru the Dialcom Support Rep.
The passwords were changed to 6 character using at least one special
character and not using a common name. The account hasn't been penetrated
since then.
42: IMC096 June 10, 11, 12 penetrated via network address 311080500018xx
Telenet Santa Barbara California, 31102336010404 Telenet Host Computer
unknown. Telenet wouldn't disclose what kind of system it was to Dialcom.
The password was changed on June 12.
42:IMC2371 June 21, 22 & 23 penetrated via network address 311080500018xx
and 31102336010404. The password was changed on June 23.
42:IMC2816 June 23, 24, 25, 26, 27, 28 penetrated via network address
311080500018xx and 31102336010404. The password was changed on June 28.
-------------------------------------------------------------------------------
From the NUSAGE report provided by Ami Hadas 5006:AMI I see that the hacker
launched from 50:SIE110 on June 3, 4 and 5 and gained access to system 05
AIT001. On the U.S side the hacker passed thru this account from the
network address 311080500018xx.
Again from the report I see that the hacker launched from 42:IMC096 on June
11 and 12 and gained access to system 05 AIT001. On the U.S. side the hacker
passed thru this account via the network address 311080500018xx on June 10
to unknown address around the world and to 05 AIT001 on June 11 and 12 via
the network address 31102336010404.
This explains the access to system 05 from both system 50 and 42. However the
main launching pad to system 05 has been via the Telenet network address
311080500018xx in Santa Barbara California and OTC address 505236189937 in
Australia.
Here are the country DNIC numbers the hacker(s) are going to from
the NUSAGE report Ami sent us from system 05 in Israel.
2624 Germany
5053 Australia
4872 Taiwan
2080 France
2284 Switzerland
2342 UK
2382 Denmark
4542 Hong Kong
5252 Singapore
2422 Norway
5052 Australia
2724 Ireland
5301 New Zealand
2322 Austria
-------------------------------------------------------------------------------
In general, my experience with this group of hackers is that they have
a PC setup to process an algorithm which tries to break a known account using
a database list of passwords from a dictionary and also slang words used in
this day and age. Once on they upload from the PC these same databases and other
Prime CPL's they have created to the host system and use this system to launch
their attack on other host systems via the netlink command. In the beginning
when I started working in this area (Sept 88) the hackers would have a habit
of leaving trails behind them example CPL's, input files, databases etc..
In some cases they would create subufd's and keep a backup copy of their files
there as well. They also used common file names such as DEF.CPL, PW.CPL, FILE
DATA, DEF03.CPL, DE3F.CPL, DEF3.CPL, (BACKUP = subufd) and many other ?.CPL
files. After scanning the systems and finding many back doors they had because
of the files they left there, it was easy at first to locate them, remove the
file and have the user change the password to a 6 character one using a special
character in it as well. After a couple months they learned to use different
names for their files since they were onto me locating them by their habit
of file names. Even after that they got smart and only left files on penetrated
accounts that they needed. Any account they needed as a back door they didn't
place any files on it.
Since September 1988 I have been investigating all systems on a weekly basis
for any kind of hacker activity. This was done by looking over unusual system
console readings, NUSAGE runs and of course notifications by support staff
and customers. The information gathered is then used for tracking hackers
such as adding new network address numbers to the nusage runs, examining
files found on penetrated accounts and getting an understanding for how
they think and what they are up to.
Basically they use our systems to penetrate other computer systems and also
to move information around the world from intelligence gathered on those other
systems. This goes for the licensee community as well. I can stop them
from accessing an account of a U.S. Dialcom system and they will then go
to a licensee system or someone else for a while. They know who is the
most vulnerable and who isn't.
If you have any questions on any of this please let me know.
Thanks,
Robert Russin Dialcom Systems Security
From: M.HULBERT (MARK) Delivered: Mon 7-Aug-89 7:54 EDT Sys 198
To: R.RUSSIN (ROBERT)
Subject: Reply to: Intruder
Mail Id: IPM-198-890807-071231114
In Reply To: IPM-198-890807-059120949
Lillian, I have Robert investigating the details and we will
be looking at the circumstances surrounding it. We have seen
two individuals from Australia before - "The Force" and DJ Kronos
who have been active from Australia. Unfortunately, we have
not had great success in gaining cooperation from the Australian
law enforcement folks to track the source there.
We will be reviewing our data tomorrow morning and will get back to you
after that review.
Mark
From: L.WACHBROIT (LILLIANW) Delivered: Mon 7-Aug-89 6:34 EDT Sys 198
Forward: M.HULBERT (MARK)
Subject: Intruder
Mark,
More on the Hacker incident(s) Zohar reported today -- looks very
very serious!
Please let me, Zohar and Ami know how you wish to proceed. (and
whether we need the Aussies involved as well). If you need to
speak to either of them directly, Zohar's number is +972-3-7532418
and Ami's is +972-3-7532419.
Thanks,
Lillian
From: A.HADAS (AMI) Delivered: Mon 7-Aug-89 6:03 EDT Sys 5006
To: L.WACHBROIT (LILLIANW)
Subject: Intruder
Hi,
Unfortunately we discovered only now an intruder who broke into our system
during June and July. The hacker is a pro who knows too much about Prime
Dialcom and DEC systems as well. Actually more than one person is involved
in that crime and as you can see from the nusage file below which contains
the calling address and the outgoing called address, these guys are spread
around US, Europe and Australia.
From June 3rd and on they were using the ID of AIT001 to sign on system 05.
Some of the calls are coming from Dialcom system 150 and 142. I would like
you to ask these system administrators to run nusage and find the guys who
called system 5005 (at 425130000215 or 425130000215xx or 42513000013744)
on the appropriate days (note the 7 hours difference between us).
I am sending you the complete nusage out file which contains the complete list
of addresses and dates, this may give you further clues.
Aurec would like to get all of the details you can before we take further
steps.
I would also ask you to scan for calls to 425130000537 which is an Aurec
Information system located here, we suspect that the same guys accessed
that system illegally during that period.
Please assign top priority to that investigation. It looks like we have
professionals (who wrote CPL and BASIC procedures to scan addresses and
try to break into systems all over the world) who have a commercial
intelligence interest in our systems.
Another clue may be found in a *MAILSAVE* file which is signed by
David and mentions IND001 and IND003.
Regards, Ami.
------------------------------------------------------------------------------
Date   Time   VC Net Adr      Net Addr        Con Hrs  Chars I/O
06/03  11:22  26245890040004  31103010025350  0:05      567   309
06/03  11:27  3106004064      31103010025350  0:31     5728   198
06/03  14:02  26245890040004  31103010025350  0:18     2495   488
06/03  14:31  3106004064      31103010025350  0:03       25    96
06/04  16:30  26245890040004  31103010025350  0:01      429    74
06/04  16:39  26245300030056  31103010025350  0:02        0    54
06/04  16:51  26245890040004  31103010025350  0:01       54    54
06/04  16:53  26245890040004  31103010025350  0:01      425    51
06/04  16:54  26245890040004  31103010025350  0:01      138    53
06/04  17:00  26245890040004  31103010025350  0:52     9077  1204
06/05  12:05  26245890040004  31103010025350  0:03      476    56
06/05  13:16  5053200000      31103010025350  0:01       61    13
06/05  18:50  26245890040004  31103010025350  0:01      500    53
06/05  18:51  26245890040004  31103010025350  0:01       96    13
06/06   7:05  26245890040004  31108050001803  0:01      481    65
06/06   9:00  26245890040004  31108050001803  0:02      519    63
06/07   7:36  26245400050570  31108050001806  0:04     2196   372
06/07   7:40  26245890040004  31108050001806  0:32      827    82
To: MARK (198:MARK)
To: OPER (198:OPER)
From: M.ROSENBERG (MICHAELR) Delivered: Fri 24-Nov-89 9:57 AEDT Sys 6007 (17)
Subject: possible hacker
Mail Id: IPM-6007-891124-089570784
Mark, and the operations guys, because I know Mark will be away until Monday.
I have a hacker here who a couple of nights ago made several calls to system 41.
Last night, I had hacking attempts from this address:
031103010025341, which I am presuming is an outgoing address for system 41. It
may not be, in which case please ignore this message.
The calls would have been to 5053200001 or 505211114995 and were at
0649 on the 23/Nov your time. You might want to check to see if that account
has been hacked; I'd say that it has been. I know that the guy is Australian.
If you find it to be hacked, could you please give me some details about
his calling address etc, so that I may look around my systems further for
possible hacks.
Thanks,
Michael Rosenberg.
OTC Australia.
To: M.AUSCHWITZ (MONICA)
Cc: M.HULBERT (MARK)
Cc: R.RUSSIN (ROBERT)
Cc: T.SCHUYLER (TOMS)
Bc: MICHAELR (6007:MICHAELR)
From: R.RUSSIN (ROBERT) Delivered: Tue 28-Nov-89 4:38 Sys 198 (18)
Subject: HACKED Accounts on System 41
Mail Id: IPM-198-891127-113090211
Monica,
Here are the ufd's we spoke about. Please have the passwords
on them changed asap. I also have the nusage access online if you want
to look at it as well.
ATN037 , EPI059 , EPI062 , EPI102 , EPI171 , EPI172 , EPI192 , PPX072 ,
TCN149 , TCN1608 , TCN266 , TCN3058 and UGA011.
The ufd TCN4019 was the first account penetrated and was where the launch
took place to get access to the other accounts. The incoming addresses for
TCN4019 were 505236189937 and 5053200001, which are both Australian DNICs.
It looks like the FORCE is back.
The access started on November 20th and went through the 26th. Nothing
yet today so far.
Robert
To: MICHAELR (6007:MICHAELR)
From: M.HULBERT (MARK) Delivered: Mon 27-Nov-89 5:39 Sys 198 (31)
Subject: Reply to: possible hacker
Mail Id: IPM-198-891126-122830523
In Reply To: IPM-6007-891124-089570784
I have the note and will follow up on it today.
The address calling your system 031103010025341
is in fact our system 41. Good catch.
Thanks Mike.
Mark
From: M.ROSENBERG (MICHAELR) Delivered: Thu 23-Nov-89 17:56 EST Sys 6007
To: M.HULBERT (MARK)
Subject: possible hacker
Mail Id: IPM-6007-891124-089570784
To: MICHAELR (6007:MICHAELR)
Cc: M.HULBERT (MARK)
From: R.RUSSIN (ROBERT) Delivered: Fri 27-Jan-89 1:40 Sys 198 (241)
Subject: Reply to: Reply to: Reply to: Tracking NUA's on systems.
Mail Id: IPM-198-890126-086660371
In Reply To: IPM-6007-890125-183020001
Yes I do work for Mark Hulbert and have been with Dialcom for almost nine years
now. Mark gave me your name as a contact for OTC Security and I wanted to include
you in on everything in this area.
I will keep you posted on the progress of the Committee membership and appreciate
all your feedback.
Robert
From: M.ROSENBERG (MICHAELR) Delivered: Wed 25-Jan-89 20:20 EST Sys 6007
To: R.RUSSIN (ROBERT)
Subject: Reply to: Reply to: Tracking NUA's on systems.
Mail Id: IPM-6007-890125-183020001
Robert,
I haven't heard of you before this message but imagine you work
with Mark on at least security issues.
I would encourage a licensee-wide security network wholeheartedly.
It is my concerted opinion that THE FORCE was responsible for the
$500,000 Citibank fraud 2 weeks ago. I am trying to cut through the
red tape and talk to my contact in Telecom Aust detective services, who
should be involved with this crime as he has been trying to catch
the Force for international telephone fraud for quite some time.
Force doesn't worry my system any more since he has found it easier
to go directly to the US by Telenet dialup.
Look forward to hearing more from you about this,
Michael.
From: R.RUSSIN (ROBERT) Delivered: Thu 26-Jan-89 3:42 Sys 198
To: M.ROSENBERG (MICHAELR)
Subject: Reply to: Tracking NUA's on systems.
Mail Id: IPM-198-890125-104830689
In Reply To: IPM-10080-890125-095210001
I will look into this and let you know what I find out.
I'm replying back to your message to both yourself and Michael Rosenberg
with OTC in Australia for his FYI as well.
I have some good news about NUSAGE that I found out about which
will help you in your investigating. I will load in the phantom
file I run and also the como output file it creates. I run this
on all our commercial systems each week and review it. The
network addresses being checked are the ones that have been used
by hackers. The option that I have now started using will report
two network addresses if the user is netlinking out from our/your
host system. The first one is the address where the user is coming
in from and the second is where the user is netlinking out to.
I need both of your help in developing and participating in a Dialcom
Licensees' Security Board to establish contacts with all our
Licensees to pass hacker information and any other helpful tips
around to each other. This will require that a distribution list be created to
contain all representatives from each Licensee. I only have you (BT) and
Michael (OTC) so far as contacts. We could then use this list to circulate
information and keep well abreast of the international community's problems
with hackers and helpful tips learned. It would also serve as a means
to get better acquainted with our Licensees and provide support and guidance
on problem solving in the area of system security. It may even help some
in other areas as well.
What I have done over here was establish the account 98:SECURITY for reporting
suspicious activity from the field. I received positive results from this and
it has been a very helpful tool for me and also the field as having a focal point
for escalating problems. I sign onto this account every day and check for incoming
mail. It was easier for people to remember the ufd SECURITY than my account 98:ROBERT
when it came to reporting problems. I announced this to the field and it has become
standard for Dialcom US.
This same account could be established at each licensee's site on their designated
system and reviewed by their system security officer as well.
How do you both feel about this?
Anyway here is some information to pass along to you for now.
Robert Russin
I discovered the account 50:SIE147 was penetrated and checked
the addresses and found out the following:
INCOMING ADDRESSES
------------------
311080500018 Santa Barbara California
311050100016 Little Rock Arkansas
311020600018 Seattle Washington
311020500018 Birmingham Alabama
OUTGOING ADDRESSES
------------------
26245400050233 Germany
23422351919169 UK
900041 System 41 Dialcom US
311022300096 TYMNET Accounting System
425130000215 Israel
23422020010700 UK
30293800354 Canada
23422351919169 UK
The hacker is "The Force" again.
The following is the input stream to run as a phantom and the output
como file it creates.
COMO BERT
DATE
SYS
NUSAGE -U ? -D 01/04-01/16 -NET 311020500018&311080500018&311030100253&
311061500013&505222389941&4542000206&2222631060&31106170010301 &
-NOMIN -I NA DA TI CON NET VNET BAUD ISG VISC -VOUT
NUSAGE -U ? -D 01/04-01/16 -NET 311050100016&311020600018&26245400050&
2342235&311022300&425130000&30293800 &
-NOMIN -I NA DA TI CON NET VNET BAUD ISG VISC -VOUT
COMO -E
>DATE
Tuesday, January 17, 1989 12:28:29 AM EST
>SYS
<S50-0>OPER on system 50
>NUSAGE -U ? -D 01/04-01/16 -NET 311020500018&311080500018&311030100253&
NUSAGE 4.0b
More>311061500013&505222389941&4542000206&2222631060&31106170010301 &
More>-NOMIN -I NA DA TI CON NET VNET BAUD ISG VISC -VOUT
User Name Date Time Net Addr VC Net Adr Baud GW Col Con Hrs
SIE147 06 10:25 31108050001802 26245400050233 1200 - NC 0:22
SIE147 06 10:26 31108050001802 425130000215 1200 - NC 0:00
SIE147 06 10:27 31108050001802 311022300002 1200 - NC 0:01
SIE147 06 10:29 31108050001802 311022300002 1200 - NC 0:01
SIE147 06 10:32 31108050001802 311022300010 1200 - NC 0:00
SIE147 06 10:34 31108050001802 311022300019 1200 - NC 0:00
SIE147 06 10:35 31108050001802 311022300096 1200 - NC 0:01
SIE147 06 10:36 31108050001802 900041 1200 - NC 0:02
SIE147 06 10:38 31108050001802 425130000215 1200 - NC 0:03
SIE147 06 10:50 31108050001805 26245400050233 1200 - NC 0:02
SIE147 06 11:15 31108050001805 26245400050233 1200 - NC 0:20
SIE147 06 11:20 31108050001805 425130000215 1200 - NC 0:02
SIE147 06 11:23 31108050001805 26245400050233 1200 - NC 0:00
SIE147 06 11:23 31108050001805 23422351919169 1200 - NC 0:00
SIE147 06 11:24 31108050001805 23422020010700 1200 - NC 0:00
SIE147 06 11:26 31108050001805 23422020010700 1200 - NC 0:01
SIE147 06 11:27 31108050001805 23422020010700 1200 - NC 0:02
SIE147 06 0:57
SIE147 13 6:36 31108050001801 26245400050233 1200 - NC 0:05
SIE147 1:03
1:03
>NUSAGE -U ? -D 01/04-01/16 -NET 311050100016&311020600018&26245400050&
NUSAGE 4.0b
More>2342235&311022300&425130000&30293800 &
More>-NOMIN -I NA DA TI CON NET VNET BAUD ISG VISC -VOUT
User Name Date Time Net Addr VC Net Adr Baud GW Col Con Hrs
NGM0910 11 11:53 31105010001603 90010789 2400 - COL 0:11
SIE147 04 0:42 31105010001601 311022300096 2400 - NC 0:00
SIE147 04 0:43 31105010001601 311022300094 2400 - NC 0:00
SIE147 04 0:43 31105010001601 311022300095 2400 - NC 0:02
SIE147 04 0:44 31105010001601 311022300103 2400 - NC 0:00
SIE147 04 0:45 31105010001601 311022300103 2400 - NC 0:00
SIE147 04 0:46 31105010001601 31102230009202 2400 - NC 0:00
SIE147 04 0:47 31105010001601 31102230009203 2400 - NC 0:00
SIE147 04 0:47 31105010001601 31102230009210 2400 - NC 0:00
SIE147 04 0:47 31105010001601 31102230009211 2400 - NC 0:00
SIE147 04 0:48 31105010001601 31102230009212 2400 - NC 0:00
SIE147 04 0:48 31105010001601 31102230009209 2400 - NC 0:00
SIE147 04 0:49 31105010001601 31102230009208 2400 - NC 0:01
SIE147 04 0:51 31105010001601 26245400050233 2400 - NC 0:01
SIE147 04 0:52 31105010001601 31102230009201 2400 - NC 0:00
SIE147 04 0:53 31105010001601 31102230009202 2400 - NC 0:00
SIE147 04 0:54 31105010001601 311022300096 2400 - NC 0:00
SIE147 04 0:54 31105010001601 311022300094 2400 - NC 0:00
SIE147 04 0:54 31105010001601 31102230009201 2400 - NC 0:00
SIE147 04 0:55 31105010001601 311022300179 2400 - NC 0:01
SIE147 04 0:55 31105010001601 31102230017901 2400 - NC 0:01
SIE147 04 0:55 31105010001601 31102230017901 2400 - NC 0:00
SIE147 04 0:55 31105010001601 31102230017901 2400 - NC 0:00
SIE147 04 0:56 31105010001601 31102230017701 2400 - NC 0:02
SIE147 04 0:56 31105010001601 31102230017701 2400 - NC 0:02
SIE147 04 0:58 31105010001601 311022300103 2400 - NC 0:00
SIE147 04 0:59 31105010001601 31102230050001 2400 - NC 0:01
SIE147 04 0:59 31105010001601 31102230050001 2400 - NC 0:01
SIE147 04 1:00 31105010001601 31102230019302 2400 - NC 0:00
SIE147 04 1:01 31105010001601 311022300188 2400 - NC 0:01
SIE147 04 1:01 31105010001601 31102230018801 2400 - NC 0:00
SIE147 04 1:01 31105010001601 31102230018801 2400 - NC 0:00
SIE147 04 1:02 31105010001601 31102230009201 2400 - NC 0:00
SIE147 04 1:03 31105010001601 311022300050 2400 - NC 0:00
SIE147 04 1:04 31105010001601 31102230004901 2400 - NC 0:00
SIE147 04 1:04 31105010001601 31102230004901 2400 - NC 0:04
SIE147 04 1:09 31105010001601 311022300096 2400 - NC 0:00
SIE147 04 1:09 31105010001601 31102230009201 2400 - NC 0:00
SIE147 04 1:10 31105010001601 31102230009202 2400 - NC 0:03
SIE147 04 1:12 31105010001601 31102230009201 2400 - NC 0:00
SIE147 04 1:14 31105010001601 311022300047 2400 - NC 0:09
SIE147 04 1:23 31105010001601 31102230004703 2400 - NC 0:00
SIE147 04 1:24 31105010001601 31102230004703 2400 - NC 0:02
SIE147 04 1:26 31105010001601 311022300096 2400 - NC 0:01
SIE147 04 1:26 31105010001601 31102230009201 2400 - NC 0:00
SIE147 04 1:27 31105010001601 31102230004706 2400 - NC 0:02
SIE147 04 1:32 31105010001601 311022300096 2400 - NC 0:01
SIE147 04 1:36 31105010001601 311022300096 2400 - NC 0:00
SIE147 04 0:42
0:53
>COMO -E
From: V.LUNDBERG (BTG072) Delivered: Wed 25-Jan-89 10:34 EST Sys 10080
To: R.RUSSIN (ROBERT)
Subject: Tracking NUA's on systems.
Mail Id: IPM-10080-890125-095210001
Robert,
I have been talking with our networks team about a specific
NUA and tracking of access over this NUA, and we have a need
to track access AS IT HAPPENS as opposed to using NUSAGE to
track access AFTER it has happened. Do you know of any way
we can track the access over the NUA as it happens? Is there
anything we can set up that will send a system alarm in some
shape or form when any user accesses over this specific NUA?
Your thoughts would be greatly appreciated on this one.
Cheers, Vicky.
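As an added example (not from the original mail and not Dialcom's NUSAGE code), here is the weekly check Robert describes above done over constructed NUSAGE -VOUT rows: parse the two-address data rows, match the incoming and outgoing addresses against a -NET style prefix list, and summarise each flagged account. The "&"-separated list and prefix matching are assumptions modelled on the command lines in the como file; the sample rows are constructed after the output shown above.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample shaped like the como output in the message: the NUSAGE
# header line, -VOUT data rows, and the per-user / per-day subtotal lines
# that carry no addresses and must be skipped.
SAMPLE_COMO = """\
User Name Date Time Net Addr VC Net Adr Baud GW Col Con Hrs
SIE147 06 10:25 31108050001802 26245400050233 1200 - NC 0:22
SIE147 06 10:26 31108050001802 425130000215 1200 - NC 0:00
SIE147 06 10:36 31108050001802 900041 1200 - NC 0:02
NGM0910 11 11:53 31105010001603 90010789 2400 - COL 0:11
SIE147 06 0:57
SIE147 13 6:36 31108050001801 26245400050233 1200 - NC 0:05
SIE147 1:03
1:03
"""

# Watch list in the "&"-separated form the -NET argument takes on the page; a
# short entry such as 26245400050 is assumed to cover every NUA starting with it.
WATCH_NET = "311080500018&26245400050&2342235&311022300&425130000&30293800"


@dataclass(frozen=True)
class Session:
    user: str       # ufd that was signed on
    day: int        # day of month within the -D range
    time: str       # host-local HH:MM
    incoming: str   # "Net Addr": the address the caller came in from
    outgoing: str   # "VC Net Adr": the address the caller netlinked out to
    baud: int
    minutes: int    # "Con Hrs" (H:MM) converted to minutes


# user  day  H:MM  in-addr  out-addr  baud  GW  Col  H:MM
ROW_RE = re.compile(
    r"^(\S+)\s+(\d{2})\s+(\d{1,2}:\d{2})\s+(\d+)\s+(\d+)\s+(\d+)"
    r"\s+(\S+)\s+(\S+)\s+(\d+:\d{2})$"
)


def hours_to_minutes(text: str) -> int:
    hours, mins = text.split(":")
    return int(hours) * 60 + int(mins)


def parse_como(text: str):
    """Keep only the nine-field data rows; banners, More> echoes and subtotals do not match."""
    sessions = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        user, day, time, inc, out, baud, _gw, _col, con = m.groups()
        sessions.append(Session(user, int(day), time, inc, out, int(baud),
                                hours_to_minutes(con)))
    return sessions


def parse_net_arg(arg: str):
    """Split a -NET style argument ("a&b&c") into address prefixes."""
    return tuple(p.strip() for p in arg.split("&") if p.strip())


def matching_prefix(address: str, prefixes) -> Optional[str]:
    """Longest watch-list prefix the X.25 address starts with, or None."""
    hits = [p for p in prefixes if address.startswith(p)]
    return max(hits, key=len) if hits else None


def flag_sessions(sessions, prefixes):
    """(session, reason) for every row whose incoming or outgoing address is watched."""
    flagged = []
    for s in sessions:
        reasons = []
        hit = matching_prefix(s.incoming, prefixes)
        if hit:
            reasons.append(f"in {s.incoming} matches {hit}")
        hit = matching_prefix(s.outgoing, prefixes)
        if hit:
            reasons.append(f"out {s.outgoing} matches {hit}")
        if reasons:
            flagged.append((s, "; ".join(reasons)))
    return flagged


def summarize_by_user(flagged):
    """Per ufd: addresses it came in from, went out to, days seen, connect minutes."""
    summary = {}
    for s, _ in flagged:
        e = summary.setdefault(s.user, {"incoming": set(), "outgoing": set(),
                                         "days": set(), "minutes": 0})
        e["incoming"].add(s.incoming)
        e["outgoing"].add(s.outgoing)
        e["days"].add(s.day)
        e["minutes"] += s.minutes
    return summary


if __name__ == "__main__":
    hits = flag_sessions(parse_como(SAMPLE_COMO), parse_net_arg(WATCH_NET))
    for s, why in hits:
        print(f"{s.user} day {s.day:02d} {s.time:>5} {s.minutes:3d} min  {why}")
    print(summarize_by_user(hits))
```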
To: BTG072 (10080:BTG072)
To: MICHAELR (6007:MICHAELR)
Cc: M.HULBERT (MARK)
Cc: R.RUSSIN (ROBERT)
From: R.RUSSIN (ROBERT) Delivered: Thu 26-Jan-89 3:42 Sys 198 (203)
Subject: Reply to: Tracking NUA's on systems.
Mail Id: IPM-198-890125-104830689
In Reply To: IPM-10080-890125-095210001
To: JOEA (198:JOEA)
Cc: DM (198:DM)
Cc: MARK (198:MARK)
Bc: MICHAELR
From: C.HAPANGAMA (OTC264) Delivered: Fri 25-Mar-88 15:39 AEST Sys 6008 (44)
Subject: Hacker threat to Keylink-Dialcom.
Mail Id: IPM-6008-880325-140990869
Mr. Joe Antonellis
Division Vice President,
Dialcom International.
ANALYSIS OF HACKER'S THREAT TO KEYLINK-D
----------------------------------------
On the 25th March 1988, 11:45 AEST, Mr J. Antonellis of Dialcom
was advised that OTC had received a threat from a hacker.
This message is to formally advise Dialcom of the nature of the
threat, in which the hacker claimed:
1) The hacker claims to have access to about 100 Dialcom accounts on BT GOLD,
PRIMECOM, TELEBOX, GOLDNET etc.
2) The hacker intends using these accounts to send thousands of mail messages
to all of the customer accounts on our systems of which he is aware, and
which OTC believes is quite extensive.
The hacker threatens to do this for as many weeks as required
until OTC succumbs and delivers the hacker six free mailboxes.
3) The hacker claims to have access to other PRIMEs and VAXs which he can
program to do this feat without his intervention, which we believe.
The hacker accesses the OTC Dialcom system by using Austpac dial-up
and, less frequently, OTC Data Access dial-up. The hacker uses a common
NUI which is used for access by all our dial-up customers.
This message was sent to OTC from 157:AGS325 at 22:13 3/24/88 AEST, which we
believe has been hacked.
OTC and Telecom (Aust.) are reviewing this situation and expect
to further advise Dialcom Inc. of our intentions by Monday 3/28/88.
Please note these contacts in OTC re this situation:
Legal      : Ros Robertson     Aust 2-287 5204   6008:OTC383
System     : Channa Hapangama  2-287 5857        6008:OTC264
Commercial : David Brawn       2-287 5960        6008:OTC033
             Gary Donald       2-287 5990        6008:OTC003
Facsimile  : 2-287 4435
Channa Hapangama
Technical Support Manager, Value Added Business.
OTC
To: MICHAELR (6008:MICHAELR)
From: CA-EXT-DIR (AGS325) Delivered: Thu 24-Mar-88 22:13 Sys 157 (76)
Subject: HACKING MINERVA
Mail Id: IPM-157-880324-199990001
Hello Michael, it is time we had a chat.
First of all, let me introduce myself. I am Force, a long time hacker of
your Dialcom system, since about 1984.
The reason for this message is to get you to set up some mailboxes on
Keylink for me. Say RLM001 FORCER, or HCK001 FORCER if the first is taken.
I figure, why go on hacking users' accounts which I am sure cause them and you
a lot of problems. This is a simple solution. If I had some mailboxes, there would be
no need to have my team scanning your accounts all the time. In any case it would remove
a lot of your security problems, since there is only me and the Electron.
We are the only two serious hackers as far as Minerva goes. I guess he is
your problem, since I don't like him much either. (Oh, don't forget his sidekick
THE POWERSPIKE. He's rather useless if you would ask me.)
OH YES, WITH THE RLM001 please set up 5 other accounts in the series for
possible later use.
Hacking Minerva for over 4 years, one accumulates a lot of knowledge,
and I know trix you probably haven't thought of. You see, because of
your recent updates in security, it is becoming a pain to scan for 4-5 hrs
to get an account which might last only that long, and then have NETLINK
barred for life, so I thought that was a nice alternative.
Here is what you will get in exchange:
1 - I will not hack any more real user accounts.
2 - There will be no scanning of accounts.
3 - And most importantly, your system will live.
Let me expand on #3. You see, I pride myself in the fact that I have never
caused any damage to the system, to the users' data. Only the use of
netlink, and the use of disused accounts to set up a few trojans like the
one which Mr CURTIS of sys 08 helped me out with. I would like to keep
it that way, but really you have carried the security a little bit too
far. And some retaliation may be in order.
There is a number of things one can do. I will tell you about one, so that
if you decide to take precautions against one (if possible) I will still
have the other options open.
I have access to close to 100 accounts on Dialcoms all over the world.
BT GOLD, PRIMECON, TELEBOX, GOLDNET etc, you name it. I also have a number
of VAXs which can be programmed to control these accounts 24 hrs a day,
7 days a week. Imagine this....
One day you log on to your system, and find you have some mail.
Suddenly to your surprise, you find that you have 1000 duplicate copies
of the same useless message, from all parts of the globe.
Suddenly, the phones at OTC start to ring like crazy from users, who
each have about 5000+ copies of the same message.
You delete it and contact the other Dialcoms to kill the accounts.
You think the problem is gone, but next day new duplicates of the
same message are back.
Well, with about 100 Dialcoms to choose from it could be kept up for
weeks, making your system useless as far as mail goes.
Think about it... The only alternative is to restrict the mail to only about 5
per user coming from outside, or bar international mail altogether.
Frightening thought, isn't it. The good thing is that I can get a system
such as a VAX or another Prime to control all this for me, rather
randomly more or less.
This is just one of the things that can be done. Think about it.
Please contact me on RLM001, or mail back to here, but the real user
may intercept it first, in which case, hmmm, I guess I will mail you
again, and possibly send a few duplicates to make sure the message gets
through.
HAVE A NICE DAY.
Oh yes, next time you break in for a chat on Keylink, please hang around
for a while. I am sure we could find some interesting things to talk about.
Here it is again: RLM001-RLM006 passwd FORCER
To: MICHAELR
From: AFV001 Delivered: Mon 10-Oct-88 13:06 AEST Sys 6007 (64)
Subject: SYSTEM SECURITY
Mail Id: IPM-6007-881010-118010370
From: HQ.RBLAC3 (UDP081) Delivered: Sat 8-Oct-88 19:30 Sys 141
To: AFV001
Subject: SYSTEM SECURITY
Mail Id: IPM-141-881008-175500001
Dear Sir,
I am writing this letter to all Minerva And Keylink users, to inform you about
the practises which have been occuring quite recently, and which concern me
very much. I have always been under the impression that Keylink had some
integrity, and was a secure system to use, but have found otherwise.
Minerva and Keylink operators, have the capability to monitor all use of the
system, which gives them access to your private mail, online files and
any information you gain through the use of the NETLINK facility.
Two people I know, make a regular use of this facility, to call a Unix System
in Germany. Both of their accounts have been vioalated by the operator(s)
of Keylink.
- THEY HAVE STOLEN PRIVATE INFORMATION WHICH MAY HAVE BEEN STORED THERE.
- THEY HAVE GAINED FREE USE OF THE FACILITIES, EVEN THOUGH NOT AUTHORISED
TO LEGALY ACCESS IT.
- THEY HAVE IMPERSONATED THE REAL OWNERS OF THE ACCOUNTS, TO OBTAIN FURTHER
INFORMATION FROM OTHER PEOPLE, AND TO DISCREDIT THEM BY OBUSING OTHER
USERS UNDER THEIR ACCOUNTS.
There is proof beyond any shadow of the doubt that this took place, and there
are several witneses, who have seen this happen and even seen the person(s)
involed admit to it. Under Victorian hacking laws, they would be liable for
upto $100000 and a maximum of ten years inprisonment. I am sure the German
and other Australian States would have such laws, which I am not familiar
with at this time.
The person in question is an OTC Employee called MICHAEL ROSENBERG, who
currently still works as a person involved, or in charge of the system
security. It's all rather ironical.
Their excuse is that it is being done to protect the integrity of the system
and its users, but I consider this to be inexcuseable behaviour, not justified
by any reasons. In principle, they are worse than the hackers they are trying
to protect the system from. Only difference, they can abuse their ability
to monitor the system activity and capture any information and accounts the
users type.
This is to let you know what sort of thing goes on quite frequently and is
tolerated on the Keylink and Minerva network. I will not let the matter rest
here, and the media will be informed about their actions.
From what I have been told, this thing is not restricted to Keylink, since
the same people have got access to the entire MIDAS, now called OTC DATA
ACCESS Network. I have also spoken to AUSTPAC Representatives, and they have
informed me that all of their data traffic bound for
overseas is sent out through the OTC Network, which in my view leaves all
data coming from Austpac open to abuse as well.
AS FOR MYSELF, I NO LONGER USE KEYLINK, BUT ITS EQUIVALENT IN THE UNITED
STATES. I ASSUME THEY WILL TRY TO STOP THIS MESSAGE REACHING YOU, OR DENY
ALL THE DETAILS, BUT PLEASE I URGE YOU TO CONSIDER THE IMPLICATION AND TAKE
THE APPROPRIATE MEASURES, TO PREVENT THIS SORT OF THING HAPPENING.
Yours Faithfully
Very Mad X-Keylink User
To: MARK (198:MARK)
To: ROBERT (198:ROBERT)
From: MIKE.ROSENBERG (MICHAELR) Delivered: Thu 8-Feb-90 10:35 AEDT Sys 6007 (21)
Subject: Activity from Australia on System 41
Mail Id: IPM-6007-900208-095270350
Dear Robert/Mark, assuming that you are both still employed by Dialcom....
Our packet switch guys have informed me of much activity to system 41
over the last few days.
I suggest you look for accesses from 505234289983 on :
2/7 0135 to 1811 UTC for a start.
Check for other accesses during feb. of course, but you should find accesses
on at least the 2nd and 6th as well.
Could you also check an access from 505291989999 on 2/7 11:00 UTC please. It
was only 4 minutes long so it is probably OK.
This suspect NUI is not going to be blacklisted by OTC because furtive
investigations are under way into his activities.
Hear from you shortly,
Regards,
Michael.
To: DM (198:DM)
Cc: MARK (198:MARK)
Cc: ROBERT (198:ROBERT)
Cc: S.BERLECKY (STEVEB)
From: M.ROSENBERG (MICHAELR) Delivered: Mon 12-Mar-90 14:54 AEST Sys 6007 (97)
Subject: Reply to: Reply to: Hacker
Mail Id: IPM-6007-900312-134220906
In Reply To: IPM-198-900309-155230700
Dave,
I have asked around OTC for how to help you. Apparently OTC is still
bound by legislation which prohibits it giving out trace information to any
one except to the customer to whom the info belongs. This is being changed,
but cannot be changed until after our federal election on March 24.
In any case, as far as official channels go, it would be better to speak
to the Australian Federal Police, who are investigating phoenix and electron
at the moment. I believe that they know the identities of both these guys (
even I know who electron is).
Try calling Superintendent Ken Hunt,
Currency Branch, AFP
Melbourne.
Phone is +61 3 607 7777
Melbourne has a public holiday today, so I couldn't call him to open the way
for you, but when you call him, you can mention that Brian Travis of OTC
gave you his number, through me. The super can call Brian about it if he sees the
need.
Let me know if you have trouble, and please let me know if you have success, as I'd
like to keep track of as much as legally possible and/or practical.
Hope this helps,
Mike.
From: D.MCDONELL (DM) Delivered: Sat 10-Mar-90 8:18 Sys 198
To: M.ROSENBERG (MICHAELR)
Subject: Reply to: Hacker
Mail Id: IPM-198-900309-155230700
Steve, please see Mark's comments below. Is there an official
channel (network security types) on your domestic network side
that can be used to take formal action against this hacker?
Can you facilitate for us?
Thanks,
--Dave
From: M.HULBERT (MARK) Delivered: Fri 9-Mar-90 12:23 EST Sys 198
To: D.MCDONELL (DM)
Subject: Reply to: Hacker
Mail Id: IPM-198-900309-111480354
In Reply To: IPM-198-900309-084961263
I need alternative, official channels. We need to make some
provisions for tracing etc which will require some "official
blessings."
Don't take me wrong, Mike has been an excellent asset but
we need to see if we might identify this hacker and
arrange for some apprehension if plausible.
Mark
From: D.MCDONELL (DM) Delivered: Fri 9-Mar-90 9:26 EST Sys 198
Forward: M.HULBERT (MARK)
Subject: Hacker
Mail Id: IPM-198-900309-084961263
Mark, do want to continue going through Michael Rosenberg of OTC Dialcom,
or would you prefer alternative, official channels?
From: M.ROSENBERG (MICHAELR) Delivered: Fri 9-Mar-90 2:03 EST Sys 6007
Forward: D.MCDONELL (DM)
Subject: Hacker
Mail Id: IPM-6007-900309-153371098
Dave
I have been helping Robert and Mark with tracing NUA's and in all
cases the NUI has been hacked and the customer name is useless. It would
be much simpler if you could go through me because I should be able to get
it all done through some channels. More effort would be req'd to set up
official channels.
Let me know if this is ok.
Mike
From: S.BERLECKY (STEVEB) Delivered: Fri 9-Mar-90 14:13 AEST Sys 6007
Forward: M.ROSENBERG (MICHAELR)
Subject: Hacker
Mail Id: IPM-6007-900309-128050426
From: D.MCDONELL (DM) Delivered: Fri 9-Mar-90 3:21 Sys 198
To: S.BERLECKY (STEVEB)
Subject: Hacker
Mail Id: IPM-198-900308-111400742
Steve, our security team needs assistance in tracking
a hacker who is giving us a lot of problems over here.
Can you advise a contact in your domestic networks side
that could aid us in identifying this Australian user?
Any tips you can provide are appreciated.
Thanks,
--Dave
To: ROBERT (198:ROBERT)
From: M.ROSENBERG (MICHAELR) Delivered: Tue 13-Mar-90 17:48 AEST Sys 6007 (140)
Subject: Reply to: Reply to: Reply to: Reply to: SYSTEM ACCESS VIOLATION
Mail Id: IPM-6007-900313-160270263
In Reply To: IPM-198-900312-085970211
Robert,
I can tell you what cities the NUI belongs in, that is all.
Austpac NUI's/tie lines have a numbering convention based on where they are
registered, not from where the call is made. Also, all the NUI's used are
stolen, the address provides no clue as to who is really using it.
Anyway, this is the scheme. Austpac is represented by the 5052. The next
1-3 digits are the telephone area code of the tie line or registered NUI
user.
so:
50522xxxxxxxxx is a sydney number
50523xxxxxxxxx is a melbourne number
50527xxxxxxxxx is a brisbane number
50529xxxxxxxxx is perth
505262xxxxxxxx is canberra
etc.
5053 numbers are OTC Data Access and you will have to call me to find out about
those because there is no such geographical relationship between the number
and the user.
Hope this helps,
Mike
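Mike's numbering scheme above, written out as an added example in Python (not OTC or Dialcom code): it classifies an X.121 address by DNIC and registered area code with longest-prefix matching, using exactly the area-code table listed in the message, and keeps the stated caveat that the city is where the NUI was registered, not where the call came from.

```python
"""Classify Austpac / OTC Data Access X.121 addresses by Mike's scheme.
Added example, not OTC or Dialcom code."""
from typing import Optional

AUSTPAC_DNIC = "5052"           # Austpac: geographic registration scheme
OTC_DATA_ACCESS_DNIC = "5053"   # OTC Data Access: no geographic mapping

# Telephone area code of the registered NUI / tie line -> city, as listed
# in the message. Canberra's code is two digits, hence longest-prefix match.
AREA_CODES = {
    "2": "Sydney",
    "3": "Melbourne",
    "7": "Brisbane",
    "9": "Perth",
    "62": "Canberra",
}


def _digits(address: str) -> str:
    """X.121 addresses are sometimes written with spaces ('5052 38189955')."""
    return "".join(ch for ch in address if ch.isdigit())


def registration_city(address: str) -> Optional[str]:
    """City where a 5052 NUI or tie line is registered, or None.

    Tries the 3-, 2- and 1-digit prefixes after the DNIC in that order so
    '62' (Canberra) wins over a single '6'. Returns None for non-Austpac
    addresses and for area codes not in the table.
    """
    digits = _digits(address)
    if not digits.startswith(AUSTPAC_DNIC):
        return None
    rest = digits[len(AUSTPAC_DNIC):]
    for length in (3, 2, 1):
        if rest[:length] in AREA_CODES:
            return AREA_CODES[rest[:length]]
    return None


def describe(address: str) -> str:
    """One-line description of where an address is registered.

    The limitation stated in the message applies: the city is where the
    NUI was registered, not where the call was placed, and a stolen NUI
    says nothing about the actual caller.
    """
    digits = _digits(address)
    if digits.startswith(OTC_DATA_ACCESS_DNIC):
        return "OTC Data Access: no geographic relationship, ask OTC"
    city = registration_city(address)
    if city:
        return f"Austpac, registered in {city} (registration, not caller)"
    if digits.startswith(AUSTPAC_DNIC):
        return "Austpac, area code not in table"
    return "not an Austpac or OTC Data Access address"


if __name__ == "__main__":
    # Addresses quoted in this thread.
    for addr in ("505234289983", "505291989999", "505270589986",
                 "5052 38189955", "5053200000", "31370090059"):
        print(addr, "->", describe(addr))
```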
From: R.RUSSIN (ROBERT) Delivered: Tue 13-Mar-90 0:33 Sys 198
Forward: M.ROSENBERG (MICHAELR)
Subject: Reply to: Reply to: Reply to: SYSTEM ACCESS VIOLATION
Mail Id: IPM-198-900312-085970211
Michael,
Can you assist in this question.
Thanks,
Robert
From: M.HULBERT (MARK) Delivered: Mon 12-Mar-90 8:09 EST Sys 198
To: R.RUSSIN (ROBERT)
Subject: Reply to: Reply to: Reply to: SYSTEM ACCESS VIOLATION
Mail Id: IPM-198-900312-073460945
In Reply To: IPM-198-900311-202750722
Bert,
Please contact Mike Rosenberg in Australia and see if he can
determine the actual access city from the address through his channels
in Australia.
Looks like a busy weekend for you - thanks for the commitment.
Mark
From: R.RUSSIN (ROBERT) Delivered: Sun 11-Mar-90 22:31 EST Sys 198
To: M.HULBERT (MARK)
Subject: Reply to: Reply to: SYSTEM ACCESS VIOLATION
Mail Id: IPM-198-900311-202750722
In Reply To: IPM-5006-900311-198930318
Zohar,
Yes I know. However they just started coming into the U.S. from the
425130000215 address over this weekend. Before that the hacker was coming straight
to the U.S. from the Australian CSC Infonet address 31370090059. Since January
he has come in from the following network addresses you may want to screen your
systems for. They are: 31370038209007, 505234289983, 505270589986 and the
31370090059 listed above. Most of February and March until this weekend he
was coming in only from 31370090059. Once on he would netlink out and attack
other accounts on the same system, other systems within the ringnet and out
into the Telenet and other public data networks globally.
This hacker goes by the name Raster Biter and I have captured many of his
CPL's that you have seen him use to launch attacks at NUI's.
If you are the point of contact over there in Israel for our Licensee there,
then I will advise you of future activity as well.
Robert Russin Deputy Security Officer BT TYMNET (Dialcom)
From: Z.LEVITAN (ZOHAR) Delivered: Sun 11-Mar-90 15:06 EST Sys 5006
To: R.RUSSIN (ROBERT)
Subject: Reply to: SYSTEM ACCESS VIOLATION
Mail Id: IPM-5006-900311-198930318
In Reply To: IPM-198-900311-100590271
Robert,
Please note that although they are accessing your systems from
425130000215 they have been accessing Israel from the Australian
address in my original letter.
BTW have you advised TYMNET networks of the accesses to other
computers on their network.
Zohar
From: R.RUSSIN (ROBERT) Delivered: Sun 11-Mar-90 18:32 Sys 198
To: Z.LEVITAN (ZOHAR)
Subject: SYSTEM ACCESS VIOLATION
Mail Id: IPM-198-900311-100590271
This hacker has been working all weekend around the Licensee Dialcom
systems. He has been netlinking to the U.S. from 425130000215 as well.
Just a heads up to everyone that we have heavy activity and to keep a close
watch on your systems.
Thanks Zohar for the heads up on your end.
Robert
From: R.MILLER (RONM) Delivered: Sun 11-Mar-90 8:39 EST Sys 198
Forward: R.RUSSIN (ROBERT)
Subject: SYSTEM ACCESS VIOLATION
Mail Id: IPM-198-900311-077921232
FYI...
From: Z.LEVITAN (ZOHAR) Delivered: Sun 11-Mar-90 8:38 EST Sys 5006
To: R.MILLER (RONM)
Subject: SYSTEM ACCESS VIOLATION
Hi,
This is to alert you to the fact that we are suffering a security
breach.
The party is accessing from X.121 address 5052 38189955
He has been running a programme on our system that has been
scanning NUA on Telenet. He has been scanning the range
3106097285 to 3106159999. We have found him NETLINKing to
3106003503 and 3106003525
Please advise your and TYMNET security people. We will pass on
further info if any comes to hand.
I can be reached by phone in Tel Aviv on 7532406 (+972 3 7532406)
until 10:00 EST today or from 12:00 on 490498 (+972 3 490498).
Zohar
To: L.WACHBROIT (LILLIANW)
Cc: M.HULBERT (MARK)
Bc: MICHAELR (6007:MICHAELR)
From: R.RUSSIN (ROBERT) Delivered: Fri 16-Mar-90 0:55 Sys 198 (215)
Subject: Reply to: Reply to: Reply to: Reply to: Reply to: Reply to: Reply to: CATINF PROTECTION & ACCESS VIOLATION
Mail Id: IPM-198-900315-088460610
In Reply To: IPM-198-900315-041761057
Lillian,
Thanks for the info. I had the accounts on system 41
and 57 shutdown within a day or two after they cracked the accounts.
I have a COMINPUT stream that I edit each week and change the date
range which checks for incoming and outgoing access on Network
addresses that have been frequented by hackers. Now normal users
also use these same paths. I look for anything unusual and investigate
further in detail if something catches my eye. I will give you this
file but, remember it applies to the hacking we had in the U.S. It
can be used as a guide for other licensees who want to plug in
the addresses they happen to be dealing with. Anyway here it is.
Robert
COMO BERT
DATE
SYS
/* INTERNATIONAL ACCESS CHECK INCOMING...
NUSAGE -U ? -D 03/11-03/14 -NET 5052&5053&31370038209007&31370090059 &
3106007028&208&425130000215 &
-NOMIN -I NA TR CON NET BAUD
DATE
SYS
/* INTERNATIONAL ACCESS CHECK OUTGOING...
NUSAGE -U ? -D 03/11-03/14 -NET 5052&5053&31370038209007&31370090059 &
3106007028&208&425130000215 &
-NOMIN -I NA TR CON NET VNET BAUD ISG VISC -VOUT
DATE
SYS
/* DOMESTIC ACCESS CHECK INCOMING...
NUSAGE -U ? -D 03/11-03/14 -NET 311020500018&311030100254&311030100253 &
311080500018&3110617&3110422000&3110233&311031300062&311020100074 &
311080100054 &
-NOMIN -I NA TR CON NET BAUD
DATE
SYS
/* DOMESTIC ACCESS CHECK OUTGOING...
NUSAGE -U ? -D 03/11-03/14 -NET 311020500018&311030100254&311030100253 &
311080500018&3110617&3110422000&3110223&311031300062&311020100074 &
311080100054 &
-NOMIN -I NA TR CON NET VNET BAUD ISG VISC -VOUT
DATE
COMO -E
This when run as a como during non-prime time hours will create
a file called BERT. I recommend that this phantom be run on all
systems in the ring and when they complete to load all the
como files into one file to be printed and reviewed.
I hope this helps you out.
Robert
From: L.WACHBROIT (LILLIANW) Delivered: Thu 15-Mar-90 4:38 EST Sys 198
Forward: R.RUSSIN (ROBERT)
Subject: Reply to: Reply to: Reply to: Reply to: Reply to: Reply to: CATINF PROTECTION & ACCESS VIOLATION
Mail Id: IPM-198-900315-041761057
More on our friendly hacker. Note some of the addresses he came in on...
From: Z.LEVITAN (ZOHAR) Delivered: Thu 15-Mar-90 2:14 EST Sys 5006
To: L.WACHBROIT (LILLIANW)
Subject: Reply to: Reply to: Reply to: Reply to: Reply to: Reply to: CATINF PROTECTION & ACCESS VIOLATION
here you are:
User Name Date Time Net Addr Con Hrs Chars I/O
BIC011 07 14:18 31103010025357 0:01 63 440
BIC011 07 14:33 31103010025357 0:25 1127 7131
BIC011 08 6:15 31103010025357 6:08 18480 122105
BIC011 08 13:03 31103010025357 4:32 4613 134250
BIC011 09 0:13 31103010025357 0:00 0 0
BIC011 09 1:44 31103010025357 3:55 285 1076
BIC011 09 8:04 31103010025341 0:08 170 2408
BIC011 09 8:07 (local) 0:00 0 0
BIC011 09 8:11 505238189955 0:37 881 8842
BIC011 09 8:36 (local) 4:43 0 0
BIC011 09 8:42 (local) 0:00 0 0
BIC011 09 8:43 (local) 0:00 0 0
BIC011 09 8:44 (local) 0:00 0 0
BIC011 09 8:48 (local) 0:00 0 0
BIC011 10 6:35 31103010025341 0:05 224 1501
BIC011 10 7:18 505238189955 10:30 24677 317582
BIC011 10 7:24 (local) 0:00 0 0
BIC011 10 7:25 (local) 0:00 0 0
BIC011 10 7:26 (local) 0:00 0 0
BIC011 10 7:26 (local) 0:00 0 0
BIC011 10 7:27 (local) 0:00 0 0
BIC011 10 7:27 (local) 0:00 0 0
BIC011 10 7:27 (local) 0:00 0 0
BIC011 10 7:28 (local) 0:00 0 0
BIC011 10 7:28 (local) 0:00 0 0
BIC011 10 7:35 (local) 0:00 0 0
BIC011 10 8:11 (local) 0:00 0 0
BIC011 10 8:13 (local) 2:53 0 0
BIC011 10 9:24 (local) 3:10 0 0
BIC011 10 13:42 (local) 0:00 0 0
BIC011 10 13:43 (local) 6:17 0 0
BIC011 11 6:54 31103010025341 0:00 0 0
BIC011 11 8:59 505238189955 1:48 8643 38058
BIC011 11 9:04 (local) 3:46 0 0
BIC011 11 11:23 505238189955 1:27 6355 49422
BIC011 11 13:11 9000000904 0:07 384 4166
BIC011 11 13:24 505238189955 0:00 0 0
BIC011 11 15:12 505238189955 2:19 11576 60613
BIC011 53:04 93264 750175
BWC001 07 13:30 31103010025357 0:42 1057 143595
BWC001 11 23:48 505238189955 10:49 36273 834483
BWC001 12 2:08 (local) 37:19 0 0
BWC001 48:50 37330 978078
101:54 130594 1728253
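Robert's weekly check above filters NUSAGE output on a list of watched network addresses; the following added example in Python (not Dialcom code) does the same offline over the listing Zohar posted. It assumes the row layout shown in that listing and assumes -NET matches on address prefix; the watch prefixes are copied from the COMO stream, and the listing excerpt embedded below is sample input.

```python
"""Scan a Dialcom NUSAGE-style listing for sessions from watched X.121
addresses, the check Robert's weekly COMO stream performs with -NET.
Added example, not Dialcom code: the row layout and the prefix-match
semantics of -NET are assumptions taken from the messages in this thread."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Address prefixes copied from the -NET lists in Robert's COMO stream.
WATCH: Dict[str, List[str]] = {
    "international": ["5052", "5053", "31370038209007", "31370090059",
                      "3106007028", "208", "425130000215"],
    "domestic": ["311020500018", "311030100254", "311030100253",
                 "311080500018", "3110617", "3110422000", "3110233",
                 "311031300062", "311020100074", "311080100054"],
}


@dataclass
class Session:
    user: str
    day: str
    time: str
    net_addr: str       # "(local)" for a login that came in off-network
    connect_min: int    # "Con Hrs" column, H:MM converted to minutes
    chars_in: int       # the two "Chars I/O" columns, taken here as in/out
    chars_out: int


def parse_listing(text: str) -> List[Session]:
    """Keep only the 7-field session rows; the header, the per-user
    subtotal and the grand-total rows have other field counts and are
    skipped."""
    sessions = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 7 or ":" not in fields[2]:
            continue
        user, day, time, net, con, cin, cout = fields
        hours, minutes = con.split(":")
        sessions.append(Session(user, day, time, net,
                                int(hours) * 60 + int(minutes),
                                int(cin), int(cout)))
    return sessions


def matched_list(net_addr: str, watch: Dict[str, List[str]] = WATCH
                 ) -> Optional[str]:
    """Name of the first watch list holding a prefix of net_addr, else None."""
    for name, prefixes in watch.items():
        if any(net_addr.startswith(p) for p in prefixes):
            return name
    return None


def scan_listing(text: str, watch: Dict[str, List[str]] = WATCH
                 ) -> List[Tuple[Session, str]]:
    """Sessions whose network address is on a watch list. As Robert notes,
    normal users share these paths, so a hit is a lead to investigate,
    not proof of an intrusion."""
    hits = []
    for session in parse_listing(text):
        name = matched_list(session.net_addr, watch)
        if name:
            hits.append((session, name))
    return hits


def summarize(hits: List[Tuple[Session, str]]
              ) -> Dict[Tuple[str, str], Tuple[int, int]]:
    """Total connect minutes and input characters per (user, watch list);
    long connect times from a watched address are what catch the eye."""
    totals: Dict[Tuple[str, str], Tuple[int, int]] = {}
    for session, name in hits:
        mins, chars = totals.get((session.user, name), (0, 0))
        totals[(session.user, name)] = (mins + session.connect_min,
                                        chars + session.chars_in)
    return totals


# Sample input: an excerpt of the listing Zohar posted, header and
# subtotal rows included so the parser has to skip them.
SAMPLE = """\
User Name Date Time Net Addr Con Hrs Chars I/O
BIC011 07 14:18 31103010025357 0:01 63 440
BIC011 09 8:04 31103010025341 0:08 170 2408
BIC011 09 8:07 (local) 0:00 0 0
BIC011 09 8:11 505238189955 0:37 881 8842
BIC011 10 7:18 505238189955 10:30 24677 317582
BIC011 11 13:11 9000000904 0:07 384 4166
BWC001 11 23:48 505238189955 10:49 36273 834483
BWC001 12 2:08 (local) 37:19 0 0
BIC011 53:04 93264 750175
101:54 130594 1728253
"""

if __name__ == "__main__":
    found = scan_listing(SAMPLE)
    for session, name in found:
        print(f"{session.user} day {session.day} {session.time} from "
              f"{session.net_addr} [{name}] {session.connect_min} min")
    for (user, name), (mins, chars) in summarize(found).items():
        print(f"{user} {name}: {mins} min, {chars} chars in")
```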
From: L.WACHBROIT (LILLIANW) Delivered: Wed 14-Mar-90 14:04 Sys 198
To: Z.LEVITAN (ZOHAR)
Subject: Reply to: Reply to: Reply to: Reply to: Reply to: CATINF PROTECTION & ACCESS VIOLATION
Mail Id: IPM-198-900314-063460362
In Reply To: IPM-5006-900314-125770656
For the ids he broke into, include date, time and "NET" (we want to
see what address he came *from*...)
From: Z.LEVITAN (ZOHAR) Delivered: Wed 14-Mar-90 6:58 EST Sys 5006
To: L.WACHBROIT (LILLIANW)
Subject: Reply to: Reply to: Reply to: Reply to: CATINF PROTECTION & ACCESS VIOLATION
Mail Id: IPM-5006-900314-125770656
In Reply To: IPM-198-900314-037610725
Hi,
Please let me know the nusage options that you would like us to run for you.
Zohar
From: L.WACHBROIT (LILLIANW) Delivered: Wed 14-Mar-90 11:11 Sys 198
To: Z.LEVITAN (ZOHAR)
Subject: Reply to: Reply to: Reply to: CATINF PROTECTION & ACCESS VIOLATION
Mail Id: IPM-198-900314-037610725
In Reply To: IPM-5006-900313-195330414
Ick! Can you send us the NUSAGE files on this guy?
From: Z.LEVITAN (ZOHAR) Delivered: Tue 13-Mar-90 14:41 EST Sys 5006
To: L.WACHBROIT (LILLIANW)
Subject: Reply to: Reply to: CATINF PROTECTION & ACCESS VIOLATION
Mail Id: IPM-5006-900313-195330414
In Reply To: IPM-198-900313-099950306
HE
Potentially an Australian who has been spending hours on Dialcom
Systems.
He has written some CPL's, found a couple of 'undocumented'
commands and security weaknesses.
1. The person found a command DOPH which was set in 1985 to
minimum seclev 0 that allows anyone to spawn a phantom.
2. He found that on most systems any user can 'ATTACH' to CATINF
and gaily go about creating subufds that he fills with CPL's, and
the result files of hundreds of searches for computers on the PSS
networks and the attempts to 'access' these systems using files
of passwords.
The hacker has been fairly clever doing loop the loop. It
appears from one listing we got running NUSAGE, that he arrived
from system 135 and went to visit system 135 and 163. The latest
accesses have been from Australia and he has been running riot
with a CPL that does a loop from X to infinity with TYMNET NUA's.
If he gets a connected message he writes the result to a file etc
etc.
Hope this makes some sense - I have been up since 03:30 this
morning and logged in to check if our guest got back past the
doors we closed.
Zohar
From: L.WACHBROIT (LILLIANW) Delivered: Tue 13-Mar-90 18:07 Sys 198
To: Z.LEVITAN (ZOHAR)
Subject: Reply to: CATINF PROTECTION & ACCESS VIOLATION
Mail Id: IPM-198-900313-099950306
In Reply To: IPM-5006-900313-150900268
Zohar,
I feel like I came into the middle of a movie -- who is "he"? And what
did "he" do? How about explaining this from the beginning?
Confused of Camden
From: Z.LEVITAN (ZOHAR) Delivered: Tue 13-Mar-90 9:45 EST Sys 5006
To: L.WACHBROIT (LILLIANW)
Subject: CATINF PROTECTION & ACCESS VIOLATION
Mail Id: IPM-5006-900313-150900268
HI,
On our system he created a SUBUFD CATINF>POST>MAIL. We have attempted
to reset protections for CATINF so that users with SECLEVS below 5 could
not attach, but without success.
Could you please let us know what needs to be done in order to protect
this UFD from 'attach'.
We have looked at his last CPL and found that he accessed your system
163 and was having a go at prefix EPX with passwords 'DIALCOM', 'QWERTY'
and 'TEST'. We would appreciate your letting us know this information
for our system if you find it in any of his files.
Many Thanks
Zohar
Fo: MICHAELR (6007:MICHAELR)
Cc: M.HULBERT (MARK)
From: R.RUSSIN (ROBERT) Delivered: Fri 16-Mar-90 0:32 Sys 198 (35)
Subject: HACKERS POINT OF ORIGIN
Mail Id: IPM-198-900315-085970463
Mike,
Our hacker is attacking the Israel Licensee now.
He comes in their system from 5005, 5052 and 38189955.
This morning around 5:30 AM U.S. time the hacker
was online using a hacked account netlinking out
to 3106 008510 which is a Tymnet address. Mark Hulbert will
advise Tymnet Network Security. I just wanted to pass
this information on to you in case it can help you.
Thanks,
Robert
From: M.HULBERT (MARK) Delivered: Thu 15-Mar-90 7:14 EST Sys 198
Forward: R.RUSSIN (ROBERT)
Subject: HACKERS POINT OF ORIGIN
Mail Id: IPM-198-900315-065180725
Would you provide this information to Michael Rosenberg and see if
he might be able to add some further information to it?
Mark
From: Z.LEVITAN (ZOHAR) Delivered: Thu 15-Mar-90 6:11 EST Sys 5006
To: M.HULBERT (MARK)
Subject: HACKERS POINT OF ORIGIN
Mail Id: IPM-5006-900315-118820069
HI,
The blokes at our PSS service have determined that the hacker is
working from a line registered to a company called Austac with
phone number +61 2 233-3677 (i.e. somewhere in Sydney).
Zohar
Fo: BTG072 (10080:BTG072)
Fo: BTG109 (10080:BTG109)
Fo: MICHAELR (6007:MICHAELR)
Fo: E.LONG (ELLEN)
Fo: M.HULBERT (MARK)
Cc: R.MYERS (159:BERTA)
Cc: ZOHAR (5006:ZOHAR)
Cc: R.RUSSIN (ROBERT)
From: R.RUSSIN (ROBERT) Delivered: Mon 12-Mar-90 2:16 Sys 198 (40)
Subject: SYSTEM ACCESS VIOLATION
Mail Id: IPM-198-900311-100590271
This hacker has been working all weekend around the Licensee Dialcom
systems. He has been netlinking to the U.S. from 425130000215 as well.
Just a heads up to everyone that we have heavy activity and to keep a close
watch on your systems.
Thanks Zohar for the heads up on your end.
Robert
From: R.MILLER (RONM) Delivered: Sun 11-Mar-90 8:39 EST Sys 198
Forward: R.RUSSIN (ROBERT)
Subject: SYSTEM ACCESS VIOLATION
Mail Id: IPM-198-900311-077921232
FYI...
From: Z.LEVITAN (ZOHAR) Delivered: Sun 11-Mar-90 8:38 EST Sys 5006
To: R.MILLER (RONM)
Subject: SYSTEM ACCESS VIOLATION
Mail Id: IPM-5006-900311-140840652
Hi,
This is to alert you to the fact that we are suffering a security
breach.
The party is accessing from X.121 address 5052 38189955
He has ben running a programme on our system that has been
scanning NUA on Telenet. He has been scanning the range
3106097285 to 3106159999. We have found him NETLINKing to
3106003503 and 3106003525
Please advise your and TYMNET security people. We will pass on
further info if any comes to hand.
I an be reached by phone in Tel Aviv on 7532406 (+972 3 7532406)
until 10:00 EST today or from 12:00 on 490498 (+972 3 490498).
Zohar
To: MICHAELR (6007:MICHAELR)
Cc: M.HULBERT (MARK)
Cc: R.RUSSIN (ROBERT)
From: M.HULBERT (MARK) Delivered: Thu 22-Feb-90 23:46 Sys 198 (45)
Subject: Reply to: System 48
Mail Id: IPM-198-900222-069750143
In Reply To: IPM-6007-900222-152690115
Michael,
The Westinghouse Wespac network is a private network owned and operated by Westinghouse. The addresses for
the network are 3110422.
Systems 48 and 49 are Westinghouse systems but we have not noted
any hacker activity of late but will recheck our most recent
series of scans of our systems.
I would appreciate any added information on what specifics the
individual you're talking to has on the possible penetrations.
Also, treat this information on Wespac with discretion.
Mark
From: M.ROSENBERG (MICHAELR) Delivered: Thu 22-Feb-90 1:56 EST Sys 6007
To: M.HULBERT (MARK)
Subject: System 48
Mail Id: IPM-6007-900222-152690115
Robert, Mark,
My contact in OTC's packet switching exchange has asked me if I knew
what 311042200048 was and if it was Dialcom or not. After I told him
that it was system 48, he asked me if I could ask you some things..
He doesn't have any firm evidence, but I know that he is asking questions
because he intercepted a conversation with electron during which he
mentioned things about penetrating Westinghouse security.
I think that system 48 is Westinghouse (y/n?) and, if so, is it known
amongst any one there by the name Westpac? Do you know of any obvious
security breaches in 48 and 49 that concern Australia or you think come
from Australian hackers.
I know that these are vague questions and the time scale that he is
speaking of is a couple of months ago. Also, I understand that there
are things that I may not be privy to know, that is fine. Basically, is there
anything that may interest Australia about security breaches on 48 and 49?
I assure you of course that the person asking these questions spends most
of his time tracking hackers that don't originate from my system and is asking
me these questions because he is trying to fill in holes in his intercepted
information.
Hope you can help,
Thanks,
Michael.
Fo: MICHAELR (6007:MICHAELR)
Cc: M.HULBERT (MARK)
From: R.RUSSIN (ROBERT) Delivered: Wed 21-Feb-90 1:43 Sys 198 (77)
Subject: Suspect activity from sys 75
Mail Id: IPM-198-900220-087370915
Michael,
Here is some additional info I received from BTGOLD
that may help you in your inquiry.
Robert
From: D.DOVEY-PRICE (BTG300) Delivered: Mon 19-Feb-90 7:09 EST Sys 10080
Forward: R.RUSSIN (ROBERT)
Subject: Suspect activity from sys 75
Mail Id: IPM-10080-900219-109471015
Robert,
I 've done some investigating on this matter and have found one of our
customers accessing address 5053200000, but only on 22/1 and 26/1 and not
on 25/1. Enclosed are the times for you to compare.
The company name is ARTSLINK.
Hope this info is of some use to you.
Diana.
User Name Date Time Net Addr
MUS074 22 3:36 5053200000
MUS074 22 18:02 5053200000
MUS074 22
User Name Date Time Net Addr
MUS074 26 12:40 5053200000
From: J.KENNEDY (BTG109) Delivered: Mon 19-Feb-90 10:33 GMT Sys 10080
Forward: D.DOVEY-PRICE (BTG300)
Subject: Suspect activity from sys 75
Mail Id: IPM-10080-900219-094970964
Diana
As Vicky isn't in, please could I ask you to have a look
at this suspect activity. I have 2 requests from the US, one from
Robert, the other from Mark Hulbert - so they are obviously
concerned!
Thanks very much
Julie
From: R.RUSSIN (ROBERT) Delivered: Fri 16-Feb-90 16:52 GMT Sys 198
Forward: J.KENNEDY (BTG109)
Subject: Suspect activity from sys 75
Mail Id: IPM-198-900216-106761270
Here is a question that could be better answered at your end.
Robert
From: M.ROSENBERG (MICHAELR) Delivered: Fri 16-Feb-90 0:35 EST Sys 6007
To: R.RUSSIN (ROBERT)
Subject: Suspect activity from sys 75
Mail Id: IPM-6007-900216-149240236
Dear Berta,
could you forward this message to the appropriate person in BT.
A user on system 07 was accessed from system 75, and while I think
that the usage was not at all indicative of a hacker, she is adamant that no one
on BTG should know her password.
Could you ask BTG to check for calls to system 07 (5053200000,5053200050
or 505211134999) from 023421920100475 on
22/1 1:17-11:40 UTC
17:40 25/1 - 05:34 26/1 UTC
and tell me (if possible) who the user was and if that account is suspect.
I'll say again that it looks to me as if the person knew the pw and
only used OTC Intelnet, but I must check it out. I'd like to know who
the user was so that I may tell my user the name of the person/company to
see if I can jog her memory on someone who can use her account.
Thanks,
Michael
To: MICHAELR (6007:MICHAELR)
Cc: M.HULBERT (MARK)
Cc: R.RUSSIN (ROBERT)
From: R.RUSSIN (ROBERT) Delivered: Thu 8-Feb-90 13:45 Sys 198 (58)
Subject: Reply to: Activity from Australia on System 41
Mail Id: IPM-198-900207-195640975
In Reply To: IPM-6007-900208-095270350
Michael,
Yes we know about the activity on 41. Thanks for advising us as well.
The hacker goes by the handle Raster Biter. They have been onto a few different
accounts on 41 since November. I discovered this afternoon after reviewing my weekly
nusage security check that they penetrated the account 41:UGA006 coming in from
CSC Infonet 31370090059 and AUSTPAC 505270589986. Once on they are then using our
Prime system to netlink back out into the Telenet world. I have been in contact
with Telenet Security and also the Royal Canadian Mounted Police since they were
beating on some Canadian systems from 41.
It appears the hacker(s) are establishing many points of entries on various PDN's
around the globe. They spend long hours on many of the systems they have netlinked
out to from our systems. I feel that since all of their incoming addresses to U.S.
Dialcom are from the above two addresses I would tend to think that the hackers
are Australia based. The access is mostly late night too. There is one other
CSC Infonet address they come in from but, I am at home now and don't have it
written down with me. When I get in to work tomorrow I will send it to you.
Since November they have hit accounts on 41, 50, 52 and 57. We have curtailed
their access so far from all but 41. I find them on one account and have the
password changed then the next week they show up on another account. However
they are all accounts that were retrieved sometime from a directory listing
since they all belong to the same client who has many prefixes on 41. The
others on 50, 52 and 57 I believe were from accounts listed in another
captured directory. The system manager for the account still hasn't told
us if the passwords to the hacked accounts had any relation to entries
in the mail directory.
Well I have to go now and finish some more of my end of month report.
Stay in touch and thanks for the heads up.
Robert
From: MIKE.ROSENBERG (MICHAELR) Delivered: Wed 7-Feb-90 18:34 EST Sys 6007
To: R.RUSSIN (ROBERT)
Subject: Activity from Australia on System 41
Mail Id: IPM-6007-900208-095270350
Dear Robert/Mark, assuming that you are both still employed by Dialcom....
Our packet switch guys have informed me of much activity to system 41
over the last few days.
I suggest you look for accesses from 505234289983 on :
2/7 0135 to 1811 UTC for a start.
Check for other accesses during feb. of course, but you should find accesses
on at least the 2nd and 6th as well.
Could you also check an access from 505291989999 on 2/7 11:00 UTC please. It
was only 4 minutes long so it is probably OK.
This suspect NUI is not going to be blacklisted by OTC because furtive
investigations are under way into his activities.
Hear from you shortly,
Regards,
Michael.
To: E.LONG (ELLEN)
To: M.AUSCHWITZ (MONICA)
Cc: M.HULBERT (MARK)
Cc: R.RUSSIN (ROBERT)
Bc: MICHAELR (6007:MICHAELR)
From: R.RUSSIN (ROBERT) Delivered: Thu 1-Feb-90 6:05 Sys 198 (22)
Subject: System 41 Hacker Penetration
Mail Id: IPM-198-900131-126420709
Monica,
The account UGA024 on system 41 was penetrated
again. The last penetration was on January 11th which I discovered
and made notification. The account has since been penetrated
on January 29th 7 hrs & 7 min, 30th 7 hrs & 33 min and the 31st
4 hrs and 2 min.
After the last reported hit back on the 11th the password was
never changed and the hacker came back onto the account again.
I changed the password myself this morning after I discovered
the problem. The incoming network addresses are 31370090059 ,
31370038209007 which are CSC Infonet and 505234289983 which
is Australia Telecom AUSTPAC.
You will need to notify TCN that their account was hit and
since they never changed the password the last time I don't
know how you want to handle the credit part.
The password is NELLE
Robert
To: ROBERT (198:ROBERT)
Cc: MICHAELR (6007:MICHAELR)
Cc: S.PATEL (BTG197)
From: V.LUNDBERG (BTG072) Delivered: Wed 21-Feb-90 4:03 Sys 10080 (9)
Subject: Security checks.
Mail Id: IPM-10080-900220-153471089
Robert,
I am going on holiday for just over 2 weeks, therefore if you have any
urgent need for our help please could you contact in the first instance
Sandy, BTG197.
(Of course you also have Julies id if you need her too.)
Many thanks,
Vicky.
To: ROBERT (198:ROBERT)
Cc: MARK (198:MARK)
Bc: NET006
From: M.ROSENBERG (MICHAELR) Delivered: Thu 29-Mar-90 18:28 AEST Sys 6007 (93)
Subject: Reply to: Suspect activity from sys 75
Mail Id: IPM-6007-900329-166320230
In Reply To: IPM-198-900220-087370915
Dear Robert,
I have been checking this message and just realised that this
is a nusage of accesses of system 75 FROM system 07. I needed to know
who on system 75 called either 5053200000 or 5053200050 or 505211134999 on
the times and dates specified below. I know that no one should have
been able to do this without netlink but someone did, so could you ask
Dialcom UK to do an nusage of all OUTGOING calls to these addresses and tell
me who the customer was.
Thanks
Michael
From: R.RUSSIN (ROBERT) Delivered: Wed 21-Feb-90 1:43 Sys 198
Forward: M.ROSENBERG (MICHAELR)
Subject: Suspect activity from sys 75
Mail Id: IPM-198-900220-087370915
Michael,
Here is some additional info I received from BTGOLD
that may help you in your inquiry.
Robert
From: D.DOVEY-PRICE (BTG300) Delivered: Mon 19-Feb-90 7:09 EST Sys 10080
Forward: R.RUSSIN (ROBERT)
Subject: Suspect activity from sys 75
Mail Id: IPM-10080-900219-109471015
Robert,
I 've done some investigating on this matter and have found one of our
customers accessing address 5053200000, but only on 22/1 and 26/1 and not
on 25/1. Enclosed are the times for you to compare.
The company name is ARTSLINK.
Hope this info is of some use to you.
Diana.
User Name Date Time Net Addr
MUS074 22 3:36 5053200000
MUS074 22 18:02 5053200000
MUS074 22
User Name Date Time Net Addr
MUS074 26 12:40 5053200000
From: J.KENNEDY (BTG109) Delivered: Mon 19-Feb-90 10:33 GMT Sys 10080
Forward: D.DOVEY-PRICE (BTG300)
Subject: Suspect activity from sys 75
Mail Id: IPM-10080-900219-094970964
Diana
As Vicky isn't in, please could I ask you to have a look
at this suspect activity. I have 2 requests from the US, one from
Robert, the other from Mark Hulbert - so they are obviously
concerned!
Thanks very much
Julie
From: R.RUSSIN (ROBERT) Delivered: Fri 16-Feb-90 16:52 GMT Sys 198
Forward: J.KENNEDY (BTG109)
Subject: Suspect activity from sys 75
Mail Id: IPM-198-900216-106761270
Here is a question that could be better answered at your end.
Robert
From: M.ROSENBERG (MICHAELR) Delivered: Fri 16-Feb-90 0:35 EST Sys 6007
To: R.RUSSIN (ROBERT)
Subject: Suspect activity from sys 75
Mail Id: IPM-6007-900216-149240236
Dear Berta,
could you forward this message to the appropriate person in BT.
A user on system 07 was accessed from system 75, and while I think
that the usage was not at all indicative of a hacker, she is adamant that no one
on BTG should know her password.
Could you ask BTG to check for calls to system 07 (5053200000,5053200050
or 505211134999) from 023421920100475 on
22/1 1:17-11:40 UTC
17:40 25/1 - 05:34 26/1 UTC
and tell me (if possible) who the user was and if that account is suspect.
I'll say again that it looks to me as if the person knew the pw and
only used OTC Intelnet, but I must check it out. I'd like to know who
the user was so that I may tell my user the name of the person/company to
see if I can jog her memory on someone who can use her account.
Thanks,
Michael
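Michael's request above amounts to correlating BTGOLD's usage extract (user, day, time, called address) against two UTC windows. The following is an added example and not part of the original correspondence or of any Dialcom tooling; it assumes the extract covers January 1990 (the log carries day numbers only) and treats the zone the log times are recorded in as a parameter, since the request is in UTC while the extract's zone is not stated.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of the BTGOLD usage extract: user, day of
# month, HH:MM, called X.25 address. Headers and the truncated row are kept in.
USAGE_LOG = """\
User Name Date Time Net Addr
MUS074 22 3:36 5053200000
MUS074 22 18:02 5053200000
MUS074 22
User Name Date Time Net Addr
MUS074 26 12:40 5053200000
"""
LOG_YEAR, LOG_MONTH = 1990, 1          # assumed: the extract shows days only
AEST = timezone(timedelta(hours=10))   # OTC's local zone, used as a what-if

# System 07 addresses and the suspect windows quoted in the request (UTC).
SYSTEM_07_ADDRS = {"5053200000", "5053200050", "505211134999"}
SUSPECT_WINDOWS = [
    (datetime(1990, 1, 22, 1, 17, tzinfo=timezone.utc),
     datetime(1990, 1, 22, 11, 40, tzinfo=timezone.utc)),
    (datetime(1990, 1, 25, 17, 40, tzinfo=timezone.utc),
     datetime(1990, 1, 26, 5, 34, tzinfo=timezone.utc)),
]

def parse_usage(text, year, month, log_tz=timezone.utc):
    """Turn 'user day H:MM addr' lines into (user, aware datetime, addr)."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[1].isdigit():
            continue  # column header or truncated row
        user, day, hhmm, addr = parts
        hour, minute = (int(x) for x in hhmm.split(":"))
        records.append((user, datetime(year, month, int(day), hour, minute,
                                       tzinfo=log_tz), addr))
    return records

def investigate(text, log_tz=timezone.utc):
    """Calls to a system 07 address inside a suspect window, reported in UTC.
    log_tz is the zone the extract is assumed to use; the answer moves with it."""
    hits = []
    for user, when, addr in parse_usage(text, LOG_YEAR, LOG_MONTH, log_tz):
        if addr in SYSTEM_07_ADDRS and any(s <= when <= e for s, e in SUSPECT_WINDOWS):
            hits.append((user, when.astimezone(timezone.utc).isoformat(), addr))
    return hits

if __name__ == "__main__":
    print("log read as UTC: ", investigate(USAGE_LOG))
    print("log read as AEST:", investigate(USAGE_LOG, AEST))
```

Read as UTC, only the 22/1 03:36 call lands in a window, matching Diana's finding of 22/1 and 26/1 access but nothing in the 25/1 window; read as AEST the 18:02 and 26/1 calls fall inside instead, which is why the extract's time zone has to be confirmed before anyone is named.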
END OF DOCUMENT
| ISSN 1742-948X 01 (Online) | 2005/03/01 | Copyright 2002-2008 securitydigest.org. All rights reserved. |