
CGA SOFTWARE PRODUCTS GROUP ON COMPUTER CRIME

INTERNAL COMPUTER CRIME PROVES GREATER THREAT THAN 'HACKERS'

NEW YORK, July 17 /PRNewswire/ -- For every outsider who accesses Pentagon telephone numbers or makes fraudulent credit card purchases, like the seven New Jersey teenagers arrested recently, it is estimated that far greater numbers of disgruntled or dishonest employees damage their employers' computer systems internally every day.

"Teenage 'hackers' are just the tip of the computer crime iceberg," says Carol Molloy, a computer security specialist with CGA Software Products Group, Holmdel, N.J. "These computer crimes get the spotlight because the perpetrators get caught and the victims are willing to prosecute."

More insidious data fraud and malicious damage occurs inside corporations than any hacker ever committed, Molloy continues. "Employees have far greater access to sensitive information, and many times are so well acquainted with procedures and security features that they leave no trail at all," she adds. "Unhappy employees can leave a programming 'time bomb' in a computer that causes trouble long after they are fired or leave for another job."

Carelessness, rather than malice, often causes even more problems, according to Molloy. "Many computer security systems are based on passwords, and people can be very lax about protecting them."

Employee computer crimes, however, receive far less attention than outside break-ins, Molloy says, because victimized organizations are unwilling to publicize the matter through arrest and prosecution. "Revealing damage from internal sources doesn't do much for a company's image," she says.

"Customers, corporations feel, will start to wonder about just how secure relevant information may be and may decide to go elsewhere. Also, insurance premiums often go up after a theft is revealed."

The question facing data processing and information managers is not whether a security system should be installed, but how to go about it, says Molloy. "Many organizations believe that security is solely the concern of the managers," she says. "They don't realize that implementing security requires extensive internal support."

Security systems also demand ongoing maintenance, she says. "Just installing the system doesn't mean data is secure from then on," she points out.

UPI Domestic News Wire Wednesday July 17, 1985

More may be charged in ``hacker ring,'' prosecutor says

NEW BRUNSWICK, N.J. (UPI) -- More people may be charged with using home computers to make free long-distance calls and reportedly try to break into Pentagon computers, a prosecutor said Wednesday.

Meanwhile, the executive director of the state chapter of the American Civil Liberties Union charged the Middlesex County Prosecutor's Office with ``trampling on the rights of one of the seven youths charged in the scheme Tuesday.

The youths used their computers and electronic ``bulletin boards'' to exchange information on computer codes, including some that would cause communications satellites to ``change position and possibly interrupt intercontinental communications, Middlesex County Prosecutor Alan Rockoff said.

``Though it may sound like a copycat of (the movie) `WarGames,' things like this are happening in our society,'' Rockoff said, accusing the youths of obtaining thousands and ``possibly millions of dollars in telephone and informational services.

A spokesman for American Telephone & Telegraph Co. said there was no indication that any of its satellites had been moved, or that even an attempt to move them was made.

Assistant Prosecutor Frank Graves said investigators still had ``six more computers and 9 million floppy discs to look through.

``We had 300 names in one computer and we charged seven,'' Graves said. ``We have no idea what's in the other computers and won't know for a while.''

The youths, whose names were withheld because of their ages, are charged with juvenile delinquency by reason of conspiracy to commit theft.

South Plainfield police detective George Green said four of the defendants operated electronic bulletin boards, which are used for the exchange of legitimate information by hundreds of people. The youths also had a special code that provided illegal access to restricted information, Green said, and only those who used these parts of the bulletin boards were arrested.

Rockoff said the investigation began in April when postal officials informed the South Plainfield police that someone using a post office box under a fictitious name apparently had been using a computer to gain illegal access to the computer of a Connecticut credit company.

Rockoff turned over the results of the investigation to the Secret Service since the bulletin boards contained telephone numbers in a military defense communications system in the Defense Department, The New York Times reported Wednesday.

Plainfield patrolman Michael Grennier, a computer expert, said the youths also were able to break into an American Telephone & Telegraph computer after obtaining a manual from an AT&T trash bin.

The investigation led to a South Plainfield youth, whose computer was seized in June. After Grennier and Green spent about 100 hours looking through his computer, the other six were arrested Friday -- in Hillsdale, Westwood, Warren Township, Martinsville, Dover and Edison.

But Jeffrey Fogel of the ACLU office in Newark said the Dover youth, whom he declined to identify, was unfairly singled out.

``He has an electronic bulletin board and arresting him and seizing his computer amounts to seizing a printing press,'' Fogel said. ``It would be like if someone put a stolen credit card number in a newspaper classified. Would you close down the newspaper?''

NEW HACKER CASE RAISES FEARS: Computer hackers "have the capability of doing a great deal of damage," says Rep. William J. Hughes, D-N.J., commenting on the case of 7 N.J. youths charged with breaking into Pentagon computers and stealing satellite codes. Hughes is sponsoring federal computer crime bills to help fight the problem. (USA TODAY, July 18, P.1A)

KAYPRO WINS PC COMPARISON: The Kaypro IIx personal computer is the best machine for home use costing less than $1,500, says Consumer Reports. It beat the Apple IIe Professional and the discontinued TRS-80 Model 4P. Kaypro was picked for its disk capacity (800 kilobytes) and the large amount of software that comes with it. (Consumer Reports, August, P.467)

COMPUTER CALLS ABSENT STUDENTS: Kettering, Ohio, school officials are using a Texas Instruments computer to call the homes of absent students as part of the state's Missing Children Act. System makes 75 calls an hour. Computer voice tells parents their child is absent and asks for a response, which is recorded like an answering machine. (USA TODAY, P.5B)

From PR NEWSWIRE Thursday July 18, 1985

DOWTY ELECTRONICS SAFEGUARDS U.K. DEFENSE SECRETS

UK "SHOULD BE SAFE" FROM DATABASE BURGLARS

NEWBURY, England, July 18 /PRNewswire/ – British Ministry of Defence secrets need never be at risk from home computer "hackers" – microchip technology's equivalent of cat burglars – an electronics expert claimed today.

Following disclosures of teenage hackers breaking into military information banks at the Pentagon – the U.S. Defense Department headquarters – Bruce Brain, general manager and director of Dowty Electronics' Information Technology Division, said: "It need never happen here."

The U.K. faced similar problems to America, said Brain. "But the introduction of Dowty's 'Horatius' dialback data security system – an anti-hacker box – means that no-one would be able to break into sensitive or confidential databases, even with the knowledge of ex-directory phone numbers.

"Horatius allows only authorized users to access a computer system, and they must also call from a pre-cleared phone number within an agreed time-frame," he explained.

Horatius – designed and manufactured in the U.K. – is selling well, says Dowty, which is currently negotiating to introduce the system to the U.S.A. through its New Jersey-based subsidiary, Dowty RFL Inc.

PAPER FINDS 2 HACKER BOARDS: 2 electronic bulletin boards have been found to contain access codes for computers at military, research facilities. The boards, "Fatland" and "Dark Side of the Moon," - both based in Virginia - held access numbers for the Naval Ship R&D Center, NASA's Ames Research Center. No arrests reported. (Online Today)

NEW JERSEY HACKER CASE MAY BE A TEST OF SYSOPS' FREE SPEECH PROTECTION

The attorney for one of seven New Jersey teenagers charged with conspiring to use their computers to exchange stolen credit card numbers and make free long-distance calls says he will argue that his client is protected by the constitutional guarantee of free speech.

Jeffrey E. Fogel, executive director of the New Jersey chapter of the American Civil Liberties Union, told BULLETIN BOARD SYSTEMS that he and an associate will defend a teenager who operated the Private Sector BBS.

"We are relying on his representation that all he did was run a bulletin board, that he didn't make calls or use stolen credit card numbers," Fogel said. If that is true, he added, "I don't think there is any liability."

The defendants, all under 18, were charged July 16 with juvenile delinquency based on an underlying charge of conspiracy to commit theft. Police confiscated the computers and software of some of the defendants.

Middlesex County Prosecutor Alan A. Rockoff told reporters that the individuals exchanged information that would allow them to access commercial computers without authorization and that some of them had codes that could cause communications satellites to change position.

However, spokesmen for AT&T and other carriers said their systems are secure and denied that any satellites had been moved.

Rockoff said the investigation began in April when postal officials informed police that someone using a post office box under a fictitious name apparently had been using a computer to gain illegal access to the computer of a Connecticut credit company.

Fogel said he believes that the prosecution will have to show that his client actually used the credit card numbers or telephone access codes to prove his case. Allowing the information to be posted on his client's bulletin board, he said, is not a criminal act.

"There's nothing illegal about those messages being there," he said. "Let's say you find an AT&T calling card on the street and you put an ad (listing the number) in the New York Times. I'm confident that the New York Times is not liable.

"Bulletin boards are the same as a free press," Fogel said. "They are like electronic magazines in which the users can publish what they choose."

Fogel drew an analogy to two well-known free press cases: the publication of plans for a hydrogen bomb in Progressive magazine and publication of the Pentagon Papers by the Times.

"What really gets me upset in this case is they seized the 'printing press.' I don't think they had the right to seize his computer," Fogel said.

The concept of First Amendment protection for bulletin board operators has yet to be tested in court. Last year Los Angeles sysop Tom Tcimpidis was charged with telephone fraud when Pacific Bell investigators found a calling card number posted on his BBS. But the charges were dropped in February before the case came to trial.

Rockoff said his case is the first major prosecution under recent New Jersey law that makes it a crime to obtain data from a computer without authorization.

COMPUTER LAWS VARY FOR STATES: Computer break-ins catch states with varying laws. Example: Tapping into computer is felony in California, but no N.Y. law rules "hacker" abuse, except federal statutes on interstate information theft. UCLA student who tapped N.Y. college system faces prison for "malicious computer entry" under Calif. law. (Gannett News Service)

L.A. Times, Tuesday, September 3, 1985
San Diego Section (Editorials)

----------------------------------------------------------------------

``Garbage In, Garbage Out''

Many people have worried for years about what will happen when government finds a big computer that can catalogue everything about everybody, every scrap of information - true or false - would then be available at a push of a button. That day is not here yet, but experience with the FBI's National Crime Information Center, the nation's centralized computer data-base, indicates that such fears for the future are not groundless.

A continuing series of FBI audits of the data base has found that it sends 12,000 false or inaccurate reports on individual suspects every day to law-enforcement agencies around the country. It's not really the FBI's fault. The erroneous information that the computer spews out was put in by state and local law enforcers in the first place. There appears to be not much quality control in crime information, and, as one of the oldest lines in computerdom asserts, ``Garbage in, garbage out.''

But the information in that computer is more than accounting data or the marketing forecasts of strategic planners. This is vital personal information that affects people's lives. There have been cases, and not just a few of them, in which the wrong person has been arrested and jailed because of bad information from a computer. Police officers are more likely to take the word of the FBI's computer than of a person who claims it's all a mistake.

About 62,000 criminal-justice agencies throughout the country seek information from the FBI's crime computer nearly 500,000 times a day. The FBI says that a 2.4% error ratio isn't so bad when you consider that the system results in the apprehension of more than 70,000 wanted felons a year. Tell that to people that have erroneous information about them sent to the local cops.

And the police are not the only ones who get this information. A growing number of employers, such as day-care centers and schools, also use the FBI crime computer to run background checks on prospective employees. There is a legitimate social need to do that, but, if the information is wrong, a person's livelihood, career, and reputation may be irreparably damaged.

As with many ills, it is easier to describe the problem than to fix it. But it's clear that the accuracy of the information maintained by the FBI needs more scrutiny.

Rep. Charles E. Schumer (D-N.Y.) has proposed giving the states more money to beef up their record-keeping. That would help. But no amount of effort and attention can ever eliminate all errors from a human system. People have always made mistakes, and always will make mistakes. The trouble is that the computer makes it possible to give those mistakes nationwide distribution.

Still, things can be improved, and it is vital to the FBI and to all law enforcement that they be improved. The future of the National Information Center depends on reducing the error rate so that both the police and the public are confident that information obtained from the computer is correct.


Dutifully typed by Henry Spire, C.I.A.


            LAWYERS' MICRO USERS GROUP NEWSLETTER
                       September, 1985

COMPUTER SECURITY – DIGITAL PATHWAY'S SECURENET FAMILY OF PRODUCTS

Computer security is on everyone's mind these days. Recently, hackers had at it on several BBS's in the Chicago area. And we read almost daily about Hacker attacks on governmental and/or financial institution computers. Digital Pathways Inc. at 1060 East Meadow Circle, Palo Alto, California 94303 (415) 493-5544, through its Defender II family of products provides a unified approach to preventing unauthorized dial-in access to computers. One of these units is installed between your computer and the telephone line. There is a dial-in/call back feature, so when someone dials up your computer, this device calls the proper telephone number of the caller back. A synthesized voice answers each call-in and requests the caller's ID. The ID is entered via Touch Tone. If the ID is valid, the system looks up the parameters of the user and arranges for a call-back. Prices start at $3,600 at quantity one. Although not inexpensive for a small BBS operation, obviously a law firm using a computer for client contact and/or for lawyers to call in from remote locations should seriously consider this kind of investment.

THE HACKERS - FROM CURIOUS TO CRIMINAL

The original computer hackers who broke into databases and networks were careful to leave no traces of their entry and not to disturb the data. This soon changed as less sophisticated and more malicious computer hackers came on the scene.

The malicious Hacker horror stories have filled newspapers and magazines for over a year. Often the less responsible computer "Hackers" prowl the electronic alleyways at night, when many firms leave their computer systems on and attached to phone lines to transmit large blocks of data when the phone rates are cheaper. With nobody in the office, penetration of data bases which lack proper security is often only a matter of time and patience.

Some Hackers have been amazed to discover that firms which have installed password protection schemes to prevent unauthorized access have failed to change the original password which came with the system - "PASSWORD." What can happen if your system is easy to penetrate? While not all Hackers are data thieves or vandals, some few malicious modem miscreants have been known to penetrate a computer system and not only steal but also scramble the data.

Imagine switching on your terminal one morning only to discover 300 pages of text had been transformed into a series of seemingly random numbers?

As is often the case, the best sense of Hacking and Hacker morality comes from the literature of that subculture itself. Here are excerpts from three articles in a recent issue (Number 91!) of the original newsletter for Hackers and "Phone Phreaks" called, appropriately "TAP: The Hobbyist's Newsletter for the Communications Revolution."

                          Dunn and Bradstreet:
                  Do they know something that we don't
                        by BIOC Agent 003 & Tuc

In issue #90, we explained how to use the Dunn and Bradstreet system (which is now known as Dunsprint). A week after the issue was mailed a phellow phreak found out that a copy of the issue had fallen into the hands of our "friends" at D & B. To say the least, they weren't exactly thrilled about it. In fact, they did not even believe that they had a security problem! Well, that just goes to prove that if you are good (or they are incredibly stupid, whichever the case may be) no one will know that you are there!

In a big effort to defeat hackers, they called in an outside service to spruce up their "security." Fortunately for us, we were able to find out about the new system! This was really not a problem, though. First, they had the new dial-ups posted when you logged on. Secondly, they have a nice little place on Telenet! (Where we do most of our "work"–[deleted])

                Sorry D & B ....Good news travels fast!

              A lesson in Phreaking and Hacking Morality:
                             by Big Brother

I find it truly discouraging when people, intelligent people seeking intellectual challenges, must revert to becoming common criminals. The fine arts of hacking and boxing have all but died out. Though you newcomers, you who have appeared on the scene in the last year or two, may not realize it, we had it much better. People didn't recognize our potential for destruction and damage because we never flaunted it, nor did we exercise it.

For hacking, it was the intellectual challenge which drove us to do it. The thrill of bypassing breaking through someone's computer security was tremendous. It wasn't a case of getting a password from a friend, logging on, and destroying an entire database. We broke in for the challenge of getting in and snooping around WITHOUT detection. We loved the potential for destruction that we gave ourselves but never used.

Today, after so much publicity, the fun has turned to true criminality. Publicity we have received is abhorring. From WarGames to the headlined October Raids, to the 414's, the Inner Circle, Fargo 4A, and the recent NASA breakins–not to mention all the local incidents that never made the big newspapers, like breakins at school computers or newspaper computers. TRW credit information services claims hackers used the three stolen accounts to aid them in abusing stolen credit cards. The thrill of entering and looking around has shifted to criminal practicality–how can I make my bank account fatter–how may I use this stolen credit card to its fullest–how could I take revenge upon my enemies.

                 by Cheshire Catalyst, Managing Editor

The corporate types should realize that if a teenaged hacker is getting into their system, an industrial spy could have logged in regularly for the past 3 years. While I may not particularly care for a TRW or [Citibank] having "Confidential information" about me, I especially don't like the idea of unauthorized people spreading the data around.

There are no quick answers, because computer security is not just a matter of hardware, software, locks, and walls. Security is a people problem. When you put in locks, you watch the people you give the keys to (notice an analogy to encryption here). If these people FEEL they're being watched, they may get "disgruntled". Needless to say, a disgruntled employee is worse than almost anything else you could be combating.

Any of our corporate subscribers who would like to wake up their management to the vulnerabilities of computer systems should be made aware that I am available for lectures and consulting. Just drop me a line at the TAP maildrop, or via MCI Mail (username: TAP), or telex number 650-119-5732.

SUGGESTED PRACTICES TO FOLLOW FOR COMPUTER SECURITY

In light of the importance of a password, the following practices should be followed by every user of a multiuser computer system.

1. DON'T USE A LOGICAL PASSWORD THAT IS EASY TO FIGURE OUT. Someone intent on impersonating you will try the easy password guesses first. For example, I would never use a password consisting of any part of my name or a close family member's name, my address, my auto license, etc. This information is too easy to obtain and if an imposter has targeted you as his "doorway" to the system, he or she can probably get this information. Use a password that is either a combination of letters and numbers that are only meaningful to you (for example, your phone number converted to the first letter assigned to each number on the telephone. Please do not use this method now that it has been published).

2. CHANGE YOUR PASSWORD OFTEN. If your password remains the same for a long period of time, the odds that a persistent imposter will hit upon it are greatly decreased. Again, don't get lazy and change your password to one that violates the first consideration.

3. NEVER GIVE YOUR PASSWORD TO ANOTHER USER OR ENTER IT INTO A SYSTEM IF YOU ARE UNCERTAIN AS TO THE REASON FOR THE REQUEST. Otherwise, you may have given someone else the irrevocable authority to act on your behalf. Furthermore, because of the nature of computer systems, you cannot prove that your "agent" was not you. You are initially responsible for everything that that person does while acting as you. There are several methods used by imposters or hackers to acquire a valid user's password directly from the user. One method is to use a system's communications mode to send a message to another user. This method causes some form of message to appear on the user's screen indicating that something technically meaningless has occurred and the user should reenter the password. The hacker then watches what the user types. Another method involves setting up a program which follows the same technique as above, but the program then stores the password in a file and the hacker will check for a password later. A recently used method is to set up a system to collect passwords. This recently happened in the Chicago area when a bulletin board was set up by hackers. It gave the appearance of legitimacy, but was later used by the hackers to access other systems because their users had the same password on several systems. Which leads to the last rule of password usage.

4. NEVER USE THE SAME PASSWORD ON DIFFERENT COMPUTERS. Using the key analogy above, if all of the locks on your personal possessions have the same key, you wouldn't entrust that key to anyone. Why use the same password on several systems? If you do, you run the risk that someone will get your password and then use that information to access all of the systems you access. You will soon be unwelcome on several systems (if not a suspect in a computer crime case).

VIRGINIA LAW HELPS SYSOP GET REVENGE

A Virginia sysop used a new state computer crime law to help prosecute a teenage hacker who invaded and vandalized his bulletin board.

Allen Knapp runs Washington Networks from his home in Vienna, VA, and charges $10 for a system password. Last January, Knapp's board got a call from a 14-year-old Montgomery County, MD, youth who used the handle Phineas Phreak.

According to Knapp, Phineas discovered Knapp's own password and obtained access to the system files and operating program. The caller erased part of the board's stored files and transferred others to his own computer. The youth then called Knapp's answering machine and made several demands for the return of the files.

However, the answering machine tape allowed the Chesapeake & Potomac Telephone Co. to trace the call.

The boy was charged with a misdemeanor under a section of Virginia's computer crime law that is designed to discourage erasing or altering computer data. He was allowed to plead "not innocent" and was sentenced last month to one year probation and ordered to pay Knapp $300 for the damages.

Knapp estimated that the files the boy erased or stole represented about 180 hours of work.

MENSA BBS SEEKS SMART CALLERS

Most sysops check out applicants by verifying their names and telephone numbers. But on the MENSA BBS in Palm Beach, FL, callers face a much tougher screening.

All registered users must be members of Mensa, Intertel or the Triple Nine Society to receive full system access.

Mensa is an international society in which the sole requirement for membership is a score at or above the 98th percentile on any of a number of standard IQ tests. Qualification for membership may be determined by tests administered by Mensa or by submission of properly certified prior evidence to American Mensa, Ltd., 1701 West 3rd Street, Brooklyn, NY 11223.

INTERTEL, Inc., PO BOX 15580, Lakewood, Co., 80215, is a similar organization that requires members to score in the 99 percentile or above on IQ tests. The Triple Nine Society, 463 Beacon St., Boston, MA, 02115, sets its standards even higher: the 99.9 percentile.

"Please do not harass us if you do not qualify for access," say Molly and "Pops," the board's sysops.

The system does invite amateur radio operators to also call in (use your call sign to log in) and anyone who sends $100 to Connelly Corporation, Box 1164, Palm Beach FL 33480 also can join.

Members are invited to swap software and generally get to know each other through the public message section.

The board also serves as a convenient advertising medium for Pops' classic cars. Among the bargains listed are a 1959 Corvette Roadster for $19,500; a 1962 Corvette Coupe, for $14,500 or a 1963 Corvette convertible.

The BBS, a modified RBBS-PC, is open 24 hours at 300, 1200 or 2400 baud. The number is 305-842-1861. You also can catch Molly on The Source, ST7783.

/data/webs/external/dokuwiki/data/pages/archive/news/hcknews.hac.txt · Last modified: 1999/08/01 17:08 by 127.0.0.1
