
Conference noted::hackers_v1

Title: -={ H A C K E R S }=-
Notice: Write locked - see NOTED::HACKERS
Moderator: DIEHRD::MORRIS
Created: Thu Feb 20 1986
Last Modified: Mon Aug 03 1992
Last Successful Update: Fri Jun 06 1997
Number of topics: 680
Total number of notes: 5456

196.0. "More Worms" by CYBORG::ALLEN () Fri Jan 24 1986 18:41

 Check this one out......
 
 Caution this is a long note.....

 I think this guy has some points but think he's overreacting.......

 Does anybody have any Vax worms ????? :-)...





RISKS-LIST: RISKS-FORUM Digest  Saturday, 7 Dec 1985  Volume 1 : Issue 27

        FORUM ON RISKS TO THE PUBLIC IN COMPUTER SYSTEMS 
                 Peter G. Neumann, moderator

This is part one of a two part series written by Gary North about software
worms and viruses.  Gary North is an investment newsletter publisher and
presents an interesting perspective of the problem from a non-technical
point of view.  Enjoy.
 
                                   Andrew J. Piziali, x8584.
 
 
   ---------------------------------------------------------------------------
 
                          Gary North's Remnant Review
                                                                  Matt. 6:33-34
   ---------------------------------------------------------------------------
 
Vol. 12, No. 20                      379                       November 1, 1985
  
 
What you are about to read will shock you.  It shocked me as I did the  research
on the project.  It so completely shocked me that I am lifting the copyright  on
this issue and the one to follow.  Reprint them in any form you choose.
 
Second, I am  sufficiently scared about  what I've uncovered  that I am  going to
make this  request.  I  will pay  $1,000 to  the first  person who  blows what I
regard as significant holes in my thesis, and who consents to a 90-minute  taped
interview for  FIRESTORM CHATS.   If you  can't do  this, but  you can put me in
contact  with  anyone  who  can  refute  me  or  show an effective way out of the
problems I  raise, I  WILL GIVE  YOU A  ONE YEAR  RENEWAL TO  REMNANT REVIEW FOR
LOCATING THE FIRST SUCH PERSON FOR ME,  AND I WILL PAY THE INDIVIDUAL $1,000  TO
DO THE 90-MINUTE TAPED INTERVIEW WITH ME, plus provide supporting evidence.  And
let  me  say,  it  will  be  the  happiest  check-writing session of my life.  I
DESPERATELY WANT TO BE PROVED WRONG.  Mail me your (his) outline.
 
I am going public with this  story because it is unlikely that  any conventional
news source will touch  it, unless pressure is  brought to bear.  The  reason is
this:  the  problems  are  too  horrendous  even  to be discussed by appropriate
officials, unless they have specific  answers.  But they don't.  What  I present
here  cannot  be  smoothed  over  by  a  press  release  about  having set up a
blue-ribbon study panel.
 
I literally stumbled into this information.  I had read about one tiny aspect of
it.  I made a  few extrapolations.  Then I  got worried.  The problem  looked as
though it would have major implications.  Little did I know!
 
Every dark cloud has a silver  lining, they say.  Well, every silver  lining has
its  dark  cloud.   This  is  a  "dark  cloud" report about the high tech silver
lining.
 
I am not trying to be deliberately gloomy, but this problem can only get  worse,
unless someone (and I don't know who) can figure out an answer.  I don't like to
present problems in  REMNANT REVIEW for  which I have  no answers.  This  time I
have to do what I don't like to do.  If you've got some answer, WRITE!
 
I am hoping that by going to my  reader I may locate one or more people  who can
provide decent counsel.  Congress hasn't the foggiest idea of the threat that is
now developing to the whole Western world.  When I began this research  project,
neither did I. Those who  know the facts are so  close to the problem that  they
may have grown jaundiced --  or else they are people  who are the source of  the
problem,  and  they  don't  want  it  solved.  The technicians remain silent, or
discuss  it  only  in  "the  inner  circles"  where  the  issues are understood.
Policy-makers need to know.
 
 
 
                           ELECTRONIC AIDS (Part I)
 
 
Scenario: Paul Volcker is handed a telegram as he enters the monthly meeting  of
the Federal Open Market  Committee.  Every other member  of the FOMC, which  sets
monetary  policy  for  the  U.S.,  is  also  handed  an identical telegram.  The
telegram reads as follows:
 
    THIS MORNING (a rural  bank is named) SUFFERED  A MAJOR FAILURE IN  ITS
    COMPUTER SYSTEM   STOP  ALL  DATA IN  THAT COMPUTER  HAS BEEN SCRAMBLED
    BEYOND RECOGNITION  STOP   WHEN BANK OFFICIALS  ATTEMPT TO CALL  UP THE
    RECORDS FROM ITS BACK UP COMPUTER TAPES THEY WILL FIND THAT THESE  BACK
    UP TAPES  ARE ALSO  SCRAMBLED  STOP   ON MONDAY  AFTERNOON THREE  OTHER
    SMALL BANKS WILL SUFFER  THE SAME FATE  STOP   ONE WILL BE IN  NEW YORK
    CITY  STOP  ONE WILL  BE IN LOS ANGELES   STOP  ONE WILL BE  IN CHICAGO
     STOP  PLEASE MEET AGAIN ON  TUESDAY AFTERNOON  STOP  WE WILL  GIVE YOU
    INSTRUCTIONS AT THAT TIME
 
Volcker  calls  the  appropriate  bureaucrat  at  the  Federal Reserve System's
headquarters, and he asks if there are  any reports from the named bank.  A  few
minutes later,  the official  calls back.   The bank's  management confirms  the
breakdown.  The bank is attempting to install the back-up tapes.  Volcker orders
him to call back  and stop the tapes  from being installed.  The  bank complies.
The tapes are then shipped to the Federal Reserve Bank under armed guard.   When
the FED's  computer specialists  acquire the  same operating  system and  try to
bring up the data, the system crashes.  No usable data.
 
Tuesday  morning,  one  by  one  three  banks  call  the  FED, the FDIC, and the
Comptroller of  the Currency's  office, each  with the  same frantic tale.  They
have been  working all  night, but  their computer  records are scrambled.  They
cannot open at 10 a.m.  They have only an hour to make a decision.  What  should
they do?  The FED instructs them to remain closed.  They are also instructed  to
keep their mouths equally closed.
 
The T.V. networks are tipped off, but  no one at any bank says anything.   Lines
appear in front of each bank.  Governors in all three states call frantically to
Washington.  They all remember Ohio and Maryland.  What is the FED going to do?
 
The FOMC, the Board of Governors of the FED, each regional president, and a team
of  computer  experts  meet  at  the  New  York  FED's offices.  At three in the
afternoon, a telegram is delivered to Volcker.  It is brief.  It says:
 
                                     WORMS
 
"What the @%* is this?" he yells to no one in particular.  The computer men turn
white.   They  do  their  best  to  tell  him  what it means.  They are finished
answering his  questions in  about 45  minutes.  Another  telegram arrives.   It
says:
 
    ON FRIDAY AFTERNOON THE CHASE MANHATTAN BANK WILL EXPERIENCE A  SIMILAR
    COMPUTER  FAILURE   STOP   ITS  BACK  UP  TAPES WILL BE EQUALLY USELESS
     STOP   IT  WILL  NOT  BE  ABLE  TO  REOPEN ON MONDAY MORNING  STOP  ON
    TUESDAY  MORNING  CITICORP  WILL  SUFFER  A  SIMILAR  FAILURE  STOP  ON
    WEDNESDAY MORNING BANK OF AMERICA AND THREE OTHER MAJOR BANKS WILL ALSO
    SUFFER A BREAKDOWN   STOP  WE CAN  PROVIDE YOU WITH  THE CORRECTION FOR
    EACH  COMPUTER   STOP   THE  PRICE  WILL  BE  THE REMOVAL OF DIPLOMATIC
    RECOGNITION OF THE  ILLEGITIMATE STATE OF  ISRAEL BY THE  UNITED STATES
    AND AN END TO ALL ECONOMIC AID TO ISRAEL  STOP  TO PROVE THAT WE CAN DO
    THIS WE WILL  SCRAMBLE ALL THE  RECORDS OF CHASE  MANHATTAN BRANCH BANK
    XYZ TOMORROW MORNING  STOP
 
 
The next morning, all of the records of Chase Manhattan's branch bank are turned
into random numbers.  That afternoon, the President of the United States  breaks
off diplomatic relations  with the state  of Israel.  The  banks stay open.   No
crash of the data occurs.  This time.
 
This is a hypothetical scenario.  It is NOT hypothetical technologically.  This is
the terrifying message of this issue of the REMNANT REVIEW.  What I have  described
here is  conceivable technologically.   On a  small scale,  it has  already been
threatened.  Let's start with the historical and then go to the possible.
 
 
 
                                     WORMS
 
 
Earlier this year, I read a  very interesting article on a major  problem facing
computer software (programs) development companies.   A program comes on one  or
more 5.25-inch plastic discs.  It takes only a few seconds to copy a program  on
one disc to  a blank disc  which costs $3.   Yet these programs  normally run at
least $250, and usually  sell at $495, and  sometimes cost thousands.  Very  few
are less than $100.  So you have a major temptation: make a $500 asset out of  a
$3 asset.  Insert the $500 program into  drive A, write "COPY A:*.* B:" and  hit
the "enter key"; sixty seconds later, you have a $500 program in drive B.
 
There are  ways to  make this  copying more  difficult.  The  companies code the
programs, and force you to have a  control disc in drive A at all  times.  These
"copy protected" programs are a hassle for users.  We cannot put them on a "hard
(big) disc" easily, and sometimes the  control disc dies for some reason.   Then
what?  Your data are locked in your hard disc or on a floppy disc, but you can't
get  to  the  data  because  the  control  disc is not functioning.  You order a
replacement.  Weeks go by.
 
Last year, several firms came up with a solution.  It is called a WORM.  A  worm
is a command which is built deep into the complex code which creates the program
itself.  These are incredibly complex codes, and it is easy to bury a command in
them.  They cannot be traced.
 
What does the worm  do?  It "eats" things.   Say that you are  a software thief.
You  make  a  copy  of  a  non-copy-protected  disc,  either  to use on a second
computer, or to give (or sell) to a friend.  The program works just fine.   But
when the program is copied to a new disc, the worm is "awakened."  It bides its
time, maybe for many months, maybe for years.  The program's user is blissfully
unaware that a monster lurks inside his pirated program.  He continues to  enter
data, make correlations, etc.  HE BECOMES COMPLETELY DEPENDENT ON THE PROGRAM.
 
Then, without warning, the worm strikes.  Whole sections of the data  disappear.
Maybe the data storage  disc is erased.  Maybe  it is just scrambled.   Even his
back-up data discs have worms in them.  Everything he entered on those discs  is
gone.  Forever.
 
Can you imagine  the consternation of  the user?  He  has become dependent  on a
booby-trapped program.  His business could simply disappear.  For the savings of
$500 (stolen program), he could lose everything he has.
 
Several firms  threatened to  insert worms  into their  programs.  But then they
backed  off.   They  are  afraid  that  lawsuits initiated against them might go
against them in court.   They could be hit  for damages suffered by  the thieving
victims.  Juries might  decide that the  punishment (a bankruptcy)  was too much
for the crime (a $500 theft).
 
So far, no worms are lurking in any commercial software programs -- as far as  I
know and the industry knows, anyway.  But what if a disgruntled programmer  were
to hide one  in a master  copy of, say,  Lotus 1-2-3, the  most popular business
program on the  market?  What if  ten thousand copies  a month go  out for, say,
three years?  Then, without warning,  every company that has started  using them
loses three years of data?  They sue Lotus.  Lotus goes bankrupt paying  lawyers.
NO  COMPANY  IN  THE  INDUSTRY  IS  WILLING  TO  TALK ABOUT THIS SABOTAGE THREAT
PUBLICLY.  Obviously.
 
 
 
                                  LARCENISTS
 
 
I just happened to  stumble across an article  on worms in a  computer magazine.
It occurred to me that it might be possible to use the worm technique as a  form
of deliberate sabotage rather than just  as a copy protection device.  But  what
did I know?  I'm not a computer expert.
 
I know a computer expert, however.  I mean, a REAL expert -- one of those people
you occasionally read  about.  In the  world of business,  they're called "space
cadets."  They operate somewhere in between the asteroid belt and Jupiter.   But
this one is different.  He's a businessman, too.
 
I got him to sit  down with me to discuss  the problem of worms.  It  turned out
that he  has a  real fascination  for the  topic.  He  tells me  that there  are
advanced  design  worms,  called  'viruses'  by  'hackers'  --  computer   freak
programming geniuses.   "The software  virus is  the most  terrifying thing I've
ever come across," he told me.  And then he showed me why.  My initial  scenario
is based on only a portion of his estimation of the threat.  It gets a lot worse.
 
He gave me a 90-minute FIRESTORM CHAT interview.  He must remain anonymous.   He
used to be a software developer for programs that were used in the U.S.  banking
system, but  is now  employed in  a highly  sensitive job  in a related industry.
Therein lies his problem.  IF HE WERE TO TELL THE STORY OF WHAT HE IS CAPABLE OF
DOING TO THESE BANKS, HIS FIRM MIGHT LOSE A LOT OF SALES.  He can't "go public."
Let's call him Tom.
 
Let me summarize briefly some of the details he gave to me.  They floored me.
They're going to floor you.
 
 
 
1.  JACKPOTTING
 
 
The rush is  on in the  banking world to  get automated teller  machines (ATM's)
into shopping malls, supermarkets, and in  front of every bank.  We've all  seen
them.  Just walk up, punch in your card number, ask for cash, and you get it.
 
In a busy location, one of these machines can hold as much as $250,000 in  cash,
mostly small bills.  These machines are controlled by computer.  They are hooked
up to the bank's computer system, usually by phone lines.  This local line,  Tom
tells me,  is what  computer freaks  call THE  LOOP.  The  loop is  wide open to
tampering.  He says that what computer thieves  are doing is to hook up a  cheap
Apple II computer, tie into the phone  lines, break into the ATM, and get  it to
empty itself.  This is "jackpotting."
 
He tells me that banks are  getting hit by ATM thieves continually,  but nothing
is getting to the press.  The banks have yet to show a profit with the ATM's  so
far, which is understandable.  They are  hoping to get their machines placed  in
key locations, so "market share" is crucial to their plans.  They are  suffering
horrendous losses in the  short run in the  hope that long-run profits  will pay
off, if and when a defense is developed.
 
The banks are  saying nothing because  of their fear  that if the  extent of the
losses gets into the press, they  will be forced by pressure from  depositors --
bank runs  -- to  cancel the  ATM's.  The  losses are  horrendous, he  says.  At
present, there is no known defense, given the communications technology.
 
 
 
2.  ROUNDING OFF
 
 
This is the "preferred" computer bank  theft system.  Someone on the inside  who
has access  to the  software, takes  advantage of  the banks'  need to round off
numbers.  The programs carry numbers out to 13 places.  Banks can't use all that
space, so when they balance the books (interest rates at, say, 9.873), they just
don't count  every tenth  of a  cent.  The  program is  assumed to round off the
numbers randomly.   What does  the bank  care?  But  the thief  has set  up bank
accounts that absorb those random tenths  or hundredths of a cent.  In  millions
of dollars  worth of  transactions (federal  funds, etc.),  programmers in  some
cases have stashed away  hundreds of thousands of  dollars -- maybe millions  --
over a few years.  No one knows how much of this goes on.
 
How could a bank spot this?  The  books would always balance to the penny.   How
would the accountants ever know?
 
I think of a story that Adam  Osborne tells in his paperback book, RUNNING  WILD.
The president of a large firm was looking out his window one day, and he noticed
two Rolls Royce cars parked next to  each other.  He enquired as to the  owners.
They  were  two   men  in  the   data  processing  department.    He  called  in
investigators, and the cars  and the men disappeared.   They fled to Brazil  and
took their cars with them; Brazil has no extradition treaty with the U.S.  Years
later, as Osborne was writing the story, the firm still hadn't figured out  what
they had done.
 
 
 
                                   ARSONISTS
 
 
These  are  the  fearful  ones,  far  more  than  the larcenists.  These are the
practical jokers who get into a major  data bank and trash things.  It's a  kind
of multimillion dollar "Kilroy was here" graffiti.
 
How easy is it to get in?  Incredibly easy.  The boy in "War Games" really could
have broken  into most  firms' telephone-connected  computers.  Computer programs
exist that allow the user to hook  up his computer to a phone line  and randomly
dial numbers until they  hear the tell-tale whine  of a computer line.   It then
notes the phone number and goes on its way, searching out more lines.
 
They can do it by long distance, free of charge.  The phone company has a  tough
time  tracing  those  who  use  various  sorts  of electronic black boxes to call
anywhere on earth at no charge.  Some people get caught, of course.  "The tip of
the iceberg," says Tom.
 
How do they get in?  Easy; few systems are protected, once you locate the  line.
If one is, he says, you create a deliberate error.  Most programs then  collapse
the protective  shell, and  the hacker  finds himself  inside the  heart of  the
system.  Tom  has designed  a program  which keeps  this from  happening to  his
company's programs, but few companies have anything like it.
 
It's very easy  to get in  if someone has  "logged on" --  opened his terminal's
connection to the main  computer -- if the  system is connected to  phone lines.
Or anyone in the company can just tap in, if someone has left his desk and  left
the computer on.  It's common to forget and leave an open terminal.
 
He showed  me.  He  says anyone  can get  fired for  leaving a  computer on.  He
demonstrated his point.  With  40 computers on line,  he ran a quick  search and
found two of them "logged on," despite  the fact that it was after hours.   "All
the security in the  world can't do anything  if a computer line  is open.  It's
like a burglar alarm; it's worthless if you leave the door unlocked or leave the
keys lying around."  That janitor you hired.  Is he a computer illiterate?  Or a
plant?
 
Once inside, what  can you do?   Steal a fortune?   Yes, if you  really know the
system.  He told me he could easily steal $3 million from a local bank, even  as
an outsider.  He would then offer to give it back AND KEEP HIS MOUTH SHUT  ABOUT
HOW EASY IT WAS if the bank would pay him 10% of the take.  He thinks most banks
would capitulate  for fear  of the  publicity.  In  any case,  he knows  that he
probably wouldn't get caught.
 
How about creating a new identity?   The grade-changing scene in "War Games"  is
true.  You could even  create a new identity,  give yourself high grades  in any
academic discipline, just by breaking  into a university's data base.   There is
very little security here, he says.
 
But for sheer  vindictiveness, for sheer  envy, consider the  possibilities of a
virus-implanter.  He gets  inside the computer  for a major  communication link:
telephones, large information data base, bank wire transfer, or whatever.   Then
he lays the egg: a tiny, untraceable brief instruction.  Inside a huge data base
are just  a few  characters.  These  float inside  a system,  seeking to  devour
certain kinds of data, or executing certain routines.
 
There  is  a  game  played  by  computer  freaks called "Core War."  They try to
implant these killer messages, which seek out each other and battle one another.
If you find one morning that yours has been consumed, you lost the battle.  That
was probably the origin of worms and viruses.
 
 
 
                                   TERRORISM
 
 
Say that  a revolutionary  terrorist group,  or some  anti-Zionist group  gets a
"ringer" into the system.  He might  be a computer genius type.  Everyone  knows
they are either orientals, dark-skinned people with accents, or teenagers.   The
firms don't hire teenagers, but they hire a lot of foreigners.  They may even check
the guy's credentials.  Electronic credentials.  (Ha!).  Then they turn the  guy
loose in the system.
 
The virus is implanted  deep inside the system.   It can then be  transferred to
any other bank's computer by means of EFT (electronic funds transfer).  Maybe it
is triggered when someone with a peculiar and and address opens a bank  account.
Three days later: bam.   The data disappear.  They  haul out the back-up  tapes.
Bam. The virus is  on them, too.  It  is a process of  INFECTION, CONTAMINATION,
AND INCUBATION.  There is no known defense.  Not yet.  This is the bottom line.
 
 
 
                                  ANTIBODIES
 
 
The  designer  of  a  virus  can  also  design an "antibody".  The antibody is a
counter-virus  agent  which  seeks  it  out  and  destroys  it.   But like other
antibodies, it must be specific.  The only way today that an antibody system can
be created is to know what kind of a virus is involved beforehand.
 
Tom says that  people are now  selling antibodies at  very high prices.   Who is
paying?  Big  companies that  suspect that  there is  a virus  present in  their
computers.   In  all  probability,  THE  GUY  SELLING  THE  ANTIBODY CREATED AND
INJECTED THE  VIRUS.  But  how can  any businessman  prove it?   So he  pays the
blackmail.
 
 
 
                               NATIONAL DEFENSE
 
 
A Soviet agent or American spy working for the Soviets penetrates any of a dozen
computers used by the military.  He plants a virus.  The computers talk to  each
other, and the virus spreads to all of them.  It tells them to execute a certain
routine when  a certain  command is  entered at  a missile-controlling terminal.
That  command  might  interfere  with  a  routine  which  activates a missile or
launches it.  Upon reading that command,  the virus shuts down the computer,  or
scrambles the  executing program,  or scrambles  the data.   No more  "launch on
warning."  No more launch at all.  Dead metal.
 
Scenario: The President of  the United States receives  a telephone call on  the
"red  phone"  --  the  direct  link  to  Moscow.  He lifts the receiver and says
"Hello."
 
"Mr.  President,  this is  Michael Gorbachev.   You must  recognize my voice.  I
have very little time.  I will come directly to the point.  You have refused  to
back down on  your threat to  implement your Strategic  Defense Initiative.  You
intend to go ahead with space-based weapons.  My military staff informs me  that
they think that the United States  has the technology to implement it,  and that
it would place my nation's military  strategy in jeopardy.  We cannot allow  you
to do this."
 
"If we  allow you  to deploy  the SDI,  it will  be too  late for  us to respond
effectively.  Therefore, we  are taking the  initiative today.  I  issued orders
this morning to put Soviet military units on immediate alert.  We are abiding by
your biblical rule  to announce the  initiation of hostilities  before striking.
Neither the Japanese nor the Germans gave us this courtesy.  If you do not  come
to terms with  us, we will  launch a first  strike against your  nation in three
hours.  We will delay  for one day, if  you agree to follow  a precise procedure
that I will outline shortly."
 
"At one time we feared nuclear retaliation.  We no longer do.  Within two hours,
you will know why not.  I suggest that you instruct your ballistic missile  team
to prepare your missiles  for a strike.  Then,  to prove to yourself  that we no
longer are concerned about retaliation, launch one or two of them.  As far as  I
am concerned,  launch all  of them.   But please  instruct your  senior military
commanders to report back to you concerning the effects of their instruction.  I
suggest that you  try launching three  or four as  a test.  We  don't care which
ones."
 
"Mr.  President, let  me tell you  what is going  to happen.  As  soon as anyone
attempts to launch a missile, that missile's computer guidance system will  shut
down.  It will lock up tight, and you  will not be able to unlock it within  the
time you need to respond to our attack.  Two hours and thirty minutes from  now,
you finally unlock your frozen computers."
 
"I suggest that you contact your senior officers now.  You will have to mobilize
them  within  60  minutes.   The  test  should  take  about  30 minutes.  I will
telephone you again in 90 minutes to present our terms of surrender."  Click.
 
The President calls the Joint Chiefs.  If he is lucky, he will be able to locate
two of the three in time.  They will be paralyzed.  Who wouldn't be?  But in all
likelihood, they will at least test Gorbachev's theory.  They will order one  or
two missiles launched.  The computer guidance system on both will shut down  the
system.  They  will try  two or  three more,  with the  same result.   They will
attempt to launch one from a submarine, with the same result.
 
The President brings in senior  Congressional officials and the remaining  Joint
Chiefs member to the White House.
 
Exactly 90 minutes after he had hung up, Gorbachev telephones back.  He presents
his list of demands.  First, the  immediate removal of U.S. troops from  Europe.
Second,  the  withdrawal  of  personnel  from  Diego Garcia Island in the Indian
Ocean.  Third, the breaking of  diplomatic relations with Red China  and Taiwan.
Fourth, the removal of all troops from Korea.  Fifth, a moratorium on all  debts
owed  to  U.S.  banks  by  the  Soviet  Union and its client states.  Sixth, the
removal of all Minuteman III missiles from their silos.  Seventh, the return  of
all U.S. submarines to port.  If he agrees, and the orders are delivered  within
two hours, the Soviet Union will delay launching a first strike.  The  President
complies.
 
They might do it with our communications satellites, Tom says.  You might do  it
with any aspect  of U.S. data  transmission.  The virus  could sit dormant  in a
system for years, and no one would know.  Triggered, it would then strike.
 
 
 
                           THE WEST'S VULNERABILITY
 
 
The  West  has  become  increasingly  dependent  on computers.  We can no longer
function without them.  The Third World hasn't.  Neither has the U.S.S.R.  Their
technology is still pre-computer.  They  are inefficient, but they are  far less
vulnerable.
 
Tom  says  that  the  world  of  computers  presumes  that  almost  everyone  is
essentially honest, and that all the brightest programmers must be honest.  They
aren't.  Thus,  the entire  system --  banks, national  defense, large and small
businesses, public utilities -- have opened themselves to attack.  The attackers
are invisible.
 
"Nothing I have  seen in all  my years of  computers scares me  as much as  this
does," he says.  "The system  has been designed in terms  of a far older set  of
standards, especially with respect to security.  It is totally vulnerable."
 
He  compares  it  to  plague,  or  venereal  disease.   People copy each other's
software to  save a  few bucks.   They use  public access  data bases.  They use
"loops"-- the  phone lines.   Yet these  transmission belts  of information  can
become transmission belts of collapse.
 
This is what I have harped on for twenty years: the potential for a collapse  of
the division of labor.  We become  rich by means of a brilliant  technology, yet
we become dependent on it to an extent that no previous society ever has.
 
Centralized  institutions  are  most  vulnerable,  but  because  we  use  public
transmission lines, from microwave transmissions  to cables in the ground,  each
local unit is vulnerable.  Those who would choose to bring down the system  need
only plant electronic  viruses in a  handful of major  common-use data bases  or
transmission sources, and five years or ten years later, the disease hits.
 
It could  bring down  the system  if technological  defenses are not developed.
Nothing on the immediate horizon points to a solution, he says.  The silence  of
those who should know what to do indicates that they don't know what to do,  but
they don't want panic to spread.
 

-------------------------------------------------------------------------------
 
                          Gary North's Remnant Review
                                                                  Matt. 6:33-34
-------------------------------------------------------------------------------
 
Vol. 12, No. 20                      380                      November 15, 1985
 
 
 
                           ELECTRONIC AIDS (PART 2)
 
 
(Again, note that this issue  of REMNANT REVIEW is not  copyrighted.  Reproduce
it in any form you choose.  This information needs wide dispersal.)
 
Maybe you saw the article buried somewhere in your newspaper.  I saw it in  the
New York Times (Oct. 19):
 
         A group of at least  23 teen-age computer users broke  into a
         Chase Manhattan  Bank computer  installation by  telephone in
         July and August and "significantly damaged" bank records, the
         Federal Bureau of Investigation said yesterday.
 
And where were  these teenagers located?   In San Diego,  ACROSS THE CONTINENT!
It gets even more ludicrous:
 
         Federal  officials  said  that  most  of  the  offenders were
         probably too young to be prosecuted.
 
         Robert D.  Rose, the  Asst.  United  States Attorney handling
         the case, said: "We're not yet sure what we are going to  do.
         But these things  can get out  of hand --  it did get  out of
         hand -- and we have to treat them seriously."
 
Treat WHAT  seriously.  "These  THINGS?"  What  things?  If  they can't legally
treat the electronic trespassers seriously, just what is the man talking about?
He is talking about the topic, above all other topics, that bank and government
officials don't want to face: THE VULNERABILITY OF THEIR COMPUTER RECORDS.
 
I have  seen no  follow-up on  this story  in the  conventional press.  A brief
article did appear in the  computer-oriented tabloid, INFOWORLD (Oct. 28).   It
turns out that the students had broken into the files of Interactive Data Corp.
of Waltham, Massachusetts, which  maintains the bank's financial  records.  The
break-ins were discovered  in late July.   They had obtained  the toll-free 800
number which was restricted (ha!) to Interactive Data subscribers.  As late  as
October 9, an illegal  entry was observed.  In  short, IT TOOK TEN  WEEKS AFTER
THE BREAK-INS WERE DISCOVERED TO PUT A STOP TO THEM.
 
The response of the bank's bureaucracy was predictable.  It will ever be  thus:
"Bank  officials  are  claiming  that  the  FBI  exaggerated  the nature of the
activities of the  suspected individuals.  A  spokesperson for Chase  Manhattan
said  that  Interactive's  customers  were  not  prevented from accessing their
accounts and that none of Interactive's data was altered or manipulated in  any
way."  In  response, FBI  supervisory agent  John Kelso  said that  the FBI has
sworn affidavits  from bank  officials that  say data  has been  manipulated or
damaged.  "That sounds pretty serious to me," he volunteered.
 
Here is the capper: Interactive Data  has 25,000 subscribers who are tied  into
that toll-free phone line.  Try keeping tight security on a system with  25,000
users.  Chase Manhattan couldn't.  If they can't, who can?
 
And if Chase Manhattan Bank was vulnerable to 23 teenagers who are too young to
prosecute, consider its vulnerability to JUST ONE ENVY-DRIVEN GENIUS who  knows
all about electronic viruses.  The  students who did this were  apparently just
goofing around.  But what if just one malevolent computer freak decided to "get
even" with  Chase Manhattan?   What if  he had  phoned in  just once  or twice,
implanted a long-dormant data-killing virus, and quit?  What if he had tied its
detonation to, say, a calendar clock  in the Interactive computer?  If it  took
security forces  from July  until early  October 15  to raid  the 23  students'
homes, they would never have spotted one break-in.  They could not have  traced
it, either.  Conclusion: we have a risk-free opportunity for electronic  arson.
We face  a potential  electronic epidemic.   AND WHEN  I SAY  "WE," I  MEAN THE
ENTIRE FINANCIAL SYSTEM OF THE WEST.
 
Sure, all the bank  "spokespersons" in the world  will tell you, "no  problem."
But there is a problem.  A horrendous problem.
 
At  this  point,  it  REALLY  gets  interesting.  Chase Manhattan Bank has just
announced that we will  be able to set  up our own personal  electronic banking
facilities with  them by  buying an  expanded version  of Managing  Your Money,
Andrew Tobias' home financial management program.  Citicorp and Bank of America
have opted for  Dollars and Sense,  a rival program.   You will be  able to pay
monthly bills electronically, balance your "checkbook," monitor your net worth,
buy  and  sell  stocks,  etc.,  etc.,  etc.,  just by dialing Citicorp or Chase
Manhattan.  Fantastic!  But despite all the assurances, I get nervous.  Yes,  I
know no  one will  be able  to break  in and  tamper with  the numbers.  But 23
teenagers shouldn't have  been able to  do it, either.   And now we're  talking
about a lot more subscribers than 25,000.
 
Obviously,  the  master  program  used  by  the banks will prohibit easy entry.
Unfortunately, someone has to write the program.  Can you imagine the blackmail
possibilities?   Some  hot-shot  programmer  could  build  in  a bomb, and then
threaten to detonate it.  In fact,  he could merely pretend to have  inserted a
virus.  Who would want to call his bluff?  Not Chase Manhattan, I would bet.
 
 
 
                             CORE WARS REVISITED
 
 
In May  of 1984,  A.K. Dewdney  published an  article in  Scientific American's
"Computer Recreations" column.   It was a  light-hearted piece on  how computer
experts  can  get  involved  in  playing  this  exciting  game of "blow up your
opponent's defenses."  You know: RECREATION!  In the March 1985 issue, he wrote
a follow-up.  It begins:
 
         When the column about Core War appeared last May, it had  not
         occurred  to  me  how  serious  a  topic  I  was raising.  My
         descriptions of  machine-language programs,  moving about  in
         memory and trying  to destroy each  other, struck a  resonant
         chord.   According  to  many  readers,  whose stories I shall
         tell, there are abundant examples of worms, viruses and other
         software  creatures  living  in  every  conceivable computing
         environment.   SOME  OF  THE  POSSIBILITIES ARE SO HORRIFYING
         THAT I HESITATE TO SET THEM DOWN AT ALL (emphasis added.)
 
It turns out that  the French have been  enjoying a novel on  the international
implications, SOFTWAR: LA GUERRE DOUCE,  by Breton and Beneich.  A  translation
is  scheduled  for  publication  here  by  Holt, Rinehart & Winston.  The study
revolves around the  sale of a  high-power computer to  the Soviet Union.   The
U.S. allows its export because it has  a "software bomb" in it.  When the  U.S.
Weather Service  announces a  certain temperature  at St.  Thomas in the Virgin
Islands, the program proceeds to subvert every piece of software in the  Soviet
Union.
 
A pair of Italian programmers  were "inspired" by the translation  of Dewdney's
original article to dream up a virus (a virus is a computer-to-computer killer,
whereas a worm is  resident in one man's  computer).  They figured out  that by
infecting a  disk operating  system disk  (these start  computers and tell them
what to do with programs and electronics), and then installing it on disks used
by the biggest computer shop in the city, they could create an epidemic.   They
decided not to do it.  In short, the only restraint is SELF-RESTRAINT.
 
A high school student in Pittsburgh wrote a virus which was more subtle than  a
data-destroying virus, which  at least tells  us that we  have a problem.   His
virus created  a plague  of very  subtle errors  in the  disk operating system.
"All of this seems pretty juvenile," he wrote, but "Oh woe to me!  I have never
been able to get rid of my electronic plague.  It infested all of my disks, and
all  of  my  friends'  disks.   It  even  managed to get onto my math teacher's
graphing disks."  He wrote a program  to destroy the virus (an "antidote")  but
it is not anywhere near as effective as the virus is.
 
Warning: do not copy disks from your friends' copies.  This act of piracy could
cost you plenty.
 
 
 
                              A COMMERCIAL WORM
 
 
Just a few days after I wrote "Electronic AIDS, Part I," I read a column in the
WASHINGTON TIMES, the conservative  (Moonie-owned) daily newspaper.  One of the
reporters  has  a  computer.   He  had  purchased a newly released program from
Microsoft Co., called  "Access."  Understand that  Microsoft supplies the  disk
operating system which is used by  the IBM PC, the most popular  microcomputer.
In other words,  this is no  backyard company.  It  is one of  the two or three
software  giants  in  the  U.S.  (Its  owner  is  under age 30, which tells you
something about who is pioneering the microcomputer revolution.)
 
As he was setting up his computer to take advantage of this  telecommunications
program, a  warning flashed  on his  screen: "The  weed of  crime bears  bitter
fruit.  Now  trashing your  program disk."   Wham!  He  lost all  his files  --
probably a couple of years' worth of work.  Sure, he was probably smart  enough
to have made back-up copies, but think of the risk.  And what if it had been  a
worm that kept silent for a few years, infecting all of his back-up disks?
 
He called Microsoft, and they gave him the runaround.  They told him that  they
were not  responsible.  Some  programmer had  put in  the worm  in order to zap
program pirates,  but the  journalist insisted  that he  was an original buyer.
Tough luck, they told him.  Obviously, they didn't know that he was a reporter.
 
Then  he  published  his  article.   All  of  a sudden, the victim was not some
average buyer.  He  was big trouble.   Things started moving.   INFOWORLD (Oct.
28) reports that Microsoft has admitted that a programmer put in the worm,  but
without permission.  The offending text  has now been removed, we  are assured.
But what if it had sat in the master for three years?  HERE IS THE PREMIER FIRM
IN THE SOFTWARE BUSINESS, AND IT HAD AN UNAUTHORIZED PROGRAMMER INSERT A  WORM.
This  is  not  idle  speculation.   It  has  already  happened,  verifying   my
hypothetical scenario within a few days after I published it.
 
Can you imagine the absolute havoc that a dormant worm or virus could create if
it were imbedded in  all updates of Microsoft's  masters of PC DOS  and MS DOS,
the  operating  systems   for  all  IBM   microcomputers  and  IBM   compatible
microcomputers?   It   could  cost   the  U.S.   economy  billions,   and  some
microcomputer-dependent firms  wouldn't survive.   Any Microsoft  spokesman who
says, "it's impossible; it  could never happen" has  to explain how it  already
did happen to "Access."
 
 
 
                            ADAM OSBORNE'S WARNING
 
 
You may  know the  name Adam  Osborne.  He  invented the revolutionary portable
computer, the  Osborne 1.   Before there  was an  Osborne 2,  the company  went
bankrupt.  Compaq, the  most successful first-year  firm in U.S.  history (over
$100  million  in  sales  in  its  12  months  of  operations) and others built
imitations that were far superior.
 
That isn't my point,  however.  Adam Osborne was  "present at the creation"  of
the microcomputer industry.  He created Osborne publications, and then sold out
to McGraw Hill.  He knows what is going on.  In his delightful paperback  book,
RUNNING WILD, which  is a history  of the microcomputer  (desk top) revolution,
1975-82,  he  offers  this  warning.   He  says  that three areas should not be
allowed to be computerized: 1) bank  money transfers; 2) the stock market;  and
3) elections.
 
All three are just about fully computerized.  Another ten years, or maybe five,
and they will be 100%  computerized.  Several firms allow microcomputer  buying
and selling of stock (e.g., Charles Schwab), and New York Stock Exchange  floor
transactions eventually will  be fully computerized,  at which time  it will be
pressured to get rid of  the "specialists" who make (and  sometimes manipulate)
the market, short-term  -- Richard Ney's  hated "Wall Street  Gang" -- but  the
price of getting rid of them may turn out to be horrendously high.
 
"The  great  fortunes  of  the  21st  century,"  Osborne predicts, "will be the
legacies of the great computer thieves of the 20th."
 
Three years ago, I used a firm to supply computer services I needed.  The  head
of it was a  former businessman, quite young,  and a true "space  cadet."  I've
quoted him  in the  last issue.   I call  him Tom.  He operated  in a world far
removed mentally from the rest of us.  He is a nice fellow, a Christian, and  a
moral philosopher of sorts.
 
He ran the operations of the local elections.  He did it fairly  inexpensively.
He told me why: "I want to keep these elections honest.  It would be incredibly
simple to rig the program to produce whatever outcome I wanted in close  races.
If I can do it, anyone with enough skill to set up the system could do it."
 
I asked him  if he thought  Osborne was correct  in his predictions  about bank
theft.  "It would be a piece of cake for me to steal three or four million from
any local bank.  I could  go in the next week,  offer to give 90% of  the money
back, keep 10% as a finder's fee, and promise not to tell the press how easy it
was to steal.  They would probably pay me my 10% just to keep me quiet."
 
Look, these people  are geniuses.  Worse,  they are geniuses  in a very  narrow
field technically, which is now  being used to control darned  near everything.
This  unique  intellectual-technical  skill  is  the  possession of literally a
handful of people,  mostly under 35  years of age.   They are "fooling  around"
with Chase Manhattan Bank's  computers.  What happens when  a few of them  stop
fooling around and get deadly serious?
 
Computer program designers keep telling us that there is no 100% secure way  to
defend data banks.  Maybe  there will be a  98% secure system someday,  but not
now.  THE SYSTEM RELIES ON THE INTEGRITY OF YOUTH TO DEFEND ITSELF.  In  short,
SELF-GOVERNMENT is the major defense.
 
And where have they learned self-discipline?  In the public schools?
 
 
 
                            "NOW YOU'VE DONE IT!"
 
 
About four years ago, I read an article in the ROLLING STONE, the tabloid aimed
at rock music fans.   It was the only  article I ever read  in that periodical.
It was a gem.
 
It described a subculture of students at Stanford University, "hackers."  These
people are computer freaks.  The mainframe computer at Stanford was cheaper  to
use after midnight, so from midnight  to 6 a.m., the hackers gathered  at their
terminals.  They lived on candy bars, junk food, and high-technology dreams.
 
One of the games they played  was breaking into each other's programs.   It was
considered the mark  of a master  hacker to be  able to crack  another hacker's
defenses.  They would spend hours trying.  They were "hacker-crackers."
 
One bright fellow then designed a classic booby trap.  He wrote a program which
warned  trespassers  not  to  tamper  with it.   This,  of course, alerted every
would-be electronic safe-cracker to the  challenge.  It was a complex  program,
and it took days  to crack it.  Then,  after repeated warnings, the  successful
trespasser got a surprise.  Japanese  letters appeared on his screen.   Roughly
translated, the words proclaimed, "Now you've done it!"
 
At that point, the victim's computer screen went blank.  Then the names of  all
his own  computer files  appeared on  the screen  -- files  that may have taken
years to assemble.  One  by one, they blipped  off the screen.  In  horror, the
victim would stare at the screen, unable to stop the process.
 
As it turned out, the booby trap  was only a practical joke.  It really  didn't
erase all the victim's files.  It only listed the NAMES, and then erased  them.
But for a horrifying few minutes, the victim wouldn't know this.
 
Hackers play games.  Very interesting games.
 
The kind of  people who spend  six hours, midnight  to 6 a.m.,  trying to break
into each  other's programs  are different  from the  rest of  us.  Among their
ranks are some highly individualistic  people.  Some of them are  libertarians.
I mean anarchists.  They  are electronic "don't tread  on me" sorts of  people.
They do not appreciate bureaucracy.   They appreciate being pushed around  even
less.
 
The folks  at Chase  Manhattan really  do have  a problem.   Do you  attempt to
prosecute a  legally unprosecutable  kid?  A  kid who  has already cracked your
computer  system?   I  don't  think  you  do.   You  play the role of stern but
appreciative banker.  "Son, I  am impressed by your  ability to break in.   But
understand, we are honest people.  There is a code of honor here.  You wouldn't
want to break that code -- of honor, I mean -- would you?"  Because if this kid
gets angry, he can do it again.  Quietly.  And next time, he deposits a virus.
 
Of course, Chase may hire a  programming team to create an unbreakable  system.
Sure.  "Hire fox  A. Give him  chain link fence  B. Hire him  to build fence  B
around chicken coop C."
 
 
 
                                TEEN CHALLENGE
 
 
Suppose that the  public gets wind  of the threat  to the whole  banking system
which is posed by  viruses?  What do the  bankers (or anyone else)  announce to
the public?  "We want to assure you that our computer program is  impenetrable.
No one can break in.  It is foolproof."
 
Here is a challenge -- rather like the Stanford program that announced: "Do not
trespass."  These kids see breaking in  as a challenge, a kind of  sport.  They
do not regard it as vandalism, even  if it costs a company millions of  dollars
to unscramble.  They may be ethical in other respects, but they think of  "core
wars" as a game.
 
How would you like  to be the 60-year-old  banker who doesn't know  a byte from
usury, but  whose public  relations department  tells him  to inform the public
that nobody can crack his bank's code?  To cite Mr. T in "Rocky III," that bank
is dead meat.  So are its depositors.
 
But if he keeps quiet, and the story still gets out about the vulnerability  of
the system, one or two small "virus-demolished" banks could trigger a  collapse
of the  system, as  people do  the only  smart thing:  run for CASH.  The whole
fractional  reserve  banking  system  would  deflate;  only  the FED's printing
presses could "save the day," in a wave of fiat money.
 
What I  am saying  is this:  I THINK  THAT WE  WILL SEE  THE END  OF FRACTIONAL
RESERVE BANKING IN OUR DAY. At the very least, I think we will see it subjected
to tremendous shocks.   People will lose  faith in electronic  promises made by
bureaucrats who do  not know anything  about the monsters  that their efficient
computers can be turned into.
 
 
 
                            ATTACK ON MARTINSBURG
 
 
Now, let's take it a step  farther.  Some day some state or  Federal bureaucrat
is going  to step  on the  toes of  some genius  entrepreneur who has created a
software development firm.  The bureaucrat  will try to wrap this  entrepreneur
in red tape.  Or maybe -- just maybe -- he will try to sock him with a tax bill
that the entrepreneur regards as unfair.
 
In Martinsburg,  West Virginia,  there is  a large  computer.  It  is owned and
operated by the Internal Revenue Service.   Into it, over the next five  years,
the IRS apparently intends to deposit all the records it can assemble on  every
US taxpayer.  This computer data base will be the biggest in the world.  It  is
the tool by which  the IRS hopes to  increase taxpayer compliance.  And  it may
succeed.  For a while.
 
This is  one reason  for saving  all letters  to and  from the  IRS. If the IRS
becomes  dependent  on  its  computer   system,  which  is  likely,  then   any
short-circuiting of its  data base could  create havoc for  tax collecting.  If
word gets  out that  a major  failure has  hit the  IRS, the  tax revolt  could
multiply overnight.  You would see the deficit become astronomical.  If the IRS
continues  to  tie  its  "voluntary"  compliance  program  to  the myth of "the
all-seeing computer," then news of the computer's scrambling could backfire.
 
It is  possible that  the story  of the  IRS data  base is  a myth.  Maybe they
aren't going to build it.  But if the public believes that such computer  power
is at the disposal of the IRS, and taxpayers then learn either that the  system
has been blown, or  that it was mythical  from the start, the  tax revolt could
spread like  an epidemic.   The electronic epidemic  could  trigger a tax revolt
epidemic.
 
He who lives on the cutting  edge of technology eventually dies on  the cutting
edge of technology.
 
 
 
                         "PEOPLE ARE BASICALLY GOOD"
 
 
Let's return to my  taped interview with "Tom."   In a 90-minute interview,  we
covered a lot  of ground.  But  one topic which  stands out in  my mind is  our
discussion of the  presupposition which goes  into the creation  of a computer-
based  society.   The  computer  people  have  all adopted the assumption which
undergirds modern  science, namely,  that participants  are well-meaning,  that
they  will  not  fake  their  experiments,  and  that  they will play fair.  If
scientists  had  to  check  every  aspect  of  every article, science could not
advance very fast.
 
What about the computer  industry?  The whole system  rests on faith: "Men  are
not malevolent.  They are not envy-driven.  They will not deliberately seek to
destroy the  work of  some random  victim."  Tom  says categorically  that this
assumption is false.  There are bad people with tremendous computer skills, and
that modern society has not  restructured its economic institutions to  protect
itself.
 
Here is one example  of a break-in technique.   Someone phones into a  computer
which has been left open temporarily  by some user.  The lock is  unlatched; he
needs no  key to  get in.   He then  seeks to  penetrate the inner  core of the
program, such as a  bank's program.  He creates  a deliberate error, which  all
too  often  triggers  a  kind  of  electronic  explosion.  The protective shell
self-destructs, and the invader now finds himself inside the system, where  far
fewer defense mechanisms exist.
 
Tom  designed  his  own  firm's  defense  against  this  tactic.   His  program
automatically records the source of the  error, and throws the user out  of the
program.  The  program has  protection against  deliberate errors,  but most of
them don't, he says.  A major error simply collapses the program's outer
shell.
 
In my previous issue, I speculated  that a Soviet spy or agent  could penetrate
U.S.  computers.   Note:  I  did  not  assume  that he would simply phone in; I
assumed  that  a  disloyal  programmer,  or  a  team,  could plant the virus as
insiders.  From there, the virus would spread through the system through normal
telecommunications.  Several people have written  in to tell me that  a wrecker
cannot destroy  the system  by penetrating  it from  the outside.   They may be
correct.  But when informed  that I am assuming  an INSIDE JOB by  someone with
access  to  a  major  computer,  the  critics  have admitted that this might be
possible.
 
The weed of crime bears bitter fruit: FOR HONEST, COMPUTER-DEPENDENT PEOPLE.
 
 
 
                                FEDERAL FUNDS
 
 
The Federal Funds  bank transfer lines  allow banks to  borrow money overnight.
Hundreds of billions of dollars go  across these lines every working day.   The
bank's   computers   communicate   with   each   other   by   means   of   this
telecommunications hook-up.  What if someone  were to plant a long-delay  virus
in  the  software  which  operates  these  transfers?  And what banker has even
thought about this problem?
 
What if this scenario  were to take place:  A virus triggers the  disruption of
bank records -- not a total  breakdown initially, but disruptions in the  data?
It  might  be  weeks  or  months  before  auditors recognized the extent of the
problem.
 
As rumors begin to leak  out about complex accounting or  other data-management
problems of major banks all  over the U.S. (including off-shore  branches), the
various banking regulatory  agencies would be  swamped with crises  and outside
rumors.  Then, all at once, bank computers begin breaking down.
 
The rumors then explode.  The lines appear in front of banks.  The only  answer
at this point is to print up paper money.  It would be printed by the  hundreds
of billions in  order to offset  the deflationary effects  of bank runs  (paper
money which is pulled out but redeposited in another bank).
 
YOU COULD TOPPLE THE FRACTIONAL RESERVE BANKING SYSTEM ALL OVER THE WORLD.  The
entire  payments  system  could  easily  become  engulfed in chaos.  Debits and
credits would  no longer  be meaningful.   A pure  paper money  inflation would
replace  the  manipulated  "fine-tuned"  monetary  inflation  of modern central
banking.
 
All of a  sudden, market-created alternative  currencies would be  revived.  It
would  then  be  METALLIC  CASH  that  talks  loudest.   Silver  dimes  are  not
electronic.  They can't be infected electronically.  They still circulate  when
banks are "temporarily closed, due to circumstance beyond our control."
 
The  loss  of  efficiency  would  be  initially horrendous, I would guess.  The
division of labor would break down.   You could then have the crash  that lurks
in the minds and suspicions of average depositors.  Who says it cannot  happen?
A lot of public relations firms  hired by the banks -- computer  illiterates in
high places?
 
What  we  have is  AN  INTERNATIONAL  BANK  MONEY  WIRE SYSTEM which is TOTALLY
VULNERABLE to  some vindictive  programmer.  There  is little  doubt in my mind
that the bankers are desperately fearful of this sort of vandalism.  It  could
topple  people's  confidence  in  the  fractional  reserve  banking system, and
confidence is the only thing which keeps it going.
  
 
                                  CONCLUSION
 
 
Technologically, there  is no  solution at  this point.   I have  no heartening
message.  Maybe later; not now.  Keep precious metal coins.  Don't assume  that
it  can't  happen  here.   It  can.   The  only  thing  holding  it  back is the
restraining  hand   of  God,   through  the   temporary  self-restraint   of  a
technological priesthood.

T.R  Title  User  Personal Name  Date  Lines
196.1. by TONTO::EARLY () Fri Jan 24 1986 20:41 (16 lines)
re: .0

Sounds like someone 'pirated' this article from a Dave Barry interview.

If you think back a few years, there have always been, and always will be,
alarmists who make a living giving the 'worriers' something to worry about.

 Software people have a hard enough task to make the program meet MIL-TDD-41.




(Make_It_Like The_Damn_Drawing For_Once )

							Bob
 
196.2. by DELNI::GOLDSTEIN () Fri Jan 24 1986 21:00 (16 lines)
WOW!
I'm glad to see this padouk has an easy solution: Hire only white
people!  Sorta gives away his leanings a bit, doesn't it?  It wasn't
until the very end that I realized he was a professional Gold Bug,
trying to instill fear in the heart of people who would really rather
deal in commodity barter only, using metallic commodities at hopelessly
inflated prices.

Now with regards to his technical assertions, I'm no VMS expert.  
Obviously MS-DOS has the security of a paper bag.  I don't know about
MVS and the other OSs used in bank computers, but I suspect there's
more protection.  VMS, with its hardware-assisted mode protection,
seems relatively inert to viruses, unless they're put there in kernel
mode (i.e., an inside job).

Any other comments?
196.3. by SPEEDY::BRETT () Sat Jan 25 1986 00:05 (7 lines)
He seems totally incapable of distinguishing between code and data too.

/Bevin

PS: I predict that until at least VMS V6 there will be a known way of getting
all privileges from an account with none.  I can do it on V4.3 (reported
to those who need to know in VMSland).
196.4. by NY1MM::SWEENEY () Sun Jan 26 1986 15:56 (14 lines)
Most of .0 has appeared elsewhere.

I've written software for the banks, and know quite a bit about the security
of their systems.

The only surefire way to get money out is to use inside information  in order
to circumvent the usual controls at TWO banks simultaneously.  One to perform
a routine interbank transfer and then one other to divert the arriving money
to an account that can withdraw cash.

By the way, if millions and millions of dollars were being lost, banks would
be failing.  There's no way losses of that magnitude can be concealed.

Pat Sweeney
196.5. by VAXUUM::DYER () Mon Jan 27 1986 13:01 (3 lines)
			Cute article.  The guy uses hacking and such as a
		springboard for right-wing propaganda.
				<_Jym_>
196.6. by PAUPER::AUGERI () Mon Jan 27 1986 15:40 (16 lines)
But if extremists (regardless of color or race) were to make a concerted
effort to infiltrate financial or other institutions with the goal of
causing damage as described in the original article, I would think that
considerable damage could be done.  As a programmer that has been in a
position to have to modify other programmers' code I know it can be very
difficult to figure out what some of the code does.  I would think that it
would be quite easy to plant a worm that produced meaningless backup
tapes, something that would not be detected until some other event
required using the backups.

I think he has gone overboard in his alarm, but at the same time, there
are several weaknesses in even the most sophisticated OSs.  For example,
as Bevin (is he bragging, or what? :-)) points out, even VMS, which has
had to deal with an international computer network, has security flaws.

	Mike
196.7. by AJAX::CALLAS () Mon Jan 27 1986 16:51 (9 lines)
I think it's silly. It's easier to go to a hardware store and make some pipe
bombs than it is to trash an OS. Now, admittedly, some banks do some awfully
stupid things (like transmitting to and from ATMs on unencrypted lines), but
some banks are also lax on more traditional security too. If I wanted to destroy
the western world's banking structure, I would not do it with the computers.
It's not as an effective expenditure of time and effort as more traditional
means are.

	Jon 
196.8. by MOSAIC::CAMPBELL () Mon Jan 27 1986 18:27 (17 lines)
The bit about scrambled backup tapes (going back years!) is also bunk.
Any computer system that handles money and which can't be permitted
to be down for more than a few hours has contingency plans that include:

    -	Checking backup tapes periodically (weekly or monthly) to make
	sure the tapes can be read (tape drives do go bad, you know)

    -	Arrangements with a backup site -- a similarly configured but
	geographically removed site -- which could take over the load
	in the event of a physical disaster, like fire or flood.  These
	arrangements usually include an actual test, once a year or so,
	in which the backup site actually runs (usually in parallel with
	the original site) a real workload.

MIS managers like to keep these plans quiet, for obvious reasons.  (Want
to trash a bank bad?  Firebomb the DP building AND the backup site.)
But they do exist -- at DEC as well as at financial institutions.
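
The scenario in .6 (a backup job that quietly writes meaningless tapes) set against the periodic tape checks listed in .8, as an added example that is not part of the original notes. It assumes a tar file stands in for the tape and that the manifest is computed from the live data and stored out of the backup job's reach; all file and function names are hypothetical and the sample data is constructed.

```python
import hashlib
import io
import os
import tarfile
import tempfile


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def build_manifest(files):
    """Digest of every file, taken from the live data at backup time.

    Assumption: this runs separately from the backup program and its
    output is kept where the backup job cannot rewrite it.
    """
    return {name: sha256_bytes(data) for name, data in files.items()}


def write_archive(path, files):
    """Stand-in for the backup program: writes name -> bytes into a tar."""
    with tarfile.open(path, "w") as tar:
        for name, data in sorted(files.items()):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))


def readable(path):
    """The weak check: every member can be read end to end."""
    try:
        with tarfile.open(path, "r") as tar:
            for member in tar:
                if member.isfile():
                    tar.extractfile(member).read()
        return True
    except (tarfile.TarError, OSError):
        return False


def verify_archive(path, manifest):
    """The stronger check: restored bytes must match the manifest."""
    report = {"missing": [], "mismatch": [], "unexpected": []}
    seen = set()
    with tarfile.open(path, "r") as tar:
        for member in tar:
            if not member.isfile():
                continue
            seen.add(member.name)
            digest = sha256_bytes(tar.extractfile(member).read())
            if member.name not in manifest:
                report["unexpected"].append(member.name)
            elif digest != manifest[member.name]:
                report["mismatch"].append(member.name)
    report["missing"] = sorted(set(manifest) - seen)
    return report


def demo():
    # Constructed sample data, not taken from any real system.
    live = {
        "ledger/accounts.dat": b"acct=1001;balance=250.00\n" * 40,
        "ledger/audit.log": b"1986-01-27 transfer ok\n" * 10,
        "config/rates.txt": b"prime=9.5\n",
    }
    manifest = build_manifest(live)

    # A faulty or sabotaged backup run: one file replaced by filler of
    # the same length, one file silently dropped.
    damaged = dict(live)
    damaged["ledger/accounts.dat"] = b"\x00" * len(live["ledger/accounts.dat"])
    del damaged["ledger/audit.log"]

    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "good.tar")
        bad = os.path.join(tmp, "bad.tar")
        write_archive(good, live)
        write_archive(bad, damaged)
        return {
            "good_readable": readable(good),
            "bad_readable": readable(bad),
            "good_report": verify_archive(good, manifest),
            "bad_report": verify_archive(bad, manifest),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The damaged archive passes the readability check, so only the comparison against independently recorded digests shows that the restore would be worthless.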
196.9. by GRAFIX::MUNYAN () Mon Jan 27 1986 20:05 (8 lines)
Re: .8

The place I used to work had two backup sites arranged.  Very few (I think
3 people) knew who they were.  The systems were identically configured
all the way down to the tape drives.

Steve

196.10. by REX::MINOW () Mon Jan 27 1986 23:50 (13 lines)
... take down the western world with computers? ...

Not as hard as you might guess.  The Bank of New York's wire-transfer
computer went down for a day or so a couple of months ago.  It caused
a noticeable hiccup in the banking system (the prime rate dropped and
lots of platinum futures got traded).  Details were published in
the Wall Street Journal, and discussed in the ARPA Risks Digest.

There was a Swedish "crime-novel" published a few years back with
some quite reasonable scenarios.  If I can find my copy, I'll post
the juicy details.

Martin.
196.11. by SUBA::WALL () Tue Jan 28 1986 12:13 (15 lines)
Everyone assumes that this sort of shenanigans would transpire over some
kind of remote access.  How about one bad apple on the programming staff?
Admittedly, that business with the backup tapes is quite a lot of horse
puckey unless the entire operations staff is asleep at the switch, but an
inside job of this sort really could be devastating.

I used to have a summer job as an operator for the State of Rhode Island.
That means all the files on taxation, public assistance, motor vehicle
registration, and any other public business were at my fingertips.  Not to
mention all those wonderful Big Blue transaction processing systems that
do updating on the fly.  And all the state's checks were in a room about
fifty feet away.  I couldn't have wiped everything out, but I could have
made it go away for about three weeks.

Dave Wall
196.12. "Yea, sure" by CLT::COWAN (Ken Cowan, 381-2198) Sun Feb 23 1986 00:38 (17 lines)
    RE: .0
    
    I don't believe a word of it.
    
    First, as pointed out earlier, data isn't code.   Second, a
    sophisticated worm would take a lot of code.   You can't hide
    a large piece of code that easily.
    
    What I think is possible is for a mad programmer to put bugs in
    a system such that it suddenly stops working.   All I see that doing
    is pissing people off.   Maybe you shut a company down for a couple
    of days, so what?   
    
    I believe that there will always be lots of honest intelligent people who
    would get big kicks out of thwarting an extortionist.

    	KC
196.13. "hmm.. interesting issue on SW Security" by PRSIS3::DTL (Paris, France) Sun Feb 23 1986 07:38 (7 lines)
   A visit in this file is worth the time.
   
   Interesting root topic and replies. Do you mind if I move this
   discussion in the new SECURITY_INFORMATION conference on PRSIS3::?
   (that is I extracted the whole thing already :-)

   Didier
196.14. by RANI::LEICHTERJ (Jerry Leichter) Wed Feb 26 1986 12:19 (49 lines)
A couple of points:

With regard to the IDC (the Waltham bank clearing company) problem:  A friend
of mine works for them, in exactly the group that does that stuff.  They know
exactly what the hackers did.  No, they did not do any damage; in fact, they had
almost no read access.  They dialed into a system whose phone number was
"secret" - hah, tens of thousands of people knew it - and they knew how to get past
the first level of prompts - again, using information known to thousands of
people.  They could get to a prompt that, if they knew the password, could get
them in further - the kind of thing that scares people who don't understand
what's going on - but they had no idea how to go further.

With regard to screwing up backup tapes:  It's not as impossible as you think.
If I were doing this, I wouldn't write garbage on the tape - I'd encrypt the
stuff going to the tape.  Until the time-bomb exploded, the decrypter would
work, and no one would be the wiser, unless they, by some chance, chose to
look at the raw data on the tape.  After the time-bomb explodes, the tape
contains just random bits.  The encryption routines might be big, but a user
who's concerned about security, and encrypts stuff himself, is even MORE
vulnerable:  I'd modify the KEY he enters.  Now, even an inspection of the tape
does no good - you EXPECT to see random junk; it's encrypted - and breaking
the encryption is hard - after all, it's the encryption the user paid good
money for.

Of course, the victim can take his backup copies of the backup program and
try to run it in an environment that looks "pre-time-bomb" - e.g., set
the system time back.  But there are so many things the program can trigger on
(e.g., if there are mass restores of stuff with dates ON THE TAPE beyond
three months BEFORE the time-bomb would otherwise explode) that it would be
easy to reduce the victim to having to read the compiled machine code and
try to figure out what was going on.  Considering how hard it is to understand
the commented source code, even if there is no attempt at concealment, I would
not envy anyone this task.

A nice general comment on security I saw on some net group:  With a secure
system, the hacker is like a bull in a china shop:  You can always buy new
china, but the bull is dead meat.  Prevention is always preferred, but if your
system stands a very good chance of DETECTING and tracing breakins, and you
are visibly tough on those you catch, very few people will be tempted to try
anything.  That's the way traditional security systems have ALWAYS worked.
(For example, in every army since the beginning of time, local paymasters have
tried to collect salaries for phantom soldiers.  It's just about impossible to
prevent them from doing it.  However, over a period of time, you can almost
always detect the fraud - when the paymaster is replaced, or the unit is
reorganized, or when time goes by and those phantoms either seem never to retire
or retire but keep disappearing.  Then, you go back and clobber the guy who
did it - and you make sure every paymaster knows about this.  Relatively
few will tempt fate.)
							-- Jerry

196.15. "Time bombs can be detected" by LATOUR::AMARTIN (Alan H. Martin) Wed Feb 26 1986 12:51 (20 lines)
I assert that BACKUP time-bombs are unlikely to go undetected if installed
in the manufacturer's distributed copy of the software for popular O/S's.
I've seen a lot of messages over the past few years asking for programs
that run on VMS and Unix to read PDP-10 BACKUP and DUMPER tapes.
Presumably there are programs that read VMS BACKUP tapes on Unix, and
Unix tar tapes on VMS.  Hell, customers who own both systems would assert
that DEC itself ought to provide them.

Once you get such programs out into the field, it would be impossible
to release a new copy of, say VMS BACKUP which secretly encrypts user
data without someone noticing rather soon when they tried to move data
to a Unix system.  You also get the same protection from people who
try to interchange data by writing it with a Vn BACKUP, and giving it
to a site that has not upgraded, and tries to read it with Vn-1.

Also, I believe that part of the standard procedure for fire-storage
of archival tapes off-site is to try to read them off-site.  This means
that time-bombs only perpetrated at one site are detectable if you already
are taking reasonable care.
				/AHM
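
The cross-check argued for in 196.15, as an added example that is not part of the original notes: digests are taken from the source files before backup, and the tape image is read back by a second, independent reader instead of the program that wrote it. tar stands in for the BACKUP format; the file names, contents and the data-altering writer are constructed for illustration.

```python
import hashlib
import io
import tarfile

BLOCK = 512  # tar block size

def write_backup(files, transform=lambda data: data):
    """Stand-in backup program; `transform` models a writer that alters data."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name, data in files.items():
            payload = transform(data)
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()

def independent_read(image):
    """Second implementation: walks ustar headers by hand, never calls tarfile."""
    members, pos = {}, 0
    while pos + BLOCK <= len(image):
        header = image[pos:pos + BLOCK]
        if header == bytes(BLOCK):          # zero block marks end of archive
            break
        stored = int(header[148:156].rstrip(b"\0 "), 8)
        # The header checksum is computed with its own field read as 8 spaces.
        if stored != sum(header[:148]) + 8 * 0x20 + sum(header[156:]):
            raise ValueError(f"bad header checksum at offset {pos}")
        name = header[:100].rstrip(b"\0").decode()
        size = int(header[124:136].rstrip(b"\0 ") or b"0", 8)
        members[name] = image[pos + BLOCK:pos + BLOCK + size]
        pos += BLOCK + -(-size // BLOCK) * BLOCK   # data is padded to a block
    return members

def verify(image, manifest):
    """Names whose content, as read independently, differs from the manifest."""
    members = independent_read(image)
    return sorted(name for name, digest in manifest.items()
                  if name not in members
                  or hashlib.sha256(members[name]).hexdigest() != digest)

# Constructed sample; the manifest is taken from the source files before backup.
FILES = {"payroll.dat": b"EMP001,4200\nEMP002,3900\n", "ledger.txt": b"Q4 total 118250\n"}
MANIFEST = {n: hashlib.sha256(d).hexdigest() for n, d in FILES.items()}

if __name__ == "__main__":
    altered = write_backup(FILES, lambda d: bytes(b ^ 0x5A for b in d))
    print("honest :", verify(write_backup(FILES), MANIFEST))
    print("altered:", verify(altered, MANIFEST))
```

The altered image still has valid headers and restores cleanly through its own writer's format, so only the comparison against digests taken outside the backup path flags it.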

196.16. "Random thoughts on security" by NERSW5::BEELER () Thu Feb 27 1986 21:40 (23 lines)
    I felt that a couple of things should be said here.
    First, of all the operating systems that I have worked with
    (VMS, AOS/VS, WANG/VS, some IBM, and even some of the other DEC operating
    systems), VMS is the only one that stores passwords that are not
    plaintext.
    
    This makes it easy to get all accounts/passwords, obviously.
    
    Second, most of these people relied on the fact that the
    CLI was present before logging in, a la RSX, PRIMOS. This is a
    great gateway into the OS, as opposed to USERNAME:
    
    Being on the staff of the computer center for a large local
    university, lots of security problems were seen, but when
    found they were fairly easy to fix. Most of these relied on
    Discovered usernames, default password for prived accounts
    PRE 4.0 VMS was a problem.
    
    Would not periodic updates of the OS software wipe out any
    modified code that had been placed there?
    
    A book published by one of the computer crackers {see crime does
    pay!!} relied on most of the above mentioned methods.

196.17. "" by 2LITTL::RASPUZZI (Michael Raspuzzi) Fri Feb 28 1986 16:09 (6 lines)
    Re .16: TOPS-20 V6.1 can be set up so that passwords can be encrypted
    for security reasons. The password is still stored as a mess of
    text on disk in the same place it always is. VMS does not leave
    you a choice, it always encrypts (I'm all for encryption anyway).
    
    Mike

196.18. "isn't this a security issue? let's move it." by PRSIS3::DTL (Paris, France) Sat Mar 01 1986 08:50 (7 lines)
   re: .14... Seems that there are two discussions on the same subject
   going on. Jerry, I suggested your encrypted scenario too.
   
   See PRSIS3::SECURITY_INFORMATION, notes #9 and #10 for more on Worms
   and time bombs.
   
   Didier