Date: 23 Jan 1993 16:14:31 -0700 (MST)
From:
Subject: File 1--Talking with the Underground

(Previously published in the Computer Security Institute's newsletter, The Alert, and the French Chaos Computer Club's Chaos Digest)

Talking with the underground
by Ray Kaplan and Joe Kovara

Information about system and network vulnerabilities is sparse, not readily available, and carefully guarded by those segments of the security community that collect and control it. Given that the legitimate security community won't share information about vulnerabilities with us, isn't it logical that we include outsiders (the computer underground or ex-computer criminals) in these discussions? Amid criticism, we decided to let the community ask the advice of the experts: the crackers who have successfully cracked computer networks.

Exploring the details of vulnerabilities

Over 300 participants at 25 sites in the US, Canada, Europe and Mexico joined law enforcement, members of the security community, and former members of the computer underground as we explored these questions in the November 24, 1992, audio teleconference entitled "System and Network Security: How You Will Be Attacked and What to do About It."

Our guests included Kevin Mitnick and Lenny DiCicco, who successfully penetrated a range of networks and telephone systems. They were both sentenced in federal court after successfully penetrating Digital Equipment Corporation's computer network in 1988. They stole the source code to VMS, Digital's widely used operating system. Their exploits were profiled in the book Cyberpunk: Outlaws and Hackers on the Computer Frontier, by Katie Hafner and John Markoff (1991, Simon and Schuster).

Our panelists included Hal Hendershot, head of the FBI Computer Crime Unit in Washington, D.C.; Don Delaney, Senior Investigator with the New York State Police; computer security consultant Dave Johnson of Talon Systems (Los Altos, CA); Robert Clyde, V.P. of the Security Products Group, RAXCO, Inc.; and Lew, the organizational director of automation for a medium-size company and a former cracker. The panelists shared their considerable experience and discussed techniques used to break in to computer networks. Among the penetration techniques discussed were the use of psychological subversion, telecommunications monitoring techniques, and the exploitation of known system and network bugs. Despite the popularity of these attack techniques, they are little known outside of the computer underground and the computer security community.

Panelists issue stern warnings about telecommunications security

Don Delaney stated that tremendous loss of money from both toll and Private Branch eXchange (PBX) fraud is what's happening in the telecom area. Since the security of a PBX is the responsibility of its owner, such losses are not being absorbed by the telephone companies involved. These losses have been known to force the owners of compromised PBXs into bankruptcy. Delaney joins us in saying that it's not a matter of if you will be hit, but when.

According to DiCicco, compromising the telephone system gave him and Kevin the ability to attack systems without the fear of discovery: telco tracebacks were simply ineffective. They could attack networks at many different points of entry all over the country. This is why no one could keep them out, even though their victims knew their systems and networks had been compromised. If all of this does not scare you, consider Lenny's admission that at one point he and Kevin had compromised over 50 telco switches in the United States, including all of California, parts of New Jersey, New York and New Hampshire. At one point they even controlled all three of the switches that provided phone service to Manhattan. Yes, the law is ready to help, but the threat is a tough, sophisticated, international one.

Threats from abroad?

Yes, the threat does exist, according to Hal Hendershot of the FBI.
Robert Clyde reports getting many calls from people trying to solve security problems. In keeping with what we know of reported computer crimes, most sites see problems from insiders: employees, consultants and vendors. Robert reports that at a September 1992 conference in Sweden where he spoke, two companies publicly spoke of being approached by former East German agents for hire for as little as $10,000. We appear to be seeing the criminalization of hacker activity that many have long feared: hackers and ex-foreign intelligence agents for hire.

James Bond is alive and well, thank you

In late 1992 Don Delaney reported the first case he's seen of "James Bond" techniques. Remote surveillance can be done by intercepting, decoding and displaying the Radio Frequency (RF) emanations of various computing devices such as terminals and network cabling. Delaney reports that in late 1992, an antenna was put up on the balcony of a 19th floor room in New York's Helmsley building pointing at Chemical Bank. He indicated that it was being very carefully adjusted before being locked into position. By the time they were able to investigate, the antenna and its manipulator had vanished, presumably having successfully gathered the intelligence that they were after. This is no longer "gee, we knew it was possible," but "holy shit, it's happening now." Imagine someone reading your terminal screen from across the street.

Management's "show me" attitude

Dave Johnson insists that his biggest problem when he was at Lockheed was getting corporate management to understand that there is a problem. One of the areas in which this type of conference can really help is understanding the enemy. Management simply doesn't understand the thinking of hackers. Since it makes no sense to them, they tend to deny its existence until there's proof. Of course, the proof is usually very expensive: once a system has been compromised, the work of cleaning it up is long, hard and complicated.
A well-connected system or network makes an excellent platform from which to launch attacks on other hosts or on other networks. A major problem for Digital in securing their network against Kevin Mitnick and Lenny DiCicco was that only one vulnerable system on Digital's EASYnet was needed. From there, they were able to penetrate other systems. Even nodes that were known to have been penetrated and were secured were penetrated repeatedly, by using other vulnerable nodes to monitor either users or network traffic accessing the secured nodes.

While at Lockheed, Dave Johnson implemented policies, awareness training and wide-scale authentication for all external access, including dialup lines and telnet connections, using challenge-response tokens or smart cards. He does not trust the phone system and assumes that it has been compromised. Kevin Mitnick and Lenny DiCicco illustrated just how vulnerable the phone system was in 1988, and the MOD bust in July 1992 shows that things have not improved. Kevin reminds us that you must assume the telephone system is insecure: even robust challenge-response systems can be compromised. You simply have to play the telecommunications game for real. Kevin reminds us that unless you use encryption, all bets are off.

As an example of how deep, long-lived and dedicated a serious attack can be, consider that Kevin and Lenny were in DEC's network for years. They knew exactly what DEC and telco security were doing in their efforts to catch them, since they were reading the security personnel's email. They evaded the security forces for over 12 months, and they had a pervasive, all-powerful, privileged presence on DEC's internal network.

I've seen the enemy and them is us (this is a quote from Pogo)

Mitnick insists that people are the weakest link. According to his considerable experience, you don't even need to penetrate a system if you can talk someone on the inside into doing it for you.
Why bother breaking in to a computer system if you can talk someone in accounts payable into cutting you a check? Using the finely tuned tools of psychological subversion, practiced social manipulators can get most anything that they want from the ranks of the generally unsuspecting (uncaring?) employees that inhabit most of our organizations today. The only cure is a massive and complete educational program that fosters loyalty, awareness and proper skepticism in every employee.

In the end

Perhaps the strongest message from everyone was that you can't trust the phone system. Telephone companies have been, and continue to be, compromised. While Mitnick & DiCicco's penetration of DEC's internal network happened in 1988, the 1992 MOD bust showed us that the same techniques are still being used successfully today. Data and voice, including FAX transmissions, are subject to eavesdropping and spoofing. Encryption is absolutely required for secure, trustworthy communications.

The coupling of social engineering and technical skills is a potent threat. Most sites that have addressed technical security are still wide open to penetration from people who have well-practiced social engineering skills. However, in all, you don't even need social engineering skills to get into most systems.

Are your systems and networks secure? Are your systems and networks at risk? What will you do if you are attacked? Although the questions seem simple, they are not. Future teleconferences will explore both the questions and the answers in more detail.

++++

Ray Kaplan and Joe Kovara have been independent computer consultants for more than a decade. They specialize in operating systems, networks and solving system and network security problems. Ray Kaplan is also a well-known writer and lecturer. He is a regular contributor to Digital News and Review and other computer trade publications.
Tapes and handout materials for the System and Network Security teleconference series are available from Ray Kaplan, P.O. Box 42650, Tucson, AZ USA 85733; FAX (602) 791-3325; Phone (602) 323-4606.

------------------------------

From: sc03281@LLWNET.LINKNET.COM (Cheshire HS)
Subject: File 2--System Surfing at U-Cal/Davis

Downloaded From P-80 International Information Systems 304-744-2253