Item forwarded  by  D.WHITESIDE2 to M.LASKY2

Item    0622126                 91/05/25        12:26

From:   MITCH.WAGNER                    Mitch Wagner

To:     D.WHITESIDE2                    Donald A. Whiteside

Sub: New Uploads

BY MITCH WAGNER
    It's hardly the Cuckoo's Egg or the Internet Worm,
 but it's still an intriguing little unsolved mystery.
    Maybe you can figure out whodunit, and why. I can't.
 Here are the clues:
    On the night of Sunday, April 14, physics students at
 Purdue University engaged in that time-honored collegiate
 tradition known as ``pulling an all-nighter'' were in for
 a rude surprise.
    It came in the form of a piece of E-mail, purporting to
 come from their systems administrator, stating that
 ``because of security faults,'' users were required to
 change their passwords to ``systest001.''
    The E-mail gave helpful instructions on how users could
 change their passwords, and concluded, politely but firmly:
 ``This change should be done IMMEDIATELY. We will inform you
 when to change your password back to normal, which should
 not be longer than ten minutes.''
    The official-sounding memo was a scam, said Kevin
 Miller, Unix system manager for the Purdue University
 Physics Department. Two of his users fell for it, he said.
    Once they did, some unidentified cracker logged in using
 the systest001 password, and began to search the system for
 security holes. The cracker also set into motion a program
 that would have started another, even more ambitious
 break-in of the Purdue network, had it not been spotted by a
 suspicious user.
   That script flashed a message on the screen of every
 logged-in user, asking to please play-test a version of
 Tetris -- a popular video game -- on the local system.
   But the so-called Tetris game was actually a script that
 prompted users for their log-in passwords, and -- if the log-in
 password was given -- mailed that password to an off-campus
 mail drop.
    The systest001 and Tetris scams at Purdue University are
 examples of several similar break-ins that have been
 happening nationwide.
    Gene Spafford, an assistant professor of computer
 science at Purdue who specializes in security and computer
 ethics, called the cracking attempts ``the most amusing
 attempts at a break-in in recent memory.''
    Tetris' initial point of origin, he noted, could not be
 better calculated to create panic in the military mindset.
     ``Tetris was developed in the Soviet Union; it's one of
 the products of the Soviet software industry,'' he said.
    He said, however, that he believes the ironies are
 coincidental, because he believes the hackers are too
 unsophisticated to have thought of the ironies themselves.
    Elsewhere in the country, the systest001 memo and Tetris
 scam were apparently found independently. Purdue was the
 only site we could locate where the two scams were linked
 and running on the same machine.
    The Computer Emergency Response Team at Carnegie-Mellon
 University has put out an advisory on both scams, urging
 users to alert their systems administrators if anyone asks
 for their password, or asks them to change their password.
    The cracker doing this bit of social engineering is
 taking advantage of the fact that it's really easy to create
 UUCP mail that appears to come from just about anywhere -- a
 trick that's called ``spoofing'' by the cognoscenti. Indeed,
 it's a traditional April Fool's Day prank to flood USENET
 with all sorts of messages that appear to come from
 well-known net personalities -- including a warning against
 April Fool's Day spoofs signed by Spafford that Spafford
 himself never wrote.
     CERT technical coordinator Ed DeHart said that he
 believes that the systest001 and Tetris scams were fairly
 small.
    ``I don't think it's widespread. It's a gut-level
 feeling, talking to people and based on the number of
 reports we've had so far,'' he said.
    DeHart said he has no idea who the author of the scam
 is.
    Neither do I -- but I have one more clue.
    I sent some mail to the mail drop used in the Tetris
 scam, stating in veiled terms my desire to do an article
 ``about Turboetris'' and asking for information about ``why
 you did what you did.'' The next morning, I got a response
 that expressed interest in the offer. Whoever it was that
 sent the mail refused to give out a real name, only an alias
 he or she uses on bulletin-board systems.
    The correspondent promised to get back to me by phone if
 I agreed to his or her terms, and left a time to call. I did
 so.
    And heard nothing until last week. At that time, I
 talked to people purporting to be the Tetris hackers -- there
 were two of them -- at some length, but our conversation
 covered so much ground that it would be better to save it
 for next issue's column.
    So we'll do so.
    (Mitch Wagner is a senior editor at UNIX Today!)




BY MITCH WAGNER
    ``Beta Raider'' says he and a friend started to break
 into computer systems about a year and a half ago, when they
 were about 14.
    That was when his Dad got him a PC, an IBM AT clone with
 a 286 processor.
    ``I just started using it for homework and all that
 jazz,'' said the 16-year-old Beta Raider. ``Then my dad got
 a modem, and then I called local public-domain BBSes, and
 then I got into pirate boards, where I started talking about
 things like hacking and the concept of hacking security.''
    Last month, a scam which Beta Raider authored was the
 subject of an advisory from the Computer Emergency Response
 Team (CERT) at Carnegie-Mellon University. He sent mail to
 users urging them to try out a new version of the popular
 computer game Tetris. The game was nonexistent, and the mail
 was part of a confidence job that resulted in users having
 their login IDs and passwords mailed to a mail drop on a
 different system, for pickup by Beta Raider and his friend.
    I got in touch with Beta Raider by the simple expedient
 of sending mail to that mail drop. We chatted two or three
 times on the phone. I don't know his real name, and the only
 really significant personal details I know about him are his
 age, the fact that he lives in a suburb near Washington,
 D.C., and that he attends a public high school.
    (Actually, that's not entirely true. I do know one more
 significant thing about him: that he's not paranoid enough.
 He let drop a couple of other things that could be used to
 track him down really easily, things which I'm withholding in
 the interest of protecting sources.)
    Beta Raider, like most of his brethren in the computer
 underground, says that when he breaks into a system, he's
 not in it for personal gain. Breaking in is an end in
 itself, a means of learning about computers, and a means of
 gaining entree into other systems.
    ``It's a puzzle. I like to crack security,'' he said.
    He likes to work from accounts that have no files in
 them except for system login files. That's an indication
 that he won't be disturbed at his work; that the legitimate
 owner of that account has been away for a while.
    From that base, he looks around the system.
    ``Usually I'm looking either for technical notes,
 source code, or more access,'' he said. Occasionally, if he
 finds an interesting piece of unpublished software
 documentation or tips, he'll post it to the bulletin
 boards -- but nothing, he said, that the company wouldn't want
 out anyway.
   He's also looking for .netrc files, which tell him how
 to log onto other systems remotely. ``If the system that
 I'm currently on is large enough, usually one person would
 have access to any other system,'' he said.
    Beta Raider is aware that there are currently stiff
 penalties against computer crimes, but he says he doesn't
 worry, because he's careful and because what he does is not
 that serious.
    ``I've talked to most of the major hacks across the
 country, but what they've done, you can really take notice
 of it,'' he said.
    Beta Raider says he doesn't know what he wants to do
 when he grows up.
   ``My Mom wants me to become a lawyer, my Dad wants me to
 do bioengineering or something or other,'' he said. ``I
 want to do something with computers.''
   For what it's worth, I left the interviews finding it
 difficult to imagine Beta Raider as the villains some
 computer security advocates would have us believe populate
 the computer underground. I also couldn't picture him as a
 heroic desperado of the electronic frontier, which is the
 picture that hip publications like MONDO 2000, Rolling
 Stone or The Village Voice like to paint.
    He just seems to be a bright, friendly kid -- a good kid
 fundamentally. And he's out there doing what a lot of
 bright, friendly good kids have always done: getting into
 mischief.
   (Mitch Wagner is a senior editor at UNIX Today!)







