Training in computer fraud?


Volume 5 Number 11, September 1983. ISSN 0142-0496

COMPUTER FRAUD & SECURITY BULLETIN

Editor: MICHAEL COMER, Director, Network Security Management Ltd, London. Associate Editor: FRED LAFFERTY, Director of Corporate Security, Cargill, Minneapolis.

Editorial Advisors: Jay J. BloomBecker, Director, National Data Center for Computer Crime, Los Angeles; Robert P. Campbell, CDP, President, Advanced Information Management Inc, Virginia; Andrew Chambers, Senior Lecturer in Audit and Management Control, City University Business School, London; Dr. Jerry Fitzgerald, Jerry Fitzgerald & Associates, California; Fred M. Greguras, Attorney, Fenwick, Stone, Davis & West, California; Peter Hamilton, Managing Director, Zeus Security Consultants, London; Harris; Peter J. Heims, Fellow of the Institute of Professional Investigators; Horwitz, Lawyer and Banker, Ned Equity Insurance Co. Ltd, Johannesburg; Alistair Kelman, Barrister and Legal Expert in Microelectronics and Computing, London; Jules B. Kroll, President, Kroll Associates, New York; Luker; James Martin; Adrian R. D. Norman, Security Author and Lecturer, Consultant, Arthur D. Little Ltd, London; Donn B. Parker, Senior Management Systems Consultant, Stanford Research Institute, California; Alec Rabarts, Fellow of the Institute of Chartered Accountants, Abbey National Building Society, London; Martin Samociuk, Consultant, Network Security Management Ltd, London; J. Walsh, President, Harris and Walsh Management Consultants; Graeme Ward, Head of Audit, Northern Telecom Ltd, Montreal; Philip Weights, Philip Weights & Associates, Surrey, U.K.

Special Technical Advisors: James Khosla, Overseas Systems Security Officer for Chemical Bank, New York.

CONTENTS

Training in computer fraud? 1
A co-operative approach to software protection 10
Security in teleprocessing 11
Computers in law enforcement 11
Book review: The EFT Act 13

TRAINING IN COMPUTER FRAUD?

The explosion in popularity of computer video games, coupled with the proliferation of microcomputers in schools and colleges, has led many youngsters to believe that computers are symbols of fun. The "terminal junkie" or "headbasher" can be seen in any amusement arcade, where rows of computer-based equipment are continually used for imaginary war games with Martians, space invaders, munching monsters and King Kong-like apes who throw barrels down ladders at unsuspecting members of the public. Excitement can be heightened when the video junkie gains access to commercial or academic computers. Brought up in an environment of fun expectation and freaking, many youngsters find it difficult to change their attitudes when other people's machines are concerned. Few computer freaks consider it unlawful, illegal or unethical to penetrate and use commercial computer systems for their own interest or pleasure. In the past the COMPUTER FRAUD & SECURITY Bulletin has reported on many of these cases including:

* University of California
* University of Toronto
* London Polytechnic Colleges
* London Time Sharing Bureau

© 1983 Elsevier Science Publishers b.v. Amsterdam. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior written permission of the publisher.

This is not to say that students are totally to blame for the present position. There are grounds for believing that many lecturers encourage security violations, supposedly in the interest of programmes of learning. A lecturer at a London polytechnic college is alleged to have told students that their results were held on the college's central database and that they had all failed their final examinations. He added that if they "could somehow access the file" and improve their grades they would be welcome to do so. He reckoned that any student clever enough to achieve this deserved his degree. All of the students passed.

Long-term attitudes

Although much of what has happened in the past is light-hearted and causes minimal, if any, damage, long-term problems of attitude are created which manifest themselves when youngsters conditioned to an environment of stimulus expectancy join the world of business. Suddenly they may find that their favourite drug is not enough. More powerful satisfaction may be looked for, irrespective of the ethics involved. Business and college computers become the prime targets. In the past, the skills of senior managers have usually been broader and more extensive than those of new recruits. This is no longer true, especially in computing, where "peaks of expertise" have become a fact of life. Quite often new recruits, fresh from university, have very high skills in limited fields. This imposes severe control problems for managers with lower but broader skills. This article describes a typical case of computer abuse, committed by a skilled young programmer whose knowledge of the system concerned was apparently greater than that of the people supposed to be controlling him. The case poses questions for both academic and business communities:

Responsibilities of academia

- Should university and polytechnic lecturers be more responsive to the needs of security?
- Should students be encouraged as part of their courses to crack security?
- Should students be conditioned towards the needs of an ethical business environment?
- Should employers place new and untested employees in positions of trust?
- Should employers set down policies prohibiting all personal use of their computer systems?

And, finally, just where should manufacturers aim in the development of secure operating systems and software? This case occurred in 1982 at Stirling University in Scotland, where a young student called Tommy Payne caused severe problems for the faculty and his colleagues by continually breaching security. Even worse, he boasted about his success.


Extensive access

The University ran the VMS Version 3 operating system on a Digital Equipment VAX 11/780. The installation was nominally under the control of a computer department, although the academic staff and their pupils were allowed extensive access and had their own terminals, files and programs.

Security on the system

Much thought has been put into the security of the VMS operating system and, providing users follow the guidelines set out by the manufacturer, Digital Equipment Corporation, there are few loopholes that even skilled personnel can exploit. However, as in this case, basic security precautions can be overlooked. When a VAX 11/780 is first installed and the system generated, access is limited to the systems manager, the field service account and the systems integrity test account. These highly privileged users are able to grant equivalent or lower privileges to other people through a module in the operating system called AUTHORIZE. Clearly any user who gains access to the AUTHORIZE programme has almost full command of the system, simply because he or she can set his or her own privileges at the highest level. It was decided that there would be two classes of users on the system at Stirling University:

- Ordinary users - such as students and academic staff, who had restricted privileges. Ordinary users were not allowed access to AUTHORIZE.
- Super users - such as members of the computer department, the three original privileged accounts and some members of the academic staff.

User Identifiable Code

Under VMS, access to resources is based on a User Identifiable Code (UIC), which is set up through the AUTHORIZE program and consists of two groups of hexadecimal numbers. The first group represents the personal identification of the user and the second the account number. At Stirling, super users all had the common account number 007. The UIC is checked at each log-on against a symbol table (in file SYSUAF.DAT) which is also set up under the AUTHORIZE program. The table contains details of permitted operations for each account and the users' passwords. With the number of users requiring access to Stirling's computer, it was decided that a simpler and more flexible method of setting basic privileges was required than was possible through AUTHORIZE. The Computer Department wrote a special programme, called AUTHOR.COM, to allow senior staff members (who might not themselves have full access to AUTHORIZE) to add, delete or alter the privilege levels of students. Access to AUTHOR.COM was by way of a high-level password available only to appropriate staff members, and AUTHOR.COM itself was granted privileges through AUTHORIZE. AUTHOR.COM effectively made a dynamic call to AUTHORIZE, which in turn accessed and amended the symbol table in file SYSUAF.DAT.

Volume 5 Number 11

CCElsevier

International

13ulletins.

AUTHOR.COM listing

A listing of AUTHOR.COM is shown below:

    100 $ set def sys$system
    200 $ run authorize
    300 add 'p1/password='p2/device=dba1:/direct=['p1]
    400 /owner='p3/priv=(nogroup,noprmmbx,notmpmbx,nogrpnam,noprmceb)
    500 /account='p4/uic=['p5,'p6]/wsquota=150
    600 exit
    700 $ create/directory/owner=['p5,'p6] dba1:['p1]
    800 $ create dba1:['p1]login.com
    900 $ set protection=(world:e,sys:rwed,gr:e)
   1000 $

A feature of VMS is that passwords are stored in SYSUAF.DAT in encrypted form and it is not possible for low-privileged users to read or browse them. In some cases super users failed to use the encryption facility and their passwords were available in clear text. This meant that once any user discovered a super user's password he could then read the encrypted passwords and would be able to penetrate even the most sensitive parts of the system.

Three disks

The system at Stirling consisted of three main disks:

- DBA0 - used by operators and super users
- DBA1 - used by students and staff
- DBA2 - used for student records, accounting and sensitive materials such as examination details

The file SYSUAF.DAT, containing all of the passwords and privilege levels, was stored on disk DBA2, which was not normally accessible by students and junior staff.

Background of Tommy Payne

Tommy Payne was a third-year student, enrolled to take a degree in computer sciences. He was considered by some of his colleagues to be immature, awkward and difficult, but fairly talented. He had a history of being resentful of authority and was regarded as a person liable to "buck the system" given the opportunity. He appeared to resent his limited privileges and believed that if he was skilful enough to extend them for himself or others, he was entitled to do so.

Weaknesses exploited

Payne's method of operation

Payne exploited basic weaknesses. He obtained a list of privileged users' passwords, which were held in clear text, accessed the system and then extended privileged status to himself. This enabled him to set default options on other users' directories. He then found out how to create new privileges for any user and he gave himself the right to use a powerful utility called By-Pass, which even senior personnel in the Department did not fully understand. By-Pass allows users to log on without any check on their UIC.

Payne discovered By-Pass by a hit-and-miss method when he was creating accounts for a new privileged user. The system simply asked the question, "Do you want any privileges?" Rather than specify exactly what was wanted, he simply replied "all". The system responded with the normal list of privileges plus the special By-Pass routine. Payne then removed all of the other privileges and left himself with By-Pass plus a temporary mailbox required to run programmes. At this point in time, Payne effectively had privileges equivalent to those of the System Manager.

The programmes developed by the University were such that any use of the system was logged to a remote printer which was kept securely under the control of senior staff. Thus supervisors could keep track of all resources used without relying on the more volatile and easily alterable logging disk. Payne modified the programme so that when it came across his user name, it by-passed the "write to printer" command. His usage was thereby unrecorded on both printer and disk.

Password taken away

Despite this caution, the staff had deep suspicions about Payne's misuse, and his user name and password were taken away from him. Being one jump ahead of his masters, Payne had predicted this action and had already opened up a number of privileged user accounts, so the punishment was soon overcome. He thus continued to make extensive use of facilities without being charged for them. In fact any charges which might have been logged were set against the names of unsuspecting staff members. His continued access to the accounts directory eventually resulted in Disk DBA2 being dismounted between the hours of 5.00 pm and 8.00 am. However, as Payne subsequently pointed out, he could still have accessed the disk during the working day. Payne has subsequently claimed that, had he wished to do so, he could have wiped clean this and any back-up disks that the computer department tried to mount. Payne's skills did not stop at this point. The management sciences department used a programme called NEWPEAS to assess course work for second-year students. It was designed to allow students to log into files and list their results. Students, obviously, were prevented from editing or writing to the file.

Out of command mode

Some students discovered that when logging onto the system there was a slight pause while the UIC was checked. They found that if the break or control C key was pressed quickly and often enough during this check, the system jumped out of the command mode and gave unrestricted access to the programme, irrespective of the UIC account concerned. By then listing the programme, the user could see the master password and the master file number. From this point it was a simple matter to write or to edit the assignment results and to award better grade marks than those actually obtained.
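The break-key escape is a fail-open authorisation check: an interrupt arriving while the UIC is being verified lands the user in the program's unrestricted mode instead of ending the session. The following is an added example written for this page, not code from the bulletin or from the NEWPEAS program. It models that defect in miniature and sets it beside the fail-closed form: the weak version starts in the program's native full mode and only switches to the restricted menu after a clean check, while the hardened version grants nothing until the check has finished and terminates the session on any interrupt or error along the way. The UIC values are invented and the interrupt is simulated, so it runs offline.

```python
"""Fail-closed versus fail-open handling of an interrupted authorisation check.

Added example, not code from the bulletin or the NEWPEAS program. The UICs are
constructed and the BREAK/Ctrl-C keypress is simulated by raising
KeyboardInterrupt inside the check, so the script runs offline.
"""

# Constructed: UICs of students permitted to list their results.
ALLOWED_UICS = {(40, 12), (40, 13)}


class SessionEnded(Exception):
    """Raised when the program terminates the session instead of continuing."""


def uic_check(uic, interrupt_during_check=False):
    """Simulated UIC lookup. The flag stands in for a break arriving during
    the pause the students noticed while the check was still running."""
    if interrupt_during_check:
        raise KeyboardInterrupt
    return uic in ALLOWED_UICS


def restricted_session_weak(uic, interrupt=False):
    """Fail-open pattern. The program's native mode is FULL; the wrapper only
    drops to RESTRICTED once the check has returned True, and it treats a
    break as a harmless user interrupt. A break during the check therefore
    leaves the user in FULL mode without ever having been denied."""
    mode = "FULL"
    try:
        if uic_check(uic, interrupt):
            mode = "RESTRICTED"
        else:
            raise SessionEnded("access denied")
    except KeyboardInterrupt:
        pass  # "recover" from the break and carry on: the defect
    return mode


def restricted_session_hardened(uic, interrupt=False):
    """Fail-closed pattern. Nothing is granted before the check completes, and
    any exception raised on the authorisation path, interrupts included,
    terminates the session rather than being recovered from."""
    try:
        authorised = uic_check(uic, interrupt)
    except BaseException as exc:
        raise SessionEnded("session terminated during authorisation") from exc
    if not authorised:
        raise SessionEnded("access denied")
    return "RESTRICTED"


def attempt(session, uic, interrupt=False):
    """Run one session attempt and report the mode reached, or DENIED."""
    try:
        return session(uic, interrupt)
    except SessionEnded:
        return "DENIED"


if __name__ == "__main__":
    for name, session in (("weak", restricted_session_weak),
                          ("hardened", restricted_session_hardened)):
        print(name, "authorised student:", attempt(session, (40, 12)))
        print(name, "other user:", attempt(session, (7, 99)))
        print(name, "other user, break during check:",
              attempt(session, (7, 99), True))
```

The example does not model the other half of the failure, the master password sitting in the program text where a listing exposed it; the fix there is to keep such credentials out of anything the user can list, not to rely on the command-mode wrapper.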

The computer department attempted to stop misuse of the break key by fitting small plastic disks on all keyboards. However, this caused serious operational problems and made it difficult for genuine users to recover from infinite loops and other programme bugs. With the break key blocked off it was often necessary to phone the operator to disconnect the terminal and kill the job. Payne was one of the first to discover this easy penetration method, and his programme went accidentally into an infinite loop. He was taken before the head of the computer department and told in no uncertain terms that he was there to work as a programmer and not to break computer systems. Payne's reaction to this was to state that in his opinion the whole point about a Computer Science Degree Course was to learn everything one can about computers. This incident, and Payne's challenging reaction to it, alerted the systems personnel, who began monitoring his work more closely. They also examined his files to see what they contained.

Proof is difficult

It did not deter Payne from carrying on his activities and he was caught misusing the system again. Normally, printers were dismounted at 5.00 pm. On one occasion Payne needed a listing of a particular file; he accessed the system and managed to put the printer back on line. A fellow student saw him doing this and reported how useful this was to staff members, also, unfortunately, mentioning his name. Payne was asked to explain and he replied that someone must have forgotten to turn the printers off. Although this explanation was viewed with considerable scepticism, no-one could prove exactly what Payne had done. He began to take a low profile, but still managed to access the confidential files belonging to the computer sciences department. In spite of the numerous attempts to catch Payne, and his many narrow escapes, positive evidence was not forthcoming for a long time. Finally he was reminded of the University's Code of Conduct, which was issued to each student before starting on the Computer Sciences Course. The document included conditions that students could not use facilities for any purpose other than their set assignments, and that they were liable for payment of any computer time used for private ventures.

Explanation

Payne submitted a written explanation to the University; it is reproduced in full below:

"This is the formal declaration of peace between myself and those who do not approve. The following text is a full description of the method employed to obtain certain "UNOBTAINABLE" files which are kept out of the reach of 'mere' undergraduates on the VAX VMS 11/780. First of all I would like to point out that had this information been available to me in the first place, then I would have not needed to go to the great lengths to which I have had to go to obtain the files. These files were not in any way of a dangerous nature as far as the Computer Systems Security was concerned. But the point is that the method that I had to use to obtain these files did provide the opportunity to alter, or even delete any files stored on the two main storage disks DBA1 and DBA0. Also, had I wished to log onto the VAX during the hours of 9.00 am to 5.00 pm then during certain days of the week, I could have had access to the main accounting and records disk, DBA2. This only goes to confirm my major, and hopefully your major concern about file security on the VAX. That is, sensitive material is stored on the main University computer facility, where file security is anything but watertight. A possible solution to this is to store the accounting records on another machine, well out of any unauthorised user's reach. It would appear that any major flaws in Systems Security are not inherent in the system design, but have their origin in the local implementation. Another of the main reasons that I felt it necessary to penetrate the security of the system was not an inane sense of destruction, but rather, a feeling of frustration at the seemingly pointless restrictions put upon myself and other students. For example, the stopping of the printers in rooms 4B89 and 4B91 after 5.00 pm and at weekends. This causes great difficulties in the process of program development at these times.

Obvious passwords

Initial access to the status of superuser was through the use of a legal superuser username password. Again, I would like to labour the point here: it is that superusers should be a bit more subtle when choosing their passwords, and not choose their Christian names - for instance that of TONY chosen by Tony Day for TERMINAL. Also, is it wise to keep a copy of the undergraduate and staff usernames and passwords in a non-encrypted form on file on the VAX? After all, some of the staff do store material in their directories which I am sure they would not like undergraduates to obtain, i.e. Mr W B Boland, computing science department, who has a file with the unobvious name EXAM, which by pure chance contains the draft copy of the Autumn semester exam for the course 3131. Another case of undesirable material possibly falling into the wrong hands is the file they use for their course assessment, which is either Peas.for or Newspeas.for. The latter has an encrypted segment of the program which prevents one from reading the Master file number - which is 1000 - or the master password - which is MASTER. If one cares to log on using the Master password, one can see and indeed alter the methods of assessment for this assignment. I would be particularly grateful if you could pass this snippet of information to Mrs Margaret B Giles who will doubtless be concerned.

Super user

I feel I should tell you how I obtained the status of superuser for myself, although I am sure that the computer unit already know this, having had to disable all of my attempts at unrestricted access to the VAX. With particular reference to a set of systems files under the general title of SYSUAF; it seems unprofessional/unsecure to allow absolutely anyone with the minimum of privileges to alter any of these files through the running of the systems program AUTHORIZE.EXE. Once one has access to this file the sky is the limit.

A solution to this is to further restrict the undergraduate symbol table as far as the system documentation Help files are concerned. Obviously if a student does not know that the commands to SET DEFAULT on someone else's directory exist, then he cannot use them even if he inadvertently gains the privileges to do so. However, as computer science students are at university to learn how to manipulate computers, then this seems to be a retrogressive rather than a progressive step. The second solution which I offer you then, is to set up some file passwords on programs such as Authorize.exe, which is accessed via Paul Roberts' AUTHOR.COM command file, or by SETTING DEFAULT on the DBA0 disk directory (sysexe) where one will find the file. If run, this file will permit a user to wipe out any user's directory or privileges, or alternatively to create new users on demand. It therefore seems reasonable that this file should only be accessed by two people, Mr Tony Hewitt - the computer systems director - and Mr Paul Roberts - the Senior systems programmer. I am sure that they could arrange a suitably encrypted password between them, which the system asked for each time Authorize.exe was run. This should be input before the prompt of UAF/ is displayed and further processing occurs.

Internal password

To return to the disk DBA2. To stop undesirable users accessing the sensitive material on this disk, why not issue an internal password to the users of this disk, the main ones being CASAD, MASAD, ROSCU and NETMGR? Again, this would involve a prompt on the screen whenever a user attempted access on disk DBA2. If the wrong password is given, then they do not get access to the disk, and the sensitive material is protected. I would like to point out that armed only with the privilege BYPASS I was able to access and manipulate any file on the system. It seems strange that the Computer Unit Personnel do not use, nor seem to prevent others using, this extremely powerful facility.

is limitless

To summarise, I would like to point out that I did not crack the system using an undergraduate username, although, given time, the possibility is certainly there. It was done using a superuser's password which should never have been such a guessable one as his Christian name. However, having obtained this password, there was practically no limit to the amount of damage that might have been done! This I find unsettling. The solutions which I have offered are by no means difficult to implement, and are certainly more robust than the methods currently employed. I think that they should be heeded. I do hope that this document has not been too destructive, and that some of the constructive points that I have made will be acknowledged by their implementation in the near future. After all, the system's security should strive to be as close as possible to the ideal of 'total security'."

When members of the editorial team contacted Payne, he was pleased to talk and wrote the following letter:

28th April 1983

Dear......

This report concerns the second time I broke down the security system on the VAX at Stirling University. That is why there is no mention of finding a list of passwords in a waste paper bin; that was the first time that I broke into the system. The Computer Unit took no lessons from their errors the first time the system was breached. They even still kept a full list of usernames and passwords on file in un-encrypted form after they knew I had several copies of this. Also enclosed is the program Author.Com which is the program I modified to allow me to create superusers as I needed them, without a note of their existence being recorded.

    100 $ SET DEF DBA0:[SYSEXE]          or   100 $ SET DEF SYS$SYSTEM
    200 $ @SYSUAF                        or   200 $ RUN AUTHORIZE
    300 ADD p.1.username/PASSWORD=p.1.TEST/DEVICE=DBA0:/DIRECT=[USERNAME]
    400 /OWNER=T PAYNE/PRIV=(PRMMBX,BYPASS)
    500 /UIC=[p.5.007,p.6.007]/WSQUOTA=150
    600 EXIT
    700 $ CREATE/DIRECTORY/OWNER=[p.5.007,p.6.007] DBA0:[USERNAME]
    900 $ SET PROTECTION=(WORLD:E,SYS:CR,O:RWED)
   1000 $

Amendments

To remove all traces of a new user you altered line 500, which gave the accounting code used to monitor the time you spend on the system. Also one had to remove line 800, which created a record of your directory in the disk root directory called SYSROOT or DBA1:[000000]. Another amendment needed was in line 300; dba1 was the student's disk device name. To gain privileges it had to be dba2 or DBA0. Also in line 400 it had to be priv = (prmmbx, bypass). References are made in my report to a program called Newspeas.For. This program was used as course work assessment by the Management Science Department for second year students. To operate the program the student was placed in a restricted command environment whereby all he could do was 'run' the program and list his results. However, if the user pressed the 'control C' or 'break' keys when he had immediately finished entering his password - instead of pressing the 'Return' key - then he jumped out of this restricted command mode and had full access to the program. By running the program he could then see the Master Password and the Master file number, which could enable him to gain access to the computerised grading system for this exercise and award himself any grade he wanted. All of this would be undetectable by the staff of his department. Also, on file in a member of the Computing Sciences Department's files was a draft copy of the first year students' exam paper. Again no encrypting was used.

Yours sincerely, Tommy Payne.


Management attitudes

Staff v lecturers

The problems caused by Payne were made worse by the division of responsibilities between the administration and the Faculty which was responsible for teaching students. There was a certain amount of animosity between the two departments and they would seldom help each other. If a student wanted to learn more about the operating system, the lecturers found it very difficult to obtain assistance from staff in the computer department. On the other hand, when the computer department realised what was going on they turned to the academic staff in the hope of support. But one lecturer, apparently, went so far as to state that if he wanted to encourage students to break security he was perfectly entitled to do so. It has also been suggested that one of Payne's main activities was to supply lecturers with information which the computer department was not willing to supply. Even after the event, some of the academic staff still consider Payne's activities to be of minor importance.

Conclusions and recommendations

The fact that privileged users had passwords that were obvious allowed the initial, disastrous, penetration of security. All privileged users should be extremely security conscious. As a minimum:

- Passwords MUST NOT be obvious
- Passwords should be changed frequently
- Passwords should be at least seven characters long
- No one should keep password records on paper or in clear text on files

The naming of files and access to them should be controlled by their owners. Although VMS allows users to set protection on individual files, this can be overcome by utilities such as BYPASS or SETPRV. Access to these powerful utilities should be closely controlled. At Stirling University the problems of security were overcome by using a separate machine for the work of the computer department, and students are now physically unable to access this system. Defences may not be quite so simple for commercial users.
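The controls the article arrives at, and the AUTHOR.COM mechanics described earlier, are the kind a periodic account audit can enforce mechanically: reconcile every holder of BYPASS-class privileges and every member of the super-user UIC group against an approved roster, flag accounts with no accounting code (the field Payne's edited AUTHOR.COM dropped so that usage could not be charged to him), flag stale passwords, and apply the seven-character, not-obvious rule when a new password is set. The following is an added example written for this page, not code from the bulletin or from Stirling's computer department; the record layout it parses is a constructed, simplified stand-in for a few of the fields SYSUAF.DAT holds, the 90-day age limit is an assumed concrete value for "changed frequently", and all usernames and dates are invented.

```python
"""Privileged-account reconciliation and password-rule check.

Added example, not code from the bulletin. The record layout parsed below is a
constructed stand-in for a few of the fields SYSUAF.DAT holds (username, UIC,
accounting code, privilege list, date of last password change); it is not the
real on-disk format, and every name and date is invented.
"""
from datetime import date

# Privileges whose holders can ignore or rewrite file protection, or grant
# themselves more rights. BYPASS and SETPRV are named in the article; the
# others are standard VMS privilege names added here as an assumption.
DANGEROUS_PRIVS = {"BYPASS", "SETPRV", "SYSPRV", "CMKRNL", "READALL"}

SUPER_GROUP = 7              # the site's shared super-user UIC group ("007")
MIN_PASSWORD_LEN = 7         # the bulletin's stated minimum
MAX_PASSWORD_AGE_DAYS = 90   # assumed figure for "changed frequently"
AUDIT_DATE = date(1983, 4, 28)

# Constructed dump: username, UIC [group,member], accounting code ("-" if
# blank), privilege list, date the password was last changed.
SAMPLE_UAF = """\
SYSTEM    [1,4]    SYSMGR   SETPRV,SYSPRV,BYPASS   1983-03-01
OPER1     [7,1]    CU       SETPRV,SYSPRV          1983-04-10
OPER2     [7,2]    CU       SETPRV,SYSPRV          1982-09-15
STUD023   [7,23]   STUDENT  TMPMBX                 1983-02-20
GHOST1    [7,40]   -        PRMMBX,BYPASS          1983-04-02
STUD112   [40,12]  STUDENT  TMPMBX,NETMBX          1983-03-22
"""

# Constructed roster of accounts that are permitted to hold privilege.
APPROVED_SUPER_USERS = {"SYSTEM", "OPER1", "OPER2"}


def parse_uaf(text):
    """Turn the whitespace-separated dump into a list of account records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, uic, acct, privs, changed = line.split()
        group, member = (int(x) for x in uic.strip("[]").split(","))
        records.append({
            "user": user,
            "group": group,
            "member": member,
            "account": None if acct == "-" else acct,
            "privs": set(privs.split(",")),
            "pw_changed": date.fromisoformat(changed),
        })
    return records


def audit(records, approved, today):
    """Return (username, reason) pairs for every control that fails.

    Each rule answers one weakness in the article: unrostered holders of
    BYPASS-class privileges, unrostered members of the super-user group,
    accounts with no accounting code, and passwords left unchanged too long.
    """
    findings = []
    for r in records:
        risky = r["privs"] & DANGEROUS_PRIVS
        if risky and r["user"] not in approved:
            findings.append((r["user"],
                             "holds %s but is not an approved privileged user"
                             % ",".join(sorted(risky))))
        if r["group"] == SUPER_GROUP and r["user"] not in approved:
            findings.append((r["user"], "in super-user UIC group but not on roster"))
        if r["account"] is None:
            findings.append((r["user"], "no accounting code: usage cannot be charged or traced"))
        age = (today - r["pw_changed"]).days
        if age > MAX_PASSWORD_AGE_DAYS:
            findings.append((r["user"], f"password unchanged for {age} days"))
    return findings


def run_sample_audit():
    """Audit the constructed dump against the constructed roster."""
    return audit(parse_uaf(SAMPLE_UAF), APPROVED_SUPER_USERS, AUDIT_DATE)


def check_new_password(username, first_name, candidate):
    """Apply the bulletin's minimum rules to a proposed password: at least
    seven characters and not built from the username or Christian name."""
    cand = candidate.upper()
    if len(cand) < MIN_PASSWORD_LEN:
        return False, f"shorter than {MIN_PASSWORD_LEN} characters"
    for obvious in (username.upper(), first_name.upper()):
        if obvious and obvious in cand:
            return False, "derived from the username or Christian name"
    return True, "ok"


if __name__ == "__main__":
    for user, reason in run_sample_audit():
        print(f"{user:<10} {reason}")
    print(check_new_password("JBLOGGS", "Joe", "JOE"))
```

Run against the constructed dump, the audit flags the stale OPER2 password, the student account sitting in the super-user group, and the orphan GHOST1 account on all three counts; the roster comparison is what makes the last of these visible, since an account that was never supposed to exist cannot be caught by looking at its privileges alone.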

A CO-OPERATIVE APPROACH TO SOFTWARE PROTECTION

Software piracy has, over the past few years, become a highly lucrative activity. Mainly confined - until recently - to the home computing (games) market, there are increasing signs that, with the expanding use of business micros, illegal copying of software will move 'upmarket' and the impact on the professional software industry will become more serious. The Bulletin has highlighted the current inadequacies of copyright and trademark protection law (in many countries) in tackling this problem. Some two years ago the British Computer Society established a specialist group to look into the technology of software protection as an alternative, and as an aid, to the legal system. Following on from this initiative, the National Physical Laboratory (NPL) and the British Technology Group (BTG) have now called together leading UK software producers, computer companies
