home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Hacker 2
/
HACKER2.mdf
/
cud
/
cud508h.txt
< prev
next >
Wrap
Text File
|
1995-01-03
|
10KB
|
254 lines
Date: 23 Jan 1993 16:14:31 -0700 (MST)
From: <KAPLAN%UABPA@ARIZVMS.BITNET>
Subject: File 8--Talking with the Underground
(Previously published in the Computer Security Institute's
newsletter
- The Alert - and the French Chaos Computer Club's Chaos Digest)
Talking with the underground
by Ray Kaplan and Joe Kovara
Information about system and network vulnerabilities is sparse, not
readily available and carefully guarded by those segments of the
security community that collect and control it. Given that the
legitimate security community won't share information about
vulnerabilities with us, isn't it logical that we include outsiders
(the computer underground or ex-computer criminals) in these
discussions. Amid criticism, we decided to let the community ask
the
advice of experts the crackers who have successfully cracked
computer
networks.
Exploring the details of vulnerabilities
Over 300 participants at 25 sites in US, Canada, Europe and Mexico
joined law enforcement, members of the security community, and
former
members of the computer underground as we explored these questions
in
the November 24, 1992, audio teleconference entitled System and
Network Security: How You Will Be Attacked and What to do About It.
Our guests included Kevin Mitnick and Lenny DiCicco, who
successfully
penetrated a range of networks and telephone systems. They were
both
sentenced in federal court after successfully penetrating Digital
Equipment Corporation's computer network in 1988. They stole the
source code to VMS, Digital's widely used operating system. Their
exploits were profiled in the book Cyberpunk: Outlaws and Hackers
on
the Computer Frontier, by Katie Hafner and John Markoff (1991,
Simon
and Schuster).
Our panelists included Hal Hendershot, head of the FBI Computer
Crime
Unit in Washington D.C.; Don Delaney, Senior Investigator with the
New
York State Police; Computer security consultant Dave Johnson of
Talon
Systems (Los Alto, CA); Robert Clyde, V.P. of the Security Products
Group, RAXCO, Inc.; and Lew, the organizational director of
automation
for a medium size company a former cracker.
The panelists shared their considerable experience and discussed
techniques used to break in to computer networks. Among the
penetration techniques discussed were the uses of psychological
subversion, telecommunications monitoring techniques, and the
exploitation of known system and network bugs. Despite the
popularity
of these attack techniques, they are little known outside of the
computer underground and the computer security community.
Panelists issue stern warnings about telecommunications security
Don Delaney stated that tremendous loss of money from both toll and
Private Branch eXchange (PBX) fraud is whats happening in the
telecom
area. Since the security of a PBX is the responsibility of its
owner,
such losses are not being absorbed by the telephone companies
involved. These losses have been known to force the owners of
compromised PBXs into bankruptcy. Delaney joins us in saying that
its
not a matter of if you will be hit, but when.
According to DiCicco, compromising the telephone system gave he and
Kevin the ability to attack systems without the fear of discovery
-
telco tracebacks were simply ineffective. They could attack
networks
at many different points of entry all over the country. This is
why
no one could keep them out, even though their victims knew their
systems and networks had been compromised. If all of this does not
scare you, consider Lenny's admission that at one point he and
Kevin
had compromised over 50 telco switches in the United States,
including
all of California, parts of New Jersey, New York and New Hampshire.
At one point they even controlled all three of the switches that
provided phone service to Manhattan.
Yes, the law is ready to help - but the threat is a tough,
sophisticated, international one.
Threats from abroad? Yes, the threat does exist according to Hal
Hendershot of the FBI. Robert Clyde reports getting many calls
from
people trying to solve security problems. In keeping with what we
know of reported computer crimes, most sites see problems from
insiders: employees, consultants and vendors. Robert reports that
two companies publicly spoke of being approached by former East
German
agents for hire for as little as $10,000 at a September conference
in
Sweden where he spoke in 1992. We appear to be seeing the
criminalization of hacker activity that many have long feared:
hackers
and ex-foreign intelligence agents for hire.
James Bond is alive and well, thank you
In late 1992 Don Delaney reported the first case he's seen of James
Bond techniques. Remote surveillance can be done by intercepting,
decoding and displaying the Radio Frequency (RF) emanations of
various
computing devices such as terminals and network cabling. Delaney
reports that in late 1992, an antenna was put up on the balcony of
a
19th floor room in New York's Helmsley building pointing at
Chemical
Bank. He indicated that it was being very carefully adjusted
before
being locked into position. By the time they were able to
investigate, the antenna and its manipulator had vanished -
presumably
having successfully gathered the intelligence that they were after.
This is no longer gee, we knew it was possible, but holy shit, it's
happening now. Imagine someone reading your terminal screen from
across the street.
Management's show me attitude
Dave Johnson insists that his biggest problem when he was at
Lockheed
was getting corporate management to understand that there is a
problem. One of the areas in which this type of conference can
really
help is understanding the enemy. Management simply doesn't
understand
the thinking of hackers. Since it makes no sense to them, they
tend
to deny its existence until theres proof. Of course, the proof is
usually very expensive: once a system has been compromised the work
of
cleaning it up is a long, hard and complicated. A well-connected
system or network makes an excellent platform from which to launch
attacks on other hosts or on other networks.
A major problem for Digital in securing their network against Kevin
Mitnick and Lenny DiCicco was that only one vulnerable system on
Digitals EASYnet was needed. From there, they were able to
penetrate
other systems. Even nodes that were known to have been penetrated
and
were secured were penetrated repeatedly by using other vulnerable
nodes to monitor either users or network traffic accessing the
secured
nodes. While at Lockheed, Dave Johnson implemented policies,
awareness training and widescale authentication for all external
access, including dialup lines and telnet connections using
challenge-response tokens or smart cards. He does not trust the
phone
system and assumes that it has been compromised. Kevin Mitnick and
Lenny DiCicco illustrated just how vulnerable the phone system was
in
1988 and the MOD bust in July 1992 shows that things have not
improved. Kevin reminds us that you must assume the telephone
system
is insecure: even robust challenge-response systems can be
compromised.
You simply have to play the telecommunications game for real.
Kevin
reminds us that unless you use encryption, all bets are off. As an
example of how deep, long lived and dedicated a serious attack can
be,
consider that Kevin and Lenny were in DEC's network for years.
They
knew exactly what DEC and telco security were doing in their
efforts
to catch them since they were reading the security personnel's
email.
They evaded the security forces for over 12 months and they had a
pervasive, all powerful, privileged presence on DEC's internal
network. I've seen the enemy and them is us (this is a quote from
Pogo).
Mitnick insists that people are the weakest link. According to his
considerable experience, you don't even need to penetrate a system
if
you can talk someone on the inside into doing it for you. Why
bother
breaking in to a computer system if you can talk someone in
accounts
payable into cutting you a check? Using the finely tuned tools of
psychological subversion, practiced social manipulators can get
most
anything that they want from the ranks of the generally
unsuspecting
(uncaring?) employees that inhabit most of our organizations today.
The only cure is a massive and complete educational program that
fosters loyalty, awareness and proper skepticism in every employee.
In the end
Perhaps the strongest message from everyone was that you can't
trust
the phone system. Telephone companies have been, and continue to
be,
compromised. While Mitnick & DiCicco's penetration of DEC's
internal
network happened in 1988, the 1992 MOD bust showed us that the same
techniques are still being used successfully today. Data and
voice,
including FAX transmissions, are subject to eavesdropping and
spoofing. Encryption is absolutely required for secure,
trustworthy
communications.
The coupling of social engineering and technical skills is a potent
threat. Most sites that have addressed technical security are
still
wide open to penetration from people who have well-practiced social
engineering skills. However, in all, you don't even need social
engineering skills to get into most systems.
Are your systems and networks secure? Are your systems and
networks
at risk? What will you do if you are attacked? Although the
questions seem simple, they are not. Future teleconferences will
explore both the questions and the answers in more detail.
++++
Ray Kaplan and Joe Kovara have been independent computer
consultants
for more than a decade. They specialize in operating systems,
networks
and solving system and network security problems. Ray Kaplan is
also
a well known writer and lecturer. He is a regular contributor to
Digital News and Review and other computer trade publications.
Tapes and handout materials for the System and Network Security
teleconference series are available from Ray Kaplan, P.O. Box
42650,
Tucson, AZ USA 85733 FAX (602) 791-3325 Phone (602) 323-4606.
Downloaded From P-80 International Information Systems 304-744-2253
