Item forwarded by D.WHITESIDE2 to M.LASKY2
Item 0622126 91/05/25 12:26
From: MITCH.WAGNER Mitch Wagner
To: D.WHITESIDE2 Donald A. Whiteside
Sub: New Uploads

BY MITCH WAGNER

It's hardly the Cuckoo's Egg or the Internet Worm, but it's still an intriguing little unsolved mystery. Maybe you can figure out whodunit, and why. I can't. Here are the clues:

On the night of Sunday, April 14, physics students at Purdue University engaged in that time-honored collegiate tradition known as ``pulling an all-nighter'' were in for a rude surprise. It came in the form of a piece of E-mail, purporting to come from their systems administrator, stating that ``because of security faults,'' users were required to change their passwords to ``systest001.''

The E-mail gave helpful instructions on how users could change their passwords, and concluded, politely but firmly: ``This change should be done IMMEDIATELY. We will inform you when to change your password back to normal, which should not be longer than ten minutes.''

The official-sounding memo was a scam, said Kevin Miller, Unix system manager for the Purdue University Physics Department. Two of his users fell for it, he said. Once they did, some unidentified cracker logged in using the systest001 password, and began to search the system for security holes.

The cracker also set into motion a program that would have started another, even more ambitious break-in of the Purdue network, had it not been spotted by a suspicious user. That script flashed a message on the screen of every logged-in user, asking them to please play-test a version of Tetris -- a popular video game -- on the local system. But the so-called Tetris game was actually a script that prompted users for their log-in passwords, and -- if the log-in password was given -- mailed that password to an off-campus mail drop.

The systest001 and Tetris scams at Purdue University are examples of several similar break-ins that have been happening nationwide.

Gene Spafford, an assistant professor of computer science at Purdue who specializes in security and computer ethics, called the cracking attempts ``the most amusing attempts at a break-in in recent memory.''

Tetris' initial point of origin, he noted, could not be better calculated to create panic in the military mindset. ``Tetris was developed in the Soviet Union; it's one of the products of the Soviet software industry,'' he said. He said, however, that he believes the ironies are coincidental, because he believes the hackers are too unsophisticated to have thought of the ironies themselves.

Elsewhere in the country, the systest001 memo and Tetris scam were apparently found independently. Purdue was the only site we could locate where the two scams were linked and running on the same machine.

The Computer Emergency Response Team at Carnegie-Mellon University has put out an advisory on both scams, urging users to alert their systems administrators if anyone asks for their password, or asks them to change their password.

The cracker doing this bit of social engineering is taking advantage of the fact that it's really easy to create UUCP mail that appears to come from just about anywhere -- a trick that's called ``spoofing'' by the cognoscenti. Indeed, it's a traditional April Fool's Day prank to flood USENET with all sorts of messages that appear to come from well-known net personalities -- including a warning against April Fool's Day spoofs signed by Spafford that Spafford himself never wrote.

CERT technical coordinator Ed DeHart said that he believes that the systest001 and Tetris scams were fairly small. ``I don't think it's widespread. It's a gut-level feeling, talking to people and based on the number of reports we've had so far,'' he said.

DeHart said he has no idea who the author of the scam is. Neither do I -- but I have one more clue.

I sent some mail to the mail drop used in the Tetris scam, stating in veiled terms my desire to do an article ``about TurboTetris'' and asking for information about ``why you did what you did.''

The next morning, I got a response that expressed interest in the offer. Whoever it was that sent the mail refused to give out a real name, only an alias he or she uses on bulletin-board systems. The correspondent promised to get back to me by phone if I agreed to his or her terms, and left a time to call. I did so. And heard nothing until last week.

At that time, I talked to people purporting to be the Tetris hackers -- there were two of them -- at some length, but our conversation covered so much ground that it would be better to save it for next issue's column. So we'll do so.

(Mitch Wagner is a senior editor at UNIX Today!)

BY MITCH WAGNER

``Beta Raider'' says he and a friend started to break into computer systems about a year and a half ago, when they were about 14. That was when his Dad got him a PC, an IBM AT clone with a 286 processor.

``I just started using it for homework and all that jazz,'' said the 16-year-old Beta Raider. ``Then my dad got a modem, and then I called local public-domain BBSes, and then I got into pirate boards, where I started talking about things like hacking and the concept of hacking security.''

Last month, a scam which Beta Raider authored was the subject of an advisory from the Computer Emergency Response Team (CERT) at Carnegie-Mellon University. He sent mail to users urging them to try out a new version of the popular computer game Tetris. The game was nonexistent, and the mail was part of a confidence job that resulted in users having their login IDs and passwords mailed to a mail drop on a different system, for pickup by Beta Raider and his friend.

I got in touch with Beta Raider by the simple expedient of sending mail to that mail drop. We chatted two or three times on the phone.
I don't know his real name, and the only really significant personal details I know about him are his age, the fact that he lives in a suburb near Washington, D.C., and that he attends a public high school. (Actually, that's not entirely true. I do know one more significant thing about him: that he's not paranoid enough. He let drop a couple of other things that could be used to track him down really easily, things which I'm withholding in the interest of protecting sources.)

Beta Raider, like most of his brethren in the computer underground, says that when he breaks into a system, he's not in it for personal gain. Breaking in is an end in itself, a means of learning about computers, and a means of gaining entree into other systems. ``It's a puzzle. I like to crack security,'' he said.

He likes to work from accounts that have no files in them except for system login files. That's an indication that he won't be disturbed at his work; that the legitimate owner of that account has been away for a while. From that base, he looks around the system. ``Usually I'm looking either for technical notes, source code, or more access,'' he said. Occasionally, if he finds an interesting piece of unpublished software documentation or tips, he'll post it to the bulletin boards -- but nothing, he said, that the company wouldn't want out anyway.

He's also looking for .netrc files, which tell him how to log onto other systems remotely. ``If the system that I'm currently on is large enough, usually one person would have access to any other system,'' he said.

Beta Raider is aware that there are currently stiff penalties against computer crimes, but he says he doesn't worry, because he's careful and because what he does is not that serious. ``I've talked to most of the major hacks across the country, but what they've done, you can really take notice of it,'' he said.

Beta Raider says he doesn't know what he wants to do when he grows up.
``My Mom wants me to become a lawyer, my Dad wants me to do bioengineering or something or other,'' he said. ``I want to do something with computers.''

For what it's worth, I left the interviews finding it difficult to imagine Beta Raider as the villains some computer security advocates would have us believe populate the computer underground. I also couldn't picture him as a heroic desperado of the electronic frontier, which is the picture that hip publications like MONDO 2000, Rolling Stone or The Village Voice like to paint. He just seems to be a bright, friendly kid -- a good kid fundamentally. And he's out there doing what a lot of bright, friendly good kids have always done: getting into mischief.

(Mitch Wagner is a senior editor at UNIX Today!)

----------
Downloaded From P-80 International Information Systems 304-744-2253