==Phrack Inc.== Volume Four, Issue Thirty-Nine, File 12 of 13 PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN Phrack World News PWN PWN PWN PWN Issue XXXIX / Part Three of Four PWN PWN PWN PWN Compiled by Datastream Cowboy PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN New Phones Stymie FBI Wiretaps April 29, 1992 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ By Simson L. Garfinkel (Christian Science Monitor)(Page 12) "Legislation proposed by Justice Department would change the way telecommunications equipment is developed in the United States." For more than 50 years, wiretapping a telephone has been no more difficult than attaching two clips to a telephone line. Although legal wiretaps in the United States have always required the approval of a judge or magistrate, the actual wiretap has never been a technical problem. Now that is changing, thanks to the same revolution in communications that has made car phones, picture telephones, and fax machines possible. The only thing a person tapping a digital telephone would hear is the indecipherable hiss and pop of digital bits streaming past. Cellular telephones and fiber-optic communications systems present a would-be wiretapper with an even more difficult task: There isn't any wire to tap. Although cellular radio calls can be readily listened in on with hand-held scanners, it is nearly impossible to pick up a particular conversation -- or monitor a particular telephone -- without direct access to the cellular telephone "switch," which is responsible for connecting the radio telephones with the conventional telephone network. This spring, the Federal Bureau of Investigation (FBI) unveiled legislation that would require telephone companies to include provisions in their equipment for conducting court-ordered wiretaps. But critics of the legislation, including some members of Congress, claim that the proposals would expand the FBI's wiretap authority and place an undue burden on the telecommunications industry. Both sides agree that if provisions for monitoring communications are not made in the planning stages of new equipment, it may eventually become impossible for law enforcement personnel to conduct wiretaps. "If the technology is not fixed in the future, I could bring an order [for a wiretap] to the telephone company, and because the technology wasn't designed with our requirement in mind, that person could not [comply with the court order]," says James K. Kalstrom, the FBI's chief of engineering. The proposed legislation would require the Federal Communications Commission (FCC) to establish standards and features for makers of all electronic communications systems to put into their equipment, require modification of all existing equipment within 180 days, and prohibit the sale or use of any equipment in the US that did not comply. The fine for violating the law would be $10,000 per day. "The FBI proposal is unprecedented," says Representative Don Edwards (D) of California, chairman of the House Judiciary Subcommittee on Civil and Constitutional Rights and an outspoken critic of the proposal. "It would give the government a role in the design and manufacture of all telecommunications equipment and services." Equally unprecedented, says Congressman Edwards, is the legislation's breadth: The law would cover every form of electronic communications, including cellular telephones, fiber optics, satellite, microwave, and wires. It would cover electronic mail systems, fax machines, and all networked computer systems. It would also cover all private telephone exchanges -- including virtually every office telephone system in the country. Many civil liberties advocates worry that if the ability to wiretap is specifically built into every phone system, there will be instances of its abuse by unauthorized parties. Early this year, FBI director William Sessions and Attorney General William Barr met with Senator Ernest F. Hollings (D) of South Carolina, chairman of the Senate Commerce Committee, and stressed the importance of the proposal for law enforcement. Modifying the nation's communications systems won't come cheaply. Although the cost of modifying existing phone systems could be as much as $300 million, "We need to think of the costs if we fail to enact this legislation," said Mr. Sessions before a meeting of the Commerce, Justice, State, and Judiciary Subcommittees in April. The legislation would pass the $300 million price-tag along to telephone subscribers, at an estimated cost of 20 cents per line. But an ad-hoc industry coalition of electronic communications and computer companies has objected not only to the cost, but also to the substance of the FBI's proposal. In addition, they say that FCC licensing of new technology would impede its development and hinder competitiveness abroad. Earlier this month, a group of 25 trade associations and major companies, including AT&T, GTE, and IBM, sent a letter to Senator Hollings saying that "no legislative solution is necessary." Instead, the companies expressed their willingness to cooperate with the FBI's needs. FBI officials insist that legislation is necessary. "If we just depend on jaw-boning and waving the flag, there will be pockets, areas, certain places" where technology prevents law enforcement from making a tap, says Mr. Kalstrom, the FBI engineer. "Unless it is mandatory, people will not cooperate." For example, Kalstrom says, today's cellular telephone systems were not built with the needs of law enforcement in mind. "Some companies have modified their equipment and we can conduct surveillance," he says. But half of the companies in the US haven't, he adds. Jo-Anne Basile, director of federal relations for the Cellular Telecommunications Industry Association here in Washington, D.C., disagrees. "There have been problems in some of the big cities because of [limited] capacity," Ms. Basile says. For example, in some cities, cellular operators had to comply with requests for wiretaps by using limited "ports" designed for equipment servicing. Equipment now being installed, though, has greatly expanded wiretap capacity in those areas. "We believe that legislation is not necessary because we have cooperated in the past, and we intend on cooperating in the future," she adds. The real danger of the FBI's proposal is that the wiretap provisions built in for use by the FBI could be subverted and used by domestic criminals or commercial spies from foreign countries, says Jerry Berman, director of the Electronic Frontier Foundation, a computer users' protection group in Cambridge, Mass. "Anytime there is a hearing on computer hackers, computer security, or intrusion into AT&T, there is a discussion that these companies are not doing enough for security. Now here is a whole proposal saying, 'Let's make our computers more vulnerable.' If you make it more vulnerable for the Bureau, don't you make it more vulnerable for the computer thief?" Civil liberties advocates also worry that making wiretaps easier will have the effect of encouraging their use -- something that the FBI vehemently denies. "Doing a wiretap has nothing to do with the [technical] ease," says Kalstrom. "It is a long legal process that we must meet trying all other investigations before we can petition the court." Kalstrom points out the relative ease of doing a wiretap with today's telephone system, then cites the federal "Wiretap Report," which states that there were only 872 court-approved wiretaps nationwide in 1990. "Ease is not the issue. There is a great dedication of manpower and cost," he says. But digital wiretapping has the potential for drastically lowering the personnel requirements and costs associated with this form of electronic surveillance. Computers could listen to the phone calls, sitting a 24-hour vigil at a low cost compared with the salary of a flesh-and-blood investigator. "Now we are seeing the development of more effective voice-recognition systems," says Edwards. "Put voice recognition together with remote-access monitoring, and the implications are bracing, to say the least." Indeed, it seems that the only thing both sides agree on is that digital telephone systems will mean more secure communications for everybody. "It is extremely easy today to do a wiretap: Anybody with a little bit of knowledge can climb a telephone poll today and wiretap someone's lines," says Kalstrom. "When the digital network goes end-to-end digital, that will preclude amateur night. It's a much safer network from the privacy point of view." - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - FBI Fight With Computer, Phone Firms Intensifies May 4, 1992 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Taken from Los Angeles Times (Business, Part D, Page 2) "Spy Agencies Oppose Technology That Will Prevent Them From Tapping Into Data And Conversations" Top computer and telecommunications executives are fighting attempts by the FBI and the nation's intelligence community to ensure that government surveillance agencies can continue to tap into personal and business communications lines as new technology is introduced. The debate flared last week at a House Judiciary Committee hearing on foreign intelligence agencies' attempts to gather U.S. companies' secrets. The committee's chairman, Representative Jack Brooks (D-Tex.), called the hearing to complain that the FBI and the National Security Agency (NSA) are hurting companies' attempts to protect their communications. The issue has been heating up on two fronts. Phone companies have been installing digital equipment that frustrates phone tapping efforts, and computer companies are introducing new methods of securing data transmissions that are almost impossible for intelligence agencies to penetrate. The controversy centers, in part, on an FBI attempt to persuade Congress to force telephone companies to alter their digital networks, at a possible cost of billions of dollars that could be passed on to ratepayers, so that the FBI can continue performing court-authorized wiretaps. Digital technology temporarily converts conversations into computerized code, which is sent at high speed over transmission lines and turned back to voice at the other end, for efficient transmission. Civil liberties groups and telecommunications companies are fiercely resisting the FBI proposal, saying it will stall installation of crucial technology and negate a major benefit of digital technology: Greater phone security. The critics say the FBI plan would make it easier for criminals, terrorists, foreign spies and computer hackers to penetrate the phone network. The FBI denies these and other industry assertions. Meanwhile, the NSA, the nation's super-secret eavesdropping agency, is trying to ensure that government computers use a computer security technology that many congressmen and corporate executives believe is second-rate, so that NSA can continue monitoring overseas computer data transmissions. Corporations likely would adopt the government standard. Many corporate executives and congressmen believe that a branch of the Commerce Department that works closely with NSA, the National Institute of Standards and Technology (NIST), soon will endorse as the government standard a computer- security technology that two New Jersey scientists said they penetrated to demonstrate its weakness. NIST officials said that their technology wasn't compromised and that it is virtually unbreakable. "In industry's quest to provide security (for phones and computers), we have a new adversary, the Justice Department," said D. James Bidzos, president of California-based RSA Data Security Inc., which has developed a computer- security technology favored by many firms over NIST's. "It's like saying that we shouldn't build cars because criminals will use them to get away." "What's good for the American company may be bad for the FBI" and NSA, said Representative Hamilton Fish Jr. (R-N.Y.). "It is a very heavy issue here." The situation is a far cry from the 1950s and 1960s, when companies like International Business Machines Corporation and AT&T worked closely with law- enforcement and intelligence agencies on sensitive projects out of a sense of patriotism. The emergence of a post-Vietnam generation of executives, especially in new high-technology firms with roots in the counterculture, has short-circuited the once-cozy connection, industry and government officials said. "I don't look at (the FBI proposal) as impeding technology," FBI Director William S. Sessions testified at the Judiciary Committee hearing. "There is a burden on the private sector . . . a price of doing business." FBI officials said they have not yet fumbled a criminal probe due to inability to tap a phone, but they fear that time is close. "It's absolutely essential we not be hampered," Sessions said. "We cannot carry out our responsibilities" if phone lines are made too secure. On the related computer-security issue, the tight-lipped NSA has never commented on assertions that it opposes computerized data encryption technologies like that of RSA Data Security because such systems are uncrackable. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - For more articles on this same topic, please see: Phrack 38, File 11; The Digital Telephony Proposal. _______________________________________________________________________________ FBI Seeks Compiled Lists For Use In Its Field Investigation April 20, 1992 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ By Ray Schultz (DMNews)(Page 1) Special Thanks: The Omega and White Knight Washington, D.C. -- The Federal Bureau of Investigation, in a move that could spell trouble for the industry, reported is seeking commercial mailing lists for use in its investigations. Spokespersons for both MetroMail Corporation and Donnelley Marketing confirmed that they were approached for services within the last two weeks and other firms also received feelers. Neither of the identified firms would discuss details, but one source familiar with the effort said the FBI apparently is seeking access to a compiled consumer database for investigatory uses. The FBI agents showed "detailed awareness" of the products they were seeking, and claimed to have already worked with several mailing list companies, according to the source. Metromail, which has been supplying the FBI with its MetroNet address lookup service for two years, did not confirm this version of events. Spokesperson John Tomkiw said only that the firm was asked by the FBI about a "broadening" of its services. The firm has supplied the bureau with a full listing of its products and services, but has not yet been contacted back and is not sure what action it will take, said Tomkiw. Donnelley was also vague on the specifics of the approach, but did say it has declined any FBI business on the grounds that it would be an inappropriate use of its lists. FBI spokesperson Bill Carter was unable to provide confirmation, although he did verify that the FBI uses MetroNet to locate individuals needed for interviews. If the database scenario is true, it would mark the first major effort by a government agency to use mailing lists for enforcement since the Internal Revenue Service tried to use rented lists to catch tax cheats in 1984. "We have heard of it," said Robert Sherman, counsel to the Direct Marketing Association and attorney with the firm of Milgrim Thomajan & Lee, New York. "We'd like to know more about it. If it is what it appears to be, law enforcement agents attempting to use marketing lists for law enforcement purposes, then the DMA and industry would certainly be opposed to that on general principles." Such usage would "undermine consumer confidence in the entire marketing process and would intrude on what otherwise would be harmless collection of data," Sherman said. RL Polk, which has not been contacted, said it would decline for the same reasons if approached. "That's not a proper use of our lists," said Polk chairman John O'Hara. "We're in the direct mail business and it's our policy not to let our lists be used for anything but marketing purposes." According to one source, who requested anonymity, the FBI intimated that it would use its subpoena power if refused access to the lists. The approaches, made through the FBI training center in Quantico, VA, reportedly were not the first. The FBI's Carter said the MetroNet product was used for address lookups only. "If a field office needs to locate somebody for an interview, we can check the [MetroNet] database as to where they reside and provide that information to the field office," he said. However, the product was cited as a potential threat to privacy last year by Richard Kessel, New York State Consumer Affairs Commissioner. In a statement on automatic number identifiers, Kessel's office said that "one firm offers to provide 800-number subscribers immediate access to information on 117-million customers in 83-million households nationwide. "The firm advertises that by matching the number of an incoming call into its database, and an 800 subscriber within seconds can find out such information as whether the caller has previously purchased items from their companies." Kessel included a copy of a trade ad for MetroNet, in which the product is presented as a direct marketing tool. Under the headline "Who am I?" the copy reads as if it is by an imaginary consumer. "The first step to knowing me better is as easy as retrieving my phone number in an Automatic Number Identification environment," it says. "Within seconds you can search your internal database to see if I've purchased from you before. And if it's not to be found, there's only one place to go -- to MetroNet. "MetroNet gives you immediate access to information on 117-million consumers in 83-million households nationwide: recent addresses; phone numbers; specific demographics and household information." Tomkiw defended the product, saying its primary focus is "direct marketing. We're always sensitive to those types of issues." MetroNet works as an electronic white pages, but does not contain "a lot of demograhpic data," he said. "It's primarily used by the real estate and insurance industries." The 1984 IRS effort reportedly was a failure, but it created a public outcry and much negative publicity for the industry. Though Polk, MetroMail and Donnelley all refused to rent their lists for the effort, the IRS was able to locate other lists through Dunhill of Washington. Most industry sources say that such efforts are doomed to fail because lists are useful only in identifying people in aggregate, not as individuals." _______________________________________________________________________________ Do You Know Where Your Laptop Is? May 11, 1992 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ By Robert Kelly (InformationWeek) Are your executives carrying computers with critical data? If so, company secrets are vulnerable It was an expensive round of window shopping. On December 17, 1990, David Farquhar parked his car in downtown London to browse through an automobile showroom. A Wing Commander in Great Britain's Royal Air Force, he was enjoying a few moments away from the mounting pressures leading up to the Gulf War, which would begin less than a month later. But Farquhar made a huge mistake: He left his laptop computer in his car. And although he was gone a mere five minutes, by the time he returned, the laptop had been stolen -- as had U.S. General Norman Schwarzkopf's plans, stored in the computer's disk drive, for the upcoming Allied strike against Iraq. Farquhar paid dearly for his carelessness. Soon after the red-faced Wing Commander reported the incident, he was court-martialed, demoted, and slapped with a substantial fine. The computer was anonymously returned a week later- with the disk drive intact. Farquhar may feel alone in his dilemma and rue the wrong turn his life has taken, but such episodes are anything but isolated. Though electronic security sources say it's too soon to keep score yet on the exact number of laptop thefts, anecdotally, at least, it appears a computer crime wave is underway. According to electronic data experts, during the past 18 months, as laptop purchases have soared, theft has taken off also. For instance, at the Computer Security Institute (CSI), an organization that ironically comprises corporate security experts, a half-dozen members have already reported their company laptops stolen, says Phil Chapnick, director of the San Francisco-based group. And there are probably more that aren't speaking about it, he adds: "Victims prefer to maintain a low profile." So do the perpetrators, obviously. But a picture of who some of them are is beginning to emerge, says John Schey, a security consultant for the federal government. He says a roving band of "computer hit men" from New York, Los Angeles, and San Francisco has been uncovered; members are being paid upwards of $10,000 to steal portable computers and strategic data stored on those machines from executives at Fortune 1,000 companies. Federal agents, Schey adds, are conducting a "very, very dynamic and highly energized investigation to apprehend the group." U.S. law enforcement authorities refuse to comment on the issue. Laptop theft is not, of course, limited to the United States. According to news reports, and independently confirmed by InformationWeek, visiting executives from NCR Corp. learned that reality the hard way recently when they returned to their rooms after dinner at the Nikko Hotel in Paris to find the doors removed from their hinges. The rooms were ransacked, turned upside down, but the thieves found what they were looking for. All that was taken were two laptops containing valuable corporate secrets. Paul Joyal, president of Silver Spring, Maryland, security firm Integer and a former director of security for the Senate Intelligence Committee, says he learned from insiders close to the incident that French intelligence agents, who are known for being chummy with domestic corporations, stole the machines. Joyal suspects they were working for a local high-tech company. An NCR spokesman denies knowledge of the incident, but adds that "with 50,000 employees, it would be impossible to confirm." Similar thefts, sources say, have occurred in Japan, Iraq, and Libya. It's not hard to figure out why laptop theft is on the rise. Unit sales of laptops are growing 40% annually, according to market researchers Dataquest Inc., and more than 1 million of them enter the technology stream each year. Most of the machines are used by major companies for critical tasks, such as keeping the top brass in touch when they're on the road, spicing up sales calls with real data pulled from the corporate mainframe, and entering field data into central computers. Because of laptops, says Dan Speers, an independent data analyst in West Paterson, New Jersey, "there's a lot of competitive data floating around." And a perfect way to steal information from central corporate databases. Thieves are not only taking laptops to get at the data stored in the disk drives, but also to dial into company mainframes. And sometimes these thieves are people the victims would least suspect. One security expert tells of "the wife of a salesman for a Fortune 500 manufacturing firm who worked for a direct competitor." While her husband slept, she used his laptop to log on to a mainframe at his company and download confidential sales data and profiles of current and potential customers. "The husband's job," says the security expert, "not the wife's, was terminated." Such stories, and there are plenty of them, have led many U.S. companies to give lip service to laptop theft, but in almost all cases they're not doing much about it. "Management has little or no conception of the vulnerability of their systems," says Winn Schwartau, executive director of InterPact, an information security company in Nashville. That's not surprising, adds CSI's Chapnick: "Security typically lags technology by a couple of years." Playing Catch-Up Still, some companies are trying to catch up quickly. Boeing Corp., Grumman Corp., and Martin Marietta Corp., among others, have adopted strict policies on portable data security. This includes training staffers on laptop safety rules, and even debriefing them when they return from a trip. One company, sources say, was able to use such a skull session to identify a European hotel as a threat to data security, and put it on the restricted list for future trips. Conde Nast Publications Inc. is taking the the issue even more seriously. The New York-based magazine group's 65-member sales force uses laptops to first canvas wholesalers, then upload data on newsstand sales and distribution problems to the central mainframe. To ensure that the corporate database isn't poisoned by rogue data, "we have a very tight security system," says Chester Faye, Conde Nast's director of data processing. That system's centerpiece is a program, created in-house at Conde Nast, that lets the mainframe read an identification code off of the chip of each laptop trying to communicate with it. "The mainframe, then, can hang up on laptops with chip IDs it doesn't recognize and on those reported stolen by sales reps," says Faye. And some organizations hope to go to even greater lengths. InterPact's Schwartau says a government agency in Great Britain wants to build a device that attaches to a user's belt and disconnects communication to a mainframe when the laptop deviates 15 degrees vertically. The reason: To protect corporate data if the person using the laptop is shot and killed while dialing in. Users say they're taking such extreme measures because the vendors don't; most laptops arrive from the factory without adequate security protection. Most require a password before booting, but thieves can decipher them with relative ease. Some also have removable hard drives, but again, these can be stolen with similar impunity and therefore provide little protection. Ironically, none of this may be necessary; experts emphasize that adding security to a laptop will not serve to price it out of existence. By some estimates, building in protection measures raises the price of a laptop by at most 20%. Beaver Computer Corp. in San Jose, California, for example, has a product to encrypt the data on a laptop's hard drive and floppy disks. With this, the information can't be accessed without an "electronic key" or password. BCC has installed this capability on its own laptop, the SL007, which seems to have passed muster with some very discriminating customers: Sources close to the company say a major drug cartel in Colombia wants some of these machines to protect drug trafficking data. Equally important is the need to protect data in the host computer from hackers who have stolen passwords and logons. Security Dynamics Technologies Inc. in Cambridge, Massachusetts, offers the credit card-sized SecurID, which can be attached to most laptops. SecurID consists of a $60 device that is connected to the laptop, and additional hardware (Cost: $3,800 to $13,000) installed on the host. SecurID continuously changes the logon used to dial into the host; by the time a hacker gets around to using a stolen logon, for instance, it will be obsolete. But what if all measures fail? You can always insure the hardware; can you insure the data? Not yet, but soon, says Nashville-based newsletter Security Insider Report. An upstart startup will soon begin offering data insurance policies that may include coverage of information lost when a portable computer is stolen. Company Cooperation >From protection to insurance, however, no measure can work unless laptop owners take the problem seriously. And that doesn't always happen. Case in point: In the late 1980s, the Internal Revenue Service approached Schwartau's firm to develop a blueprint for securing the confidential data that travels over phone lines between the 30,000 laptops used by field auditors and IRS offices. Schwartau came up with a solution. But the IRS shelved its security plans, and has done nothing about it since, he charges. Even those who should know better can run afoul of the laptop crime wave. About 18 months ago, Ben Rosen, chairman of laptop maker Compaq Computer Corp., left his machine behind on the train; it was promptly stolen. Rosen insists there was no sensitive data in the computer, but he did lose whatever he had. Unlike Schwarzkopf's plans, the laptop was never returned. _______________________________________________________________________________ Downloaded From P-80 International Information Systems 304-744-2253 12yrs+