Computer Fraud & Security Bulletin, January 1990

weakest link. For even the most advanced systems today, that weakest link is its management and control.

Professor Henry J. Beker, Zergo Ltd
CASE STUDY: PASSWORD FISHING ON PUBLIC TERMINALS
Remote computer access by terminal logon is an extremely useful facility, but one which is often used without the caution it requires. A common fear is wire-tapping, both with telephone modems and dedicated lines. However good the central computer's password system is, it is useless if a hacker can simply connect another modem to the telephone line, and watch while the user types both the password and then the supposedly secure data. This can be circumvented using encryption. Depending on the amount you are prepared to spend, both in terms of the cost of the hardware and the time taken to encrypt the data, varying levels of security are available. For ultimate security there are even algorithms which current computers couldn't crack within the lifetime of the universe, using all the matter in the universe as the energy supply. The Data Encryption Standard (DES) is based on this kind of algorithm, simplified to allow the US military to crack it freely.

Another common fear is devices which detect the radiation emitted by CRTs. It is possible to build a device, for under £100, using readily available components, which can be tuned to the EMF put out by a monitor or television, and show on a monitor screen an image of whatever is being displayed. Perfect password security and line encryption is useless if an eavesdropper can simply sit and watch the secret data as the user types it in, perhaps even recording the whole session on a video recorder. It is common in military applications to use equipment which is completely encased in metal boxes to stop radiation escaping, except of course for the screen of the monitor, which is covered instead with a grid of wires. The monitor, keyboard and computer are not connected together by wires, but instead use cables made from optic fibres so that they emit negligible radiation.

Many people work hard designing such security measures, and it is open to question whether it is theoretically possible to produce a system with external access which is totally secure, but in practice this is not the important issue. Computer systems rarely fall victim to a frontal attack against their main security measures; instead it is the little errors, the forgotten details, the careless mistakes, which are the chinks in the armour.

One example of this occurred at Cambridge University, UK, in the autumn of 1986. The Computing Service there has hundreds of BBC micros around the university, used as terminals to log into the central IBM 3084 mainframe. A few weeks after arriving at the university in October 1986, a first-year student wrote a program which ran in these BBC micros and recorded passwords as they were typed in. The way it worked was very simple. It used a facility of the BBC micro's Operating System called "Event Notification". The "FISHES" program, as it was called, ran for only a fraction of a second, and all it did was a single system call, to request to be notified of any characters entering input buffers. Unsuspecting users arriving later were free to run any program they wished, including the terminal emulator PHX, but every time a character entered an input buffer, the Operating System dutifully notified FISHES, as it had been asked to.
Of the various buffers in the system, FISHES was interested in two: the serial port input buffer, and the keyboard buffer. Every time it was notified of a character received by the serial port (from the modem), it took a note of it, and when it saw that the word "Logon:" had arrived, it turned its attention to the keyboard buffer. It now monitored each character that the user typed, recording first his user-id, and then his password. Additionally, the student programmed FISHES into EPROMs to plug into the computers, so that he would not have to load it off disk every morning when the computers were first turned on. Secondly, FISHES saved its userid-password pairs in unused battery-powered RAM in the computer, so that they would not be lost when the computer was turned off. This meant that the student, who came to be known as "The Fisherman", did not have to rush back to the computers every evening to pick up the day's catch before the computers were turned off.

FISHES ran for many months before it was discovered by chance. On 6 March 1987 a diploma student was downloading software out of the computer's ROM. His automatic ROM-copying program retrieved, as well as the programs he expected, one extra one which was not described in the manuals. Examining the standard ROM header showed the title of the program to be FISHES, so the student tried the HELP command:

    *HELP

Surprisingly perhaps, the program responded, although not in an altogether straightforward manner. It said:

    FISHES
    Only a fish may know the secret of the black box's magic.

The student was worried by this so he called the Computing Service. They experimented, and discovered what to type to make the program work:

    *IAMAFISH
    You are not a fish.
    *ISWIMINTHESEA
    You are truly a fish so I will tell you my secrets:

and this last line was followed by a list of userids and passwords.

This example illustrates an important point: no computer in a public place can ever be secure. Legislation may sometimes succeed in punishing culprits, but it doesn't prevent hacking from happening in the first place, which must be our prime objective. Many people are aware of the risk of Trojan horse programs. It has often been known for people to write programs a few lines long in BASIC which print Login: and then wait for unsuspecting users to arrive. When a victim tries to log on it stores the id and password and then prints a message such as: "Service not available, please try later". For this reason, users are warned to reboot the machine before using the terminal emulator program. Surprisingly many people believe that this simple precaution will allow them to safely use a public terminal, not realizing that it is ineffective against anything more complex than the simplest of BASIC programs. A slightly more elaborate hacking technique involves replacing the terminal emulator on the hard disk (or in the workstation's ROMs) with a modified version which will record users' passwords. The remedy for this is for all users to carry disks with their own personal copy of the terminal emulator. A solution along these lines was proposed at Cambridge, using "Smart" cards - plastic cards similar in appearance to credit cards, which contain a ROM chip and electrical contacts which allow them to be plugged into a slot in the workstation.
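FISHES was found only because a ROM-copying program happened to enumerate every image in the machine and its standard header gave away a title the manuals did not list. That is a check a site can run deliberately. The script below is an added example, not code from the original article or from the Cambridge Computing Service: it parses the documented BBC Micro sideways ROM header (entry points, ROM type byte, copyright-string pointer, title) and reports any socket holding a valid ROM whose title is not on an allow-list. The sample ROM images, their copyright strings and the allow-list of expected titles are constructed for the example.

```python
"""Inventory BBC Micro sideways ROM images by their standard header.

Added example, not code from the 1990 article or from the Cambridge Computing
Service.  The sample ROM images and the allow-list of expected titles are
constructed here; the header layout itself is the documented BBC Micro format.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Header layout, offsets from the ROM base (&8000 when paged in):
#   0-2  language entry point (JMP, or three zero bytes if none)
#   3-5  service entry point (JMP)
#   6    ROM type byte: bit 7 = has service entry, bit 6 = has language entry,
#        bits 0-3 = CPU/code type (2 = 6502 machine code)
#   7    offset of the copyright string: a zero byte followed by "(C)"
#   8    binary version number
#   9..  title string, terminated by a zero byte
ROM_TYPE_OFFSET = 6
COPYRIGHT_PTR_OFFSET = 7
VERSION_OFFSET = 8
TITLE_OFFSET = 9


@dataclass
class RomHeader:
    title: str
    version: int
    copyright: str
    has_service_entry: bool
    has_language_entry: bool


def parse_rom_header(image: bytes) -> RomHeader:
    """Parse the header, or raise ValueError if the (C) marker is absent.

    The MOS uses the zero-byte-then-"(C)" marker to decide whether a socket
    holds a ROM, so an image failing this check is empty or corrupt.
    """
    if len(image) < TITLE_OFFSET + 1:
        raise ValueError("image too short to carry a ROM header")
    cr_off = image[COPYRIGHT_PTR_OFFSET]
    if image[cr_off:cr_off + 4] != b"\x00(C)":
        raise ValueError("no (C) marker at the copyright offset")
    title_end = image.index(0, TITLE_OFFSET)          # zero byte ending the title
    title = image[TITLE_OFFSET:title_end].decode("ascii", errors="replace")
    cr_end = image.index(0, cr_off + 1)               # zero byte ending "(C)..."
    copyright = image[cr_off + 4:cr_end].decode("ascii", errors="replace")
    rom_type = image[ROM_TYPE_OFFSET]
    return RomHeader(
        title=title,
        version=image[VERSION_OFFSET],
        copyright=copyright,
        has_service_entry=bool(rom_type & 0x80),
        has_language_entry=bool(rom_type & 0x40),
    )


def build_rom(title: str, copyright_text: str, version: int = 1,
              service: bool = True, language: bool = False) -> bytes:
    """Construct a minimal image with a valid header (sample data only)."""
    hdr = bytearray()
    hdr += b"\x4c\x00\x80" if language else b"\x00\x00\x00"  # JMP placeholder target
    hdr += b"\x4c\x00\x80"                                    # service entry placeholder
    hdr.append((0x80 if service else 0) | (0x40 if language else 0) | 0x02)
    hdr.append(0)            # copyright pointer, patched once the title length is known
    hdr.append(version)
    hdr += title.encode("ascii") + b"\x00"
    hdr[COPYRIGHT_PTR_OFFSET] = len(hdr) - 1                  # the zero ending the title
    hdr += b"(C)" + copyright_text.encode("ascii") + b"\x00"
    return bytes(hdr)


# Assumed allow-list: the ROMs a site expects to find in its public terminals.
EXPECTED_TITLES = frozenset({"BASIC", "DFS", "PHX"})


def audit_rom_bank(bank: Dict[int, bytes],
                   expected: frozenset = EXPECTED_TITLES
                   ) -> Tuple[List[Tuple[int, str]], List[int]]:
    """Return ([(socket, title) for ROMs not on the allow-list], [sockets with no ROM])."""
    unexpected: List[Tuple[int, str]] = []
    unreadable: List[int] = []
    for socket, image in sorted(bank.items()):
        try:
            hdr = parse_rom_header(image)
        except ValueError:
            unreadable.append(socket)
            continue
        if hdr.title not in expected:
            unexpected.append((socket, hdr.title))
    return unexpected, unreadable


# Constructed sample bank: four populated sockets and one empty one (reads as zeros).
SAMPLE_BANK: Dict[int, bytes] = {
    15: build_rom("BASIC", "1990 constructed", version=2, language=True),
    14: build_rom("DFS", "1990 constructed"),
    13: build_rom("PHX", "1990 constructed"),
    12: build_rom("FISHES", "Only a fish may know"),   # the undocumented extra ROM
    11: bytes(16),
}

if __name__ == "__main__":
    for socket, image in sorted(SAMPLE_BANK.items()):
        try:
            h = parse_rom_header(image)
            print(f"socket {socket:2d}: {h.title!r} v{h.version} (C){h.copyright}")
        except ValueError as exc:
            print(f"socket {socket:2d}: {exc}")
    bad, empty = audit_rom_bank(SAMPLE_BANK)
    print("unexpected ROMs:", bad, "empty or unreadable sockets:", empty)
```

Run against the sample bank it reports socket 12 as holding an unexpected ROM titled FISHES and socket 11 as empty. The allow-list approach only catches a ROM that is honest about its title, as FISHES was; a ROM with a forged title would need comparison of the whole image against a known-good copy, which the same enumeration loop can feed.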
It is clear however, that even this elaborate solution would not affect the FISHES program. It does not know, nor even care, what terminal emulation software is being run; it simply monitors the characters coming from the modem and the keystrokes typed by the user. The user could even sit down, turn the computer on, and write their terminal emulator in BASIC, and FISHES would be unaffected. At an even lower level, it would be possible to build a radio transmitter and place it inside the keyboard. A bug detector might find that, but it wouldn't find one which simply recorded keystrokes for a few weeks until its owner returned to collect it. No amount of software security will defend against these kinds of attack.

The lesson then, is that you can never trust any terminal, workstation or personal computer in a public place. Even a cleaner in the office in the morning could switch your computer keyboard for a bugged one, or copy a fishing program from floppy onto your hard disk. Your computer system can never be totally secure. The best you can do is to ensure that your security measures are commensurate with the level of effort that a hacker is likely to put into trying to break them. If you store sensitive information on computer, then you must take security seriously, and be aware of its limitations.

The FISHES program was the work of a naive student who made no attempt to hide it, even making it respond to HELP commands. A serious hacker with malicious intent could easily write a program which was virtually impossible to find, and totally impossible to trace. The program could even be spread automatically using a virus to carry it. Expecting to rely on legislation to catch the culprit after the event is futile. There is no protection other than caution at all times.

D. D. Harriman

BOOK REVIEW

Title: The Complete Computer Virus Handbook
Authors: David Frost and Ian Beale
ISBN: 0 273 03255 0
Publisher: Pitman Publishing, 128 Long Acre, London, WC2E 9AN, UK.
Price: £14.95 (172pp., hardback)

This is the second edition of a book which started its life about a year ago as a selection of loose leaves. The work has now become more complete and has gained the respectability of a hard bound volume. The book starts with an introduction to viruses, answering questions like "What is a virus", "How can a virus get into a system", "virus symptoms" etc. This is followed by a survey of the legal aspects of viruses and infections. A list of 20 IBM-PC viruses, 9 Macintosh viruses and 10 viruses attacking assorted operating systems is included. Each virus is described and its mutations are listed. The book then catalogues some 25 anti-virus products for IBM-PCs, as well as an assortment of Macintosh software. A glossary of terms and some other useful information is included at the end. No index is provided.

Examining the list of viruses, I was intrigued to see Flushot 4 included as a virus. It is, actually, a non-replicating Trojan horse. An oversight, I thought. Alas, a few pages later we meet Larry the Lounge Lizard. Again, a Trojan horse and not a virus - but this time the fact is acknowledged by the authors, who

© 1990 Elsevier Science Publishers Ltd