Computer underground Digest Sun Oct 25, 1992 Volume 4 : Issue 53 Editors: Jim Thomas and Gordon Meyer (TK0JUT2@NIU.BITNET) Archivist: Brendan Kehoe Shadow-Archivists: Dan Carosone / Paul Southworth / Ralph Sims Copy Editor: Etaion Shrdleaux, Sr. CONTENTS, #4.53 (Oct 25, 1992) File 1--Re: CuD 4.49 - Viruses--Facts and Myths (1) File 2--Re: CuD 4.49 - Viruses--Facts and Myths (2) File 3--Further Disclosures In 911/"Legion of Doom Case" File 4--NY State Police Decriminalize the word "Hacker" (Newsbytes) File 5--Update on Toronto Bust of Early October File 6--SRI Seeks "Phreaks" for New Study File 7--XIOX's Anti-Phone-Fraud Products (Press Release) File 8--CSC "Anti-Telecom Fraud" Device File 9--The CU in the News (from Info Week) Cu-Digest is a weekly electronic journal/newsletter. Subscriptions are available at no cost from tk0jut2@mvs.cso.niu.edu. The editors may be contacted by voice (815-753-6430), fax (815-753-6302) or U.S. mail at: Jim Thomas, Department of Sociology, NIU, DeKalb, IL 60115. Issues of CuD can also be found in the Usenet comp.society.cu-digest news group; on CompuServe in DL0 and DL4 of the IBMBBS SIG, DL1 of LAWSIG, and DL0 and DL12 of TELECOM; on Genie in the PF*NPC RT libraries; from America Online in the PC Telecom forum under "computing newsletters;" on the PC-EXEC BBS at (414) 789-4210; in Europe from the ComNet in Luxembourg BBS (++352) 466893; and using anonymous FTP on the Internet from ftp.eff.org (192.88.144.4) in /pub/cud, red.css.itd.umich.edu (141.211.182.91) in /cud, halcyon.com (192.135.191.2) in /pub/mirror/cud, and ftp.ee.mu.oz.au (128.250.77.2) in /pub/text/CuD. Back issues also may be obtained from the mail server at mailserv@batpad.lgb.ca.us. European distributor: ComNet in Luxembourg BBS (++352) 466893. COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing information among computerists and to the presentation and debate of diverse views. CuD material may be reprinted for non-profit as long as the source is cited. Some authors do copyright their material, and they should be contacted for reprint permission. It is assumed that non-personal mail to the moderators may be reprinted unless otherwise specified. Readers are encouraged to submit reasoned articles relating to computer culture and communication. Articles are preferred to short responses. Please avoid quoting previous posts unless absolutely necessary. DISCLAIMER: The views represented herein do not necessarily represent the views of the moderators. Digest contributors assume all responsibility for ensuring that articles submitted do not violate copyright protections. ---------------------------------------------------------------------- Date: Fri, 23 Oct 92 01:23:48 EST From: spaf@CS.PURDUE.EDU(Gene Spafford) Subject: File 1--Re: Cu Digest, #4.49- Viruses--Facts and Myths (1) In the Digest, #4.49, "Dark Adept" provided a long article on virus facts and myths. Unfortunately, he/she got several "facts" incorrect. I could try to make a point about the danger of correct-sounding material being mistaken for factual simply because it is well-written, and on the difficulty of verifying information presented from behind a pseudonym and without citations, but will leave that for another rant. :-) I'll try to correct a few of the more glaring errors. The interested reader should consult one of the well-researched and documented texts on the market for further details. I'd suggest Ferbrache's excellent text "A Pathology of Computer Viruses" (Springer-Verlag), Hoffman's collection "Rogue Programs" under the Van Nostrand Reinhold imprint, and Denning's "Computers Under Attack" by Addison-Wesley. Also of value are Hruska's "Computer Viruses and Anti-Virus Warfare" and the badly overpriced "Computer Virus Handbook" edited by Highland. The comp.virus newsgroup (Virus-L mailing list) has a very nice FAQ article compiled by several knowledgeable researchers and authors in the area of computer viruses that addresses many of these points and provides pointers to additional information. Now for my comments. > A virus is a tiny program that attaches itself to other programs. It does Viruses do not need to be tiny. > a chance of catching a virus. Data files (files that are not programs, like > text for your wordprocesser) cannot contain viruses. Wrong. Data files can contain viruses in two ways. First, they may contain viruses that are in a non-threatening format. For instance, a text file may contain a virus encoded as hex digits. This is not a threat, per se, but is a virus. This is the pedantic objection. However, it is also possible for a virus to be present in a form that causes it to be interpreted. For instance, a virus can be written in Lotus 1-2-3 macros in a spreadsheet. The spreadsheet is not a program, but is has elements that can be executed and act like a virus. Likewise, a virus can be written in GNU Emacs macros that are automatically executed when a file is read with Emacs (unless the "inhibit-local-variables" variable is set correctly). Viruses can be written for .bat files under DOS, and these are not considered to be programs by everyone. However, they get executed, and that means that a virus can be in one of them. > The only way to activate the virus is to run the program. Including my examples given above, this is not strictly true, either. Some Mac viruses activate when one inserts a disk into the drive and the desktop is read (under System 6.0.x). This does not involve executing a program, but interpreting code present on the disk. Other examples exist, but you get the point. > Another thing is batch files. These are files on IBM PC's that end in ".bat". > These DO NOT contain viruses. However, they could. The viruses would be easy to spot and probably not very effective, but they could be written, just as Unix shell script viruses can be written. (For instance, see Tom Duff's paper in "Computing Systems" of a few years ago.) > Ok. Viruses can only be made for specific machines. By this I mean > that a virus that infects IBM PC's will NOT be able to infect Macs. > There may be a tiny tiny chance if your Mac is running something like > an IBM Emulator that a virus may cause problems, but in general, if > you have a non-IBM compatible computer, and you can't run IBM software, > then you can't catch IBM viruses and vice-versa. Wrong. A virus written in spreadsheet macros or Perl or some other higher-level language will indeed work on any machine that supports an interpreter for that high-level language. Also, we have seen cases of viruses written for DOS machines (Intel 80x86 architecture) able to run on DOS emulators under MacOS -- it isn't a tiny chance, but a real possibility. > For the most part, only personal computers (i.e., IBM PC's and Macs) are > affected by viruses. On IBM's, they are usually limited to DOS, so if > you are running Unix on a 386 you don't really need to worry (yet). Wrong. Boot sector infectors are generally able to spread to Unix disks. Usually they just wipe out the Unix boot sector. This should indeed be a worry. If the Unix disk shares the same boot record format as MS-DOS, it's even more of a worry (luckily, this isn't generally the case). > If you buy the software from > a computer store, you don't have to worry. Once in a million there might > be some type of problem, but in general, store purchased software will > NEVER have a virus. Wrong. Some stores will take software back for refunds after it has been used in machines with viruses. Thus, the store software will be infected. Some stores even put new shrink-wrap over the packages so you can't tell it happened. Other stores will use the software in the store in their machines to demo it or to make sure it works the way you think. Again, this is a source of viruses -- many store systems are badly infected. Finally, there are many incidents where vendors have shipped their software to stores with the disks already infected with a virus. Getting software from a store is NOT a guarantee that it is free from viruses. > There are 3 main types of "anti-virus" software available: > > o Scanners > o Detectors > o Removers This is not how most experts in the field classify such software. > Each virus has what the anti-virus geeks call a "footprint". We "geeks" usually refer to it as a signature. I know of no one reputable who refers to these as "footprints." [Dark Adept then goes on to explain his "detectors" and jumbles together activity monitors and integrity checkers. I won't bother explaining the nuances here -- consult one of the references. However, many of his points are off the mark, especially as regards integrity monitors.] > Nine times out of ten, a disinfector will have to > delete *ALL* the programs that are infected. Gone. Erased. Never to come > back. Some can get out the virus without deleting files, but this is > rare. Not so rare -- several such programs exist and work quite well. In the Mac world, almost all viruses can be successfully disinfected by John Norstad's "Disinfectant". Skulason's F-Prot does a very good job on removing most MS-DOS viruses. It is not rare at all. [Dark Adept then recommends Central Point Software. We can't tell if this is an informed opinion based on comparison, or if Dark Adept is really the president of Central Point and trying to scam us because we have no idea who or what Dark Adept really is. In general, thorough and impartial tests conducted by places like the Hamburg virus research group and by the Virus Bulletin have revealed that Skulason's F-Prot and Dr. Solomon's Toolkit are far and away the most complete and effective anti-virus tools for MS-DOS. Interested readers can consult those mentioned and similar references for details. Neither Skulason nor Solomon are greedy SOBs like some other vendors in the arena (I agree with Dark Adept that there are some notable ones out there). In fact, Skulson's product is free for personal use at home!] > A virus is made up of two basic parts: an infector and a destructor. > The INFECTOR is the part of the program which hides the virus and makes > it spread. The DESTRUCTOR is the mischief maker. This is the part > that draws crazy pictures on your screen or erases a file on you. Not strictly true. Many viruses cause damage because the people who wrote them aren't as clever as they like to think they are, or because new hardware & software configurations have come along that weren't anticipated by the virus author. The result is that the virus causes damage as it tries to spread by overwriting critical data or poking into the wrong memory locations. This is one of the principle reasons that *NO* virus is harmless -- two or three years from now, something that appeared harmless in someone's home system may cause a massive failure in the machines at a business or laboratory with a vastly different set of configuration parameters. > "The first virus was written by..." > No one knows. However, if you were to ask me, I will say the first > virus was written by the first person who made copy-protection. Pure bullshit -- an apologist attempt to justify pirating and/or virus writing. Many copy protection schemes bear no real resemblance to viruses, and in any event they don't replicate themselves into other software. Ferbrache and I both have good evidence that the first PC viruses were written in 1981 (2 years before Cohen thought of the idea). Many people credit Ken Thompson with the first virus because of his Turing Award lecture on trust. Others credit early core wars experimenters. It depends on how you formally define virus. The definition I use sides with the ones who credit Thompson. [Dark Adept then claims that viruses aren't a problem because in all his limited academic experience he has seen only a few cases of viruses. This is like claiming that elephants don't exist because he hasn't seen one in years while living in Illinois. Business and government sites continue to report wide-spread and continuing outbreaks. Viruses exist and they continue to be a significant problem. It's not the end of the world, but it is not getting better and it is real.] > I just hoped I made this virus thing clearer. This is not based > on any virus "expertise" I have, just a thorough knowledge of > computers and my experience with them (which is extensive). I am not a > "virus expert" nor am I a virus author. But next time someone tries to > scare you or calls themselves a "virus professional" call them an idiot. OKay, you're an idiot. > They don't even want to format a hard drive, just have a little > fun programming. Once in a while one of their "projects" might get out > of hand, but they're not there to make your life miserable. Sure I'd be > pissed at em if Flight Simulator got infected, but no biggie. Just clean > up and reinstall. Fun, hell. If I set fire to your house because I wanted to have a little fun, don't get bent out of shape -- it's your own fault for not having sprinklers, right? Just get the insurance money and move somewhere else. If the people who write viruses are so talented and bored, there are lots of other things they could do that would be of benefit to others around them and might be just as much fun. Committing indirect acts of vandalism are not "fun" for the victims nor is it the fault of the people who are conducting research or a business on the systems that get hosed. There are people using their systems for more critical efforts than "Flight Simulator" -- and they don't have time, personnel, or resources to backup their systems every 10 minutes...nor should they be forced to. Virus writing is nothing more than vandalism and is solely the fault of the virus authors. --spaf ------------------------------ Date: Tue, 13 Oct 92 08:09:24 EDT From: "David M. Chess" Subject: File 2--Re: CuD 4.49 - Viruses--Facts and Myths (2) This is a brief reply to the file from The Dark Adept that appeared in CuD 4.49. As an anti-virus weenie myself, I'm speaking from a rather different point of view, obviously. On the other hand, I don't claim to be speaking for the anti-virus weenie community as a whole; this is just a few personal reactions, written during a sanity break from some heavy debugging. Most of the factual stuff in the Adept's file is generally correct (and amusingly phrased!). A few notes: - It's not really just .COM and .EXE files in DOS that can carry viruses. Those are the most common vectors, but since there is a DOS call that will execute a file of any name at all as a program, and some viruses infect when that call is used, you have to look in all your files during a cleanup operation. For instance, if you have a game program in FINOGA.COM, and all it really does is display the game-company logo and then run FINOGA.BNX, some of the most common file-infecting viruses will be able to infect FINOGA.BNX, and if you don't clean it up from there, you're still infected. - It's possible (just barely) to write a virus for a BAT file. But no one's figured out how to do it in a reliable or non-obvious way, so there are no BAT viruses "in the wild", and users don't have to worry about them. The same applies to (for instance) worksheet files for spreadsheet programs; since they can contain things like autostart macros, it's theoretically possible to write a virus that infects them, but there are none in the wild. The Adept writes that viruses are more common on personal computers because they "need access to memory that they shouldn't have, and on a personal computer, there is nothing to stop them from getting it." This is a common misconception. In fact, viruses *don't* need access to memory that they shouldn't have; all they need to be able to do is read and write program files (the same way that your compiler, your patch program, your file manager, and so on, do). Experimental viruses have been written for larger non-personal computers, and they work just fine (ask your local librarian for a list of papers by Fred Cohen from the computer science literature for some good details of this sort of thing). The reason we don't see viruses for larger computers is that software for them does not flow as freely as software for personal computers. Quick, how many people reading this have a diskette in some pocket? OK, now how many have a 9-track tape reel? The Adept's confidence about the cleanliness of store-purchased software is, I fear, somewhat unfounded. There have been numerous reports of legitimately-purchased software accidentally shipped (or infected at the point of sale) with a virus. As software producers and sellers become aware of the problem and better instrumented to prevent it, we can hope it will become increasingly rare. But more than one system has become virus infected even though "all I ever use is shrink-wrapped software, honest!". > Each virus has what the anti-virus geeks call a "footprint". Actually, we anti-virus geeks call it a "signature" or a "scan-id". Most of the rest of the Adept's comments are quite correct. I would observe that most infections in the real world are caused by viruses that have been out for some time, so it's not incredibly vital to have this week's copy of your scanner. This quarter's copy is probably a good idea, though! Also, modern scanners tend to be good at detecting small variants of viruses that they have signatures for, so if someone creates a "new" virus by the usual method of munging an old one, many scanners will still find it. One disadvantage of modification detectors that the Adept doesn't mention is that they are prone to false positives. That is, when you install a new version of HyperWunga, and it changes five-godzillion programs on your disk, the next time you run your modification detector it will of course tell you that lots of programs have changed. How do you know that none of them were changed by a virus rather than WungaInstall? You probably don't. The Adept somewhat underestimates the abilities of virus removers. In fact, a good remover will be able to restore almost all of the objects infected by almost all common viruses to almost their original state; it should *never* delete a file without asking your permission first. Note all those "almost"s, though; many viruses are very buggy, and if *I* had an actual infection on a machine I cared about, I would restore the infected objects from backups, even if I had a remover that claimed to work correctly on that virus. The other choice is to trust both the virus and the remover not to have done anything wrong. A good remover, of course, will know which viruses are buggy, and warn you about the files that might be corrupted. Microcomputer viruses probably don't matter much to the Net, as the Adept points out. We should keep in mind, though, similar things that matter more to the Net: there was this little worm the other December, for instance! Spreading things can impact just about any kind of computer system, if the culture and the connectivity are right. Adept also offers the usual "virus writers are just nice guys who like to write interesting programs" line. May be true; I don't know any actual virus writers. I would, however, like to ask how all that hard-disk-trashing code got in there. Did someone sneak into the Nice Guys' rooms at night and type it in? The people who write destructive viruses clearly have some maladjustments that need to be cleared up before I'd let them near any of *my* offspring. Even viruses that aren't meant to be destructive generally wreak havoc and cause pain as they spread. I have no quarrel with someone who writes a virus just to play with and takes reasonable measures to make sure it never gets to anyone who doesn't want it. But the authors of the viruses that are currently in the wild messing up machines (accidentally or on purpose) don't qualify. I certainly agree that there's been quite a bit of hype in the anti-virus field. As usual, of course, one should blame the marketing departments rather than the coding labs! *8) The world is certainly not about to end, and the average user should probably take about the same level of precautions against viruses that she does against, say, a hard disk failure. Get a couple of good backup programs, and a couple of good anti-virus programs, and use them well! And bring up your kids to have something more interesting to do with a computer than write code that hurts other folks... ------------------------------ Date: Wed, 21 Oct 92 03:23:28 EDT From: mcmullen@MINDVOX.PHANTOM.COM(John F. McMullen) Subject: File 3--Further Disclosures In 911/"Legion of Doom Case" ((MODERATORS' NOTE: We periodically reprint articles from NEWSBYTES, which we consider the best single on-line source of information on the nets. Barbara and John McMullen, the authors of most of the articles we reprint, are perhaps the most capable and incisive computer journalists in the country. They consistently provide indepth, accurate, and comprehensive stories that provide an antidote to the generally mediocre coverage of other media. We have no formal way to commend them for their principled and thorough stories other than say "Thanks!" Newsbytes is a commercial news service with bureaus from Moscow to Sydney, Australia. It publishes a minimum of 30 stories related to technology 5 days a week. It reaches approximately 4.5 million people through electronic distribution including Compuserve, GEnie, America OnLine, AppleLink, DIALOG, Newsnet, Clarinet and various foreign services. It is also distributed to some individual BBS systes for a relatively small charge. For information on pricing, contact Wendy Woods 415 550-7334)) ++++++ NEW YORK, NEW YORK, U.S.A., 1992 OCT 20(NB) -- In a discussion with Newsbytes, Sgt. Kurt Leonard of the Chesterfield County, Virginia Police Department disclosed further information concerning the on-going investigation of alleged 911 disruption throughout the eastern seaboard of the United States by individuals purporting to be members of the hacker group "The Legion of Doom" (LOD). Leonard identified the individual arrested in Newark, New Jersey, previously referred to only as "Maverick", as Scott Maverick, 23. Maverick has been charged with terroristic threats, obstruction of a government function, and illegal access to a computer. He is presently out on bail. Leonard said that David Pluchino, 22 was charged to the same counts as Maverick and an additional count of the possession of burglar tools. Leonard said that Pluchino, the subject of a 1990 Secret Service "search and seizure" action under the still on-going "Operation SunDevil" investigation" possessed information linking him with members of the Legion of Doom. The Legion of Doom connection has become the subject of controversy within the online community. Although Maverick has been quoted as saying that he is a member of the group and that that the group's intent was "to attempt to penetrate the 911 computer systems and inflect them with viruses to cause havoc", members of the group have disavowed and connection with those arrested. "Lex Luthor", one of the original members of the group told Newsbytes when the initial report of the arrests became public "As far as I am concerned the LOD has been dead for a couple of years never to be revived. Maverick was never in LOD. There have been 2 lists of members (one in phrack and another in the lod tj) and those lists ar the final word on membership. We obviously cannot prevent copy-cats from saying they are in lod. When there was an LOD, our goals were to explore and leave systems as we found them. The goals were to expose security flaws so they could be fixed before REAL criminals and vandals such as this Maverick character could do damage. If this Maverick character did indeed disrupt E911 service he should be not only be charged with computer trespassing but also attempted murder. 911 is serious business." Lex Luthor's comments, made before the names of the arrested were released, were echoed by Chris Goggans, a/k/a "Erik Bloodaxe, and Mark Abene, a/k/a Phiber Optik, both ex-LOD members and by Craig Neidorf who chronicled the membership of LOD in his electronic publication Phrack. When the names of the arrested became public, Newsbytes again contacted Lex Luthor to see if the names were familiar. Luthor replied "Can't add anything, I never heard of them." Phiber Optik, a New York resident told Newsbytes that he remembered Pluchino as a person that ran a computer "chat" system called "Interchat" based in New Jersey. Phiber added "They never were LOD members and Pluchino was not known as a computer hacker. It sounds as though they were LOD wanabees who are now, by going to jail, going to get the attention they desire." A law enforcement official, familiar with the SunDevil investigation of Pluchino, agreed with Phiber, saying "there was no indication of any connection with the Legion of Doom." The official, speaking under the condition of anonymity, also told Newsbytes that the SunDevil investigation of Pluchino is still proceeding and, as such, cannot be commented on. Leonard also told Newsbytes that the investigation has been a joint effort of New Jersey, Maryland and Virginia police departments and said that, in conjunction with the October 9th 2:00 AM arrests of Pluchino and Maverick, a simultaneous "search and seizure" operation was carried out at the Hanover, Maryland home of Zohar Shif, a/k/a "Zeke", a 23 year-old who had also been the subject of a SunDevil search and seizure. Leonard also said that, in addition to computers taken from Pluchino, material was found "establishing a link to the Legion of Doom." Told of the comments by LOD members that the group did not exist anymore, Leonard said "While the original members may have gone on to other things, these people say they are the LOD and some of them have direct connection to LOD members and have LOD materials." Asked by Newsbytes to comment on Leonard's comments, Phiber Optik said "The material he's referring to is probably text files that have been floating around BBS's for years, Just because someone has downloaded the files certainly doesn't mean that they are or ever were connected with LOD." (Barbara E. McMullen & John F. McMullen/19921020) ------------------------------ Date: Wed, 21 Oct 92 03:23:28 EDT From: mcmullen@MINDVOX.PHANTOM.COM(John F. McMullen) Subject: File 4--NY State Police Decriminalize the word "Hacker" (Newsbytes) The following appeared on Newsbytes (10/21/92). Newsbytes is a commercial service an its material is copyrighted. This piece is reprinted with the express permission of the authors. ========================================================== ALBANY, NEW YORK, U.S.A., 1992 OCT 21(NB) -- Senior investigator Ron Stevens of the New York State Police Computer Unit has told Newsbytes that it will be the practice of his unit to avoid the use of the term "hacker" in describing those alleged to have committed computer crimes. Stevens told Newsbytes "We use the term computer criminal to describe those who break the law using computers. While the lay person may have come to understand the meaning of hacker as a computer criminal, the term isn't accurate. The people in the early days of the computer industry considered themselves hackers and they made the computer what it is today. There are those today who consider themselves hackers and do not commit illegal acts." Stevens had made similar comments in a recent conversation with Albany BBS operator Marty Winter. Winter told Newsbytes ""Hacker" is, unfortunately an example of the media taking what used to be an honorable term, and using it to describe an activity because they (the media) are too damned lazy or stupid to come up with something else. Who knows, maybe one day "computer delinquent" WILL be used, but I sure ain't gonna hold my breath. Stevens, together with investigator Dick Lynch and senior investigator Donald Delaney, attended the March 1993 Computers, Freedom and Privacy Conference (CFP-2) in Washington, DC and met such industry figures as Glenn Tenney, congressional candidate and chairman of the WELL's annual "Hacker Conference"; Craig Neidorf, founding editor and publisher of Phrack; Steven Levy, author of "Hackers" and the recently published "Artificial Life"; Bruce Sterling, author of the recently published "The Hacker Crackdown"; Emmanuel Goldstein, editor and publisher of 2600: The Hacker Quarterly and a number of well-known "hackers". Stevens said "When I came home, I read as much of the literature about the subject that I could and came to the conclusion that a hacker is not necessarily a computer criminal." The use of the term "hacker' to describe those alleged to have committed computer crimes has long been an irritant to many in the on-line community. When the the July 8th federal indictment of 5 New York City individuals contained the definition of computer hacker as "someone who uses a computer or a telephone to obtain unauthorized access to other computers.", there was an outcry on such electronic conferencing system as the WELL (Whole Earth 'Lectronic Link). Many of the same people reacted quite favorably to the Stevens statement when it was posted on the WELL. (Barbara E. McMullen & John F. McMullen/19921021) ------------------------------ Date: Fri, 23 Oct 92 18:21:12 CDT From: Moderators Subject: File 5--Update on Toronto Bust of Early October When Toronto Metropolitan Police apprehended a 15 year old "computer hacker" in the first week of October for disrupting the Toronto E911 system, the details about the extent of computer use was raised. From initial reports, it appeared that the primary offense involved repeated telephone hoaxes rather than an actual penetration of the E911 computer system itself. Today, a spokesperson for the Toronto Metropolitan Police, the agency in charge of the case, provided further details. The disruption of the system itself involved a series of hoax calls to Toronto emergency services. However, the calls were made by "phone phreaking," in which calls were routed through a series of PBX-Alliance-Meridien systems in the United States. In addition to theft of communication, the youth is being charged on 24 separate counts of mischief and 10 counts of conveying false messages (false alarms to the E911 system). The spokesperson explained that under Canadian law, violations are divided into indictable offenses and summary offenses. The former are equivalent in the U.S. to felony charges, and the latter to misdemeanor charges. The spokesperson indicated that the charges in this case fall under provincial jurisdiction. The Canadian justice system is somewhat different than that of the U.S., which has federal, state, and local jurisdictions. In the U.S., computer crimes may fall under federal jurisdiction involving the Secret Service (for most telecommunications/computer crimes) or the F.B.I. (for crimes in which a federal computer is involved). Although Canada also has tri-level jurisdiction (federal, provincial--centralized authority in each province, and municipal--the equivalent of city police in the U.S.), computer crimes come under the jurisdiction of provincial or municipal police. Because the youth is a minor, the trial will be held in camera (closed session) and records will not be made public. The spokesperson said that, judging from the existing evidence, the youth was acting alone and the case was unrelated to the recent cases in New York/New Jersey. ------------------------------ Date: 20 Oct 1992 18:00:41 -0800 From: "Stuart Hauser" Subject: File 6--SRI Seeks "Phreaks" for New Study A team working with Donn Parker at the SRI is gathering information about the perceived vulnerabilities (and related topics) of the software and control systems of the public switched telephone and data networks from the perspective of the hacker community and other knowledgeable sources. It is an extension of prior research that Donn has been carrying on over the past 20 years into the vulnerabilities of end-user computer systems, also from the perspective of hackers. Like the other projects, this is a pure research study. Our objective is to gather our information through face-to-face, telephone and keyboard interviews of members of the hacker community and its observers in the next two to four weeks. We are not attempting to identify and collect information on criminal activities, but rather on what folks know or hear about the weaknesses and vulnerabilities of the PSTN/PDNs. Below is a more complete brief on our interests. Stuart Hauser *********************************************************** Information Sheet for Participants in SRI's Study of the Public Switched Telephone Network October 1992 SRI International is conducting a study of the security aspects of voice and data communications networks, referred to as "Cyberspace" by some. Specifically, we are looking at the security of the public switched telephone networks and public data networks (PSTN/PDN) from the perspective of the vulnerability of the network management and control software residing in the switching systems and the computers that manage them. This study is part of SRI's ongoing research into information and communications systems worldwide and how they are viewed by the international "hacker" community. We are seeking the views of many experts-including what we have called "good hackers" for many years-on a number of issues relating to the security and vulnerability of the PSTN/PDNs, and on the international "malicious cracker" community. We know that the security of the software that controls the PSTN/PDNs is as important to most hackers as it is to everyone else who is interested in exploring Cyberspace. Consequently, we believe that the good hackers are as interested as we are in helping us and other PSTN/PDN stakeholders understand what the really malicious crackers might see as the weaknesses and vulnerabilities of these networks, what new technologies-including the use of human engineering techniques-they might be planning to use to gain access, and what they might be planning to do next. This study is being led and conducted by Donn B. Parker, who has been conducting this type of research for SRI International and its clients for the past 20 years, and is well known throughout both the good hacker and malicious cracker communities. As in the case of the prior field research of this kind, Mr. Parker and his associates will be gathering information through face-to-face interviews of the members of the hacker community in the United States, Canada, Europe, and several other countries. SRI International is a research and consulting organization that is not owned by any business or government agency; we are not in the law enforcement or criminal investigation business. This is a pure research project to determine the vulnerability and security of the software that manages and controls the PSTN/PDNs. Our interests are very much the same as were those for earlier projects in which our interests were focused on the vulnerability and security of the now widely used computer information systems. We do not work with law enforcement agencies to collect information on any individual or group and we will not reveal the names of our information sources unless the sources ask us to do so. A summary of our findings will be sent to you on request after the study has been completed. By working together in this way, SRI and cooperating information professionals can help protect the major highways of Cyberspace for our respective uses and interests. Donn B. Parker dparker@sri.com (415) 859-2378 ------------------------------ Date: Wed, 21 Oct 92 11:03:12 -0400 From: bx981@CLEVELAND.FREENET.EDU(Larry Schilling) Subject: File 7--XIOX's Anti-Phone-Fraud Products (Press Release) XIOX'S FORT KNOX PRODUCTS COMBAT PHONE FRAUD EXPERIENCED BY U.S. BUSINESSES NEW YORK (OCT. 20) BUSINESS WIRE - Xiox' Fort Knox line of products is aimed directly at reducing the estimated $4 billion of losses to telephone service theft experienced by American businesses each year. And they are the first products that combat telephone "hacking" without requiring businesses to shut off vulnerable PBX features. According to John Hough, noted phone fraud expert and author of "Toll Fraud and Telabuse," business losses from telephone fraud, or "hacking," are estimated at $4 billion per year. Hough, chairman of Telecommunications Advisors Inc. (a Portland, Ore. consulting firm), indicates that the average loss per incident to users exceeds $90,000. Hough's firm estimates that more than 35,000 users will become victims of toll fraud in 1992. Xiox estimates that every business has a one in 18 chance of being hacked. The implications for security, however serious they may be in terms of stolen service costs, become even more formidable when the risk to a company's data is factored in. Many organizations' computer systems are accessible through the telephone lines, and their computer data is only as secure as their phone system. In addition to creating enormous business losses, hackers have forced businesses to shut off valuable and convenient features such as Direct Inward System Access (DISA), Remote System Access, home agent connections and remote diagnostics lines. All these PBX features became access paths to hackers, who re-sell the illegally-obtained services. Businesses experience further "hidden losses" because they can't use the telephone for critical purposes. "Fort Knox products are the most straightforward and economical approach I've seen to enable users to keep their telephone systems both 'open and secure,'" said Ed Freyermuth, telecom manager for PacTel/Meridien Systems. One of the Fort Knox products, Hacker Tracker, gives users the ability to track and trap hackers, opening up the possibility of apprehending them. "Hackers have proliferated over the past ten years, possibly because of their connection to the illegal drug trade," said Wanda Gamble-Braggs, manager of Systems Integrity, Western Division of MCI. "Unlike most crimes, they leave no evidence and are at little risk of being caught. The approach to security taken by the Xiox system is the first one that MCI has seen that gives the user some hope of catching the criminal instead of becoming the next victim." The Fort Knox family of anti-hacker products includes: -- Hacker Preventer, an automated, intelligent system that senses deviation from "normal" telephone usage and cuts off access to hacking attempts. It incorporates proprietary hardware- and software-based technology which attaches to the user's PBX. Price: $10,000 to $28,000, depending on the size of the system needing protection. -- Hacker Tracker is a specialized recording and reporting system incorporating proprietary software for tracking and trapping hackers. Price: $2,195. -- Hacker Deadbolt is a proprietary hardware and software system providing protection for remote maintenance and testing ports of a PBX, voice mail system and other telephone equipment on the customer's premises. It can be upgraded to become Hacker Preventer. Price: $1,295. These products may be purchased separately or together. When installed, the Xiox Fort Knox products become an intelligent agent for monitoring all telecommunications traffic in and out of a system. "At Solectron, we've analyzed the risk of being hacked," commented Dave Tichener, telecom manager for Solectron Inc. "The Fort Knox system represents a very reasonably-priced insurance policy, compared to the potential loss." All Fort Knox anti-hacker products are immediately available. CONTACT: Xiox Corp. Michael O'Connell, 415/375-8188, ext. 228 or Oak Ridge Public Relations, Cupertino, Calif. Ford Kanzler, 408/253-5042 ------------------------------ Date: Fri, 23 Oct 92 09:22:27 PDT From: Lawrence Schilling Subject: File 8--CSC "Anti-Telecom Fraud" Device Greetings. Another telecommunications security product. The technology here is way over my head, so much so that I really don't understand what this release is talking about. Nonetheless I'm tempted to ask: Is the need for security as great as these purveyors say and imply it is? Do these products solve problems or create them or both? Regards. Larry Schilling =START= XMT: 15:38 Thu Oct 22 EXP: 16:00 Sun Oct 25 CSC ANNOUNCES PRODUCT TO CUT FRAUD IN WIRELESS TELECOMMUNICATIONS INDUSTRY EL SEGUNDO, CA (OCT. 22) BUSINESS WIRE - A new software product that combats fraud in the wireless telecommunications industry was announced Thursday by Computer Sciences Corp. (NYSE:CSC). Called FraudBuster, the product was developed by Coral Systems Inc., a Longmont, Colo.-based applications software firm serving the cellular telecommunications market. CSC has exclusive marketing rights to the product and is supporting software development. According to John Sidgmore, president of CSC's telecommunications business unit, CSC Intelicom, ''Right now, about $15 million worth of cellular calls are being made in the U.S. each day -- and of that, fraud is draining about $1.5 million daily from carriers' revenues. FraudBuster is part of a series of offerings by CSC Intelicom and Coral to support wireless carriers with software that addresses needs such as billing, fraud and seamless roaming, which routes calls to a cellular user at any location. According to Coral President Eric Johnson, the teaming of CSC Intelicom and Coral gives wireless carriers access to the full breadth of technologies needed to support a nine-year-old industry that's slated to reach $100 billion by the year 2000. The industry's most compelling problem right now, said Johnson, is fraud. But a second top concern among carriers is how to keep up with fast-changing network technologies. FraudBuster, he said, was designed to address both needs. What makes FraudBuster unique, he noted, is its Unix open-systems architecture that integrates with today's cellular networks and evolving intelligent networks of the future. Proprietary and DOS-based systems, he noted, don't offer that flexibility. FraudBuster is also available now. The product is also unique in its use of artificial intelligence to track subscriber calling patterns. Using a complex set of algorithms, FraudBuster creates a behavioral profile of each subscriber, based on his or her historical usage patterns. Actual calls are then analyzed, and network operators are immediately alerted when calls that are markedly different from the norm occur. The problem with most systems on the market today, said Johnson, is their use of simple, across-the-board checks that don't take into account the unique habits of each user. What's more, checks themselves are too limited, reflecting a single variable -- such as number of calls -- rather than the complex array of factors that can accurately help carriers distinguish a real subscriber from an illegal one. By residing on a carrier's network and operating in real time, FraudBuster can quickly alert a carrier to problems. Carriers can also configure the product to fit their particular needs. For example, FraudBuster's algorithms can be easily tuned to increase its sensitivity to specific types of fraud occurring in a particular market. In addition to combating the most common types of fraud, including clone phones and tumbler phones, FraudBuster can detect new types of fraud as they develop. It can also operate in either a distributed or centralized processing environment. As part of a series of software products being offered by CSC and Coral to the wireless industry. FraudBuster can be used on a stand- alone basis or be integrated with other wireless software solutions such as Coral's Home Locations Register, which offers carriers seamless roaming and pre-call subscriber validation. With headquarters in El Segundo, Computer Sciences is the largest independent provider of information technology consulting, systems integration and outsourcing to industry and government. CSC has more than 26,500 employees worldwide and annual revenues of $2.3 billion. CONTACT: Computer Sciences Corp., El Segundo C. Bruce Plowman/Bill Lackey/Mary Rhodes, 310/615-0311. ------------------------------ Date: 21 Oct 92 20:02:13 EDT From: Gordon Meyer <72307.1502@COMPUSERVE.COM> Subject: File 9--The CU in the News (from Info Week) Information Week (Oct 5, 1992 p10) reports that AT&T is suing the New York Post for over $90,000 in unpaid long distance charges. The Post claims the charges stem from fraudulent use of its PBX system, but AT&T says that under current FCC regulations customers are responsible for all charges on calls placed from their telephones, period. There are 'rumblings' that a similar suit between AT&T and Mitsubishi is about to be settled. CONGRESS DECLARES SOFTWARE PIRACY A FELONY The Software Copyright Protection Bill (S.893) has been sent to President Bush for his signature. The bill provides for prison terms of up to five years, and fines of up to $250K, for people convicted of infringing at least 10 copies of a copyrighted program or programs with a retail value of $2,500. This applies to both individuals and corporations. (Information Week Oct. 12, 1992 pg 16) MARSHALS GRAB COUNTERFEIT SOFTWARE According to Microsoft Corp., U.S. marshals in California and New Jersey have made the largest-ever seizure of unauthorized computer software, impounding more than 150,000 counterfeit copies of its MS-DOS operating system. The software retails for approximately $60 a copy, bringing the value of the seizure to more than $9 million. (From STReport #8.41) ------------------------------ End of Computer Underground Digest #4.53 ************************************