gcm@mtgzz.UUCP (XMRP20000[khw]-g.c.mccoury) (03/18/88)
From The Star-Ledger(Newark NJ) 3/17/88

TEEN HACKER 'INVADES' NEW SECURE COMPUTER

PARIS(Reuters)- A 19-year-old West German hacker has succeeded in breaking into one of the world's top-selling computers, Digital Equipment Corp.'s VAX system, in what experts say is a new blow to confidence in computer security.

Computer specialists broke the news yesterday at a computer conference already shocked by the arrest on Sunday of West German hacker Steffen Wernery, 26, as he arrived to take part in a panel debate on system security.

Wernery is a member of the Hamburg-based Chaos Computer Club which caused a storm last year when it revealed it had penetrated more than 100 computers around the world, including the network of the U.S. space agency NASA.

French police announced later that Wernery had been charged with "theft, destruction and damaging computer goods" and had been jailed pending trial.

West German journalist and computer expert Hans Gliss, who was also held briefly by French police when he arrived in Paris on Sunday, said the unidentified 19-year-old from Munich had worked out how to enter VAX computers made by Digital.

Gliss said the Munich hacker had breached the VAX system by using material openly available from Digital, which is based in Maynard, Mass.

Digital executives were in a meeting and not available for comment, a spokeswoman said.

Rudiger Dierstein, of West Germany's national space foundation DFVLR, said the consequences of the Munich hacker's achievement were "terrifying."

"This person has given a full description of how to gain access to the system and gain full control. Imagine combining the intelligence of this hacker with a definite criminal intention," he said.

"Someone could take control of a satellite as they are all computer-controlled. That is why I tremble when I hear the initials SDI."

SDI stands for President Reagan's proposed Strategic Defense Initiative, a space-based computer-guided defense system against nuclear missile attack.

Dierstein said the 19-year-old had privately published his work in a pamphlet entitled "Hints on the Use of the VMS Operating System" but police had confiscated all the documents.

The VMS(Virtual Memory System) is the main language used in Digital's VAX computers.

Experts said other major computer manufacturers like IBM could not afford to be complacent as it was being shown their systems were equally vulnerable.

Companies targeted by Chaos Computer Club "hackers" were unaware their systems had been tampered with until the club informed West German authorities.

Experts at the Paris conference said Wernery had fixed a meeting with the French subsidiary of the Philips electronic group - one of the companies penetrated by the hackers - before leaving for France.

/*************************************
* Grover McCoury                     *
* ATT IS/Communications Laboratories *
* Middletown NJ                      *
* -> audio: (201)957-5866            *
* -> physical: (MT)4B418             *
* -> electronic: ...!ihnp4!mtgzz!gcm *
*************************************/
ward@cfa.harvard.EDU (Steve Ward) (03/20/88)
In article <3749@mtgzz.UUCP>, gcm@mtgzz.UUCP (XMRP20000[khw]-g.c.mccoury) writes:
> From The Star-Ledger(Newark NJ) 3/17/88
>
> TEEN HACKER 'INVADES' NEW SECURE COMPUTER
>
> PARIS(Reuters)- A 19-year-old West German hacker has succeeded
> in breaking into one of the world's top-selling computers,
> Digital Equipment Corp.'s VAX system, in what experts say is a
> new blow to confidence in computer security.

Does anyone know if this is a REAL security hole in VMS or just the usual

1) failure to change default password(s) on sys, maint, user, userp accounts as shipped from DEC.
or
2) autologins left activated by local sys manager.
or
3) other equivalent act of stupidity.

Often these sensational stories are due to vulnerability caused by stupidity. I have never had much trouble in "hacking" a login to a multiuser system when testing for security, usually by just trying the time-honored guess-the-password approach.

Of course, hacking to TEST for security on your own computers is quite different from the vandalism and criminalism of attacking someone else's machines, whether one is hacking through cleverness or taking advantage of the lax management of computer systems on all os's that is out there.

I know of large numbers of machines that are accessible to the world where the local users object strongly to being forced to periodically change passwords or insist on using any password, including very short passwords, last names, etc. The ability to "hack" a login is inversely proportional to the number of login accounts on the system :-)

Of course, all os's exhibit true security hole bugs from time to time. Is this one?
tli@sargas.usc.edu (Tony Li) (03/20/88)
In article <923@cfa.cfa.harvard.EDU> ward@cfa.harvard.EDU (Steve Ward) writes:
> Does anyone know if this is a REAL security hole in VMS or just the
> usual
> 1) failure to change default password(s) on sys, maint, user, userp
> accounts as shipped from DEC.
> or
> 2) autologins left activated by local sys manager.
> or
> 3) other equivalent act of stupidity.

Yes, this is the result of a real hole. Do you recall the V4.4
SECURESHR bug?
Tony Li - USC University Computing Services "Fene mele kiki bobo"
Uucp: oberon!tli -- Joe Isuzu
Bitnet: tli@uscvaxq, tli@ramoth
Internet: tli@sargas.usc.edu
klb@philabs.Philips.Com (Ken Bourque) (03/22/88)
In article <7755@oberon.USC.EDU> tli@sargas.usc.edu (Tony Li) writes:
>Yes, this is the result of a real hole. Do you recall the V4.4
>SECURESHR bug?

So, is this just somebody breaking into a system which doesn't have the SECURESHR patch, or is it a new hole?

Contemplation of the joys of wearing handcuffs should bring new meaning to the lives of malicious hackers.
--
Ken Bourque klb@philabs.philips.com ...!{uunet,ihnp4,decvax}!philabs!klb
erd@tut.cis.ohio-state.edu (Ethan R. Dicks) (03/23/88)
In article <7755@oberon.USC.EDU> tli@sargas.usc.edu (Tony Li) writes:
>Yes, this is the result of a real hole. Do you recall the V4.4
>SECURESHR bug?

I was a system manager for systems running VMS v4.2 -> v4.6. What was the SECURESHR bug? I do not ever remember anything about it (I did not have Usenet access).

Thanks,
-ethan
--
Ethan R. Dicks      | ######  This signifies that the poster is a member in
Specialized Software|   ##    good sitting of Inertia House: Bodies at rest.
2101 Iuka Ave.      |   ##
Columbus OH 43201   | ######  "You get it, you're closer."