Computer underground Digest Sun Oct 25, 1992 Volume 4 : Issue 53 Editors: Jim Thomas and G
Computer underground Digest Sun Oct 25, 1992 Volume 4 : Issue 53
Editors: Jim Thomas and Gordon Meyer (TK0JUT2@NIU.BITNET)
Archivist: Brendan Kehoe
Shadow-Archivists: Dan Carosone / Paul Southworth / Ralph Sims
Copy Editor: Etaion Shrdleaux, Sr.
CONTENTS, #4.53 (Oct 25, 1992)
File 1--Re: CuD 4.49 - Viruses--Facts and Myths (1)
File 2--Re: CuD 4.49 - Viruses--Facts and Myths (2)
File 3--Further Disclosures In 911/"Legion of Doom Case"
File 4--NY State Police Decriminalize the word "Hacker" (Newsbytes)
File 5--Update on Toronto Bust of Early October
File 6--SRI Seeks "Phreaks" for New Study
File 7--XIOX's Anti-Phone-Fraud Products (Press Release)
File 8--CSC "Anti-Telecom Fraud" Device
File 9--The CU in the News (from Info Week)
Cu-Digest is a weekly electronic journal/newsletter. Subscriptions are
available at no cost from email@example.com. The editors may be
contacted by voice (815-753-6430), fax (815-753-6302) or U.S. mail at:
Jim Thomas, Department of Sociology, NIU, DeKalb, IL 60115.
Issues of CuD can also be found in the Usenet comp.society.cu-digest
news group; on CompuServe in DL0 and DL4 of the IBMBBS SIG, DL1 of
LAWSIG, and DL0 and DL12 of TELECOM; on Genie in the PF*NPC RT
libraries; from America Online in the PC Telecom forum under
"computing newsletters;" on the PC-EXEC BBS at (414) 789-4210; in
Europe from the ComNet in Luxembourg BBS (++352) 466893; and using
anonymous FTP on the Internet from ftp.eff.org (22.214.171.124) in
/pub/cud, red.css.itd.umich.edu (126.96.36.199) in /cud, halcyon.com
(188.8.131.52) in /pub/mirror/cud, and ftp.ee.mu.oz.au (184.108.40.206)
in /pub/text/CuD. Back issues also may be obtained from the mail
server at firstname.lastname@example.org.
European distributor: ComNet in Luxembourg BBS (++352) 466893.
COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing
information among computerists and to the presentation and debate of
diverse views. CuD material may be reprinted for non-profit as long
as the source is cited. Some authors do copyright their material, and
they should be contacted for reprint permission. It is assumed that
non-personal mail to the moderators may be reprinted unless otherwise
specified. Readers are encouraged to submit reasoned articles
relating to computer culture and communication. Articles are
preferred to short responses. Please avoid quoting previous posts
unless absolutely necessary.
DISCLAIMER: The views represented herein do not necessarily represent
the views of the moderators. Digest contributors assume all
responsibility for ensuring that articles submitted do not
violate copyright protections.
Date: Fri, 23 Oct 92 01:23:48 EST
From: spaf@CS.PURDUE.EDU(Gene Spafford)
Subject: File 1--Re: Cu Digest, #4.49- Viruses--Facts and Myths (1)
In the Digest, #4.49, "Dark Adept" provided a long article on virus
facts and myths. Unfortunately, he/she got several "facts" incorrect.
I could try to make a point about the danger of correct-sounding
material being mistaken for factual simply because it is well-written,
and on the difficulty of verifying information presented from behind a
pseudonym and without citations, but will leave that for another rant. :-)
I'll try to correct a few of the more glaring errors. The interested
reader should consult one of the well-researched and documented texts
on the market for further details. I'd suggest Ferbrache's excellent
text "A Pathology of Computer Viruses" (Springer-Verlag), Hoffman's
collection "Rogue Programs" under the Van Nostrand Reinhold imprint,
and Denning's "Computers Under Attack" by Addison-Wesley. Also of
value are Hruska's "Computer Viruses and Anti-Virus Warfare" and the
badly overpriced "Computer Virus Handbook" edited by Highland.
The comp.virus newsgroup (Virus-L mailing list) has a very nice FAQ
article compiled by several knowledgeable researchers and authors in
the area of computer viruses that addresses many of these points and
provides pointers to additional information.
Now for my comments.
> A virus is a tiny program that attaches itself to other programs. It does
Viruses do not need to be tiny.
> a chance of catching a virus. Data files (files that are not programs, like
> text for your wordprocesser) cannot contain viruses.
Wrong. Data files can contain viruses in two ways. First, they may
contain viruses that are in a non-threatening format. For instance, a
text file may contain a virus encoded as hex digits. This is not a
threat, per se, but is a virus. This is the pedantic objection.
However, it is also possible for a virus to be present in a form that
causes it to be interpreted. For instance, a virus can be written in
Lotus 1-2-3 macros in a spreadsheet. The spreadsheet is not a
program, but is has elements that can be executed and act like a
virus. Likewise, a virus can be written in GNU Emacs macros that are
automatically executed when a file is read with Emacs (unless the
"inhibit-local-variables" variable is set correctly).
Viruses can be written for .bat files under DOS, and these are not
considered to be programs by everyone. However, they get executed,
and that means that a virus can be in one of them.
> The only way to activate the virus is to run the program.
Including my examples given above, this is not strictly true, either.
Some Mac viruses activate when one inserts a disk into the drive and
the desktop is read (under System 6.0.x). This does not involve
executing a program, but interpreting code present on the disk. Other
examples exist, but you get the point.
> Another thing is batch files. These are files on IBM PC's that end in ".bat".
> These DO NOT contain viruses.
However, they could. The viruses would be easy to spot and probably
not very effective, but they could be written, just as Unix shell
script viruses can be written. (For instance, see Tom Duff's paper in
"Computing Systems" of a few years ago.)
> Ok. Viruses can only be made for specific machines. By this I mean
> that a virus that infects IBM PC's will NOT be able to infect Macs.
> There may be a tiny tiny chance if your Mac is running something like
> an IBM Emulator that a virus may cause problems, but in general, if
> you have a non-IBM compatible computer, and you can't run IBM software,
> then you can't catch IBM viruses and vice-versa.
Wrong. A virus written in spreadsheet macros or Perl or some other
higher-level language will indeed work on any machine that supports an
interpreter for that high-level language. Also, we have seen cases of
viruses written for DOS machines (Intel 80x86 architecture) able to
run on DOS emulators under MacOS -- it isn't a tiny chance, but a real
> For the most part, only personal computers (i.e., IBM PC's and Macs) are
> affected by viruses. On IBM's, they are usually limited to DOS, so if
> you are running Unix on a 386 you don't really need to worry (yet).
Wrong. Boot sector infectors are generally able to spread to Unix
disks. Usually they just wipe out the Unix boot sector. This should
indeed be a worry. If the Unix disk shares the same boot record
format as MS-DOS, it's even more of a worry (luckily, this isn't
generally the case).
> If you buy the software from
> a computer store, you don't have to worry. Once in a million there might
> be some type of problem, but in general, store purchased software will
> NEVER have a virus.
Wrong. Some stores will take software back for refunds after it has
been used in machines with viruses. Thus, the store software will be
infected. Some stores even put new shrink-wrap over the packages so
you can't tell it happened.
Other stores will use the software in the store in their machines to
demo it or to make sure it works the way you think. Again, this is a
source of viruses -- many store systems are badly infected.
Finally, there are many incidents where vendors have shipped their
software to stores with the disks already infected with a virus.
Getting software from a store is NOT a guarantee that it is free from
> There are 3 main types of "anti-virus" software available:
> o Scanners
> o Detectors
> o Removers
This is not how most experts in the field classify such software.
> Each virus has what the anti-virus geeks call a "footprint".
We "geeks" usually refer to it as a signature. I know of no one
reputable who refers to these as "footprints."
[Dark Adept then goes on to explain his "detectors" and jumbles
together activity monitors and integrity checkers. I won't bother
explaining the nuances here -- consult one of the references.
However, many of his points are off the mark, especially as regards
> Nine times out of ten, a disinfector will have to
> delete *ALL* the programs that are infected. Gone. Erased. Never to come
> back. Some can get out the virus without deleting files, but this is
Not so rare -- several such programs exist and work quite well. In
the Mac world, almost all viruses can be successfully disinfected by
John Norstad's "Disinfectant". Skulason's F-Prot does a very good job
on removing most MS-DOS viruses. It is not rare at all.
[Dark Adept then recommends Central Point Software. We can't tell if
this is an informed opinion based on comparison, or if Dark Adept is
really the president of Central Point and trying to scam us because we
have no idea who or what Dark Adept really is.
In general, thorough and impartial tests conducted by places like the
Hamburg virus research group and by the Virus Bulletin have revealed
that Skulason's F-Prot and Dr. Solomon's Toolkit are far and away the
most complete and effective anti-virus tools for MS-DOS. Interested
readers can consult those mentioned and similar references for
details. Neither Skulason nor Solomon are greedy SOBs like some other
vendors in the arena (I agree with Dark Adept that there are some
notable ones out there). In fact, Skulson's product is free for
personal use at home!]
> A virus is made up of two basic parts: an infector and a destructor.
> The INFECTOR is the part of the program which hides the virus and makes
> it spread. The DESTRUCTOR is the mischief maker. This is the part
> that draws crazy pictures on your screen or erases a file on you.
Not strictly true. Many viruses cause damage because the people who
wrote them aren't as clever as they like to think they are, or because
new hardware & software configurations have come along that weren't
anticipated by the virus author. The result is that the virus causes
damage as it tries to spread by overwriting critical data or poking
into the wrong memory locations. This is one of the principle reasons
that *NO* virus is harmless -- two or three years from now, something
that appeared harmless in someone's home system may cause a massive
failure in the machines at a business or laboratory with a vastly
different set of configuration parameters.
> "The first virus was written by..."
> No one knows. However, if you were to ask me, I will say the first
> virus was written by the first person who made copy-protection.
Pure bullshit -- an apologist attempt to justify pirating and/or virus
writing. Many copy protection schemes bear no real resemblance to
viruses, and in any event they don't replicate themselves into other
Ferbrache and I both have good evidence that the first PC viruses were
written in 1981 (2 years before Cohen thought of the idea). Many
people credit Ken Thompson with the first virus because of his Turing
Award lecture on trust. Others credit early core wars experimenters.
It depends on how you formally define virus. The definition I use
sides with the ones who credit Thompson.
[Dark Adept then claims that viruses aren't a problem because in all
his limited academic experience he has seen only a few cases of
viruses. This is like claiming that elephants don't exist because he
hasn't seen one in years while living in Illinois.
Business and government sites continue to report wide-spread and
continuing outbreaks. Viruses exist and they continue to be a
significant problem. It's not the end of the world, but it is not
getting better and it is real.]
> I just hoped I made this virus thing clearer. This is not based
> on any virus "expertise" I have, just a thorough knowledge of
> computers and my experience with them (which is extensive). I am not a
> "virus expert" nor am I a virus author. But next time someone tries to
> scare you or calls themselves a "virus professional" call them an idiot.
OKay, you're an idiot.
> They don't even want to format a hard drive, just have a little
> fun programming. Once in a while one of their "projects" might get out
> of hand, but they're not there to make your life miserable. Sure I'd be
> pissed at em if Flight Simulator got infected, but no biggie. Just clean
> up and reinstall.
Fun, hell. If I set fire to your house because I wanted to have a
little fun, don't get bent out of shape -- it's your own fault for not
having sprinklers, right? Just get the insurance money and move
If the people who write viruses are so talented and bored, there are
lots of other things they could do that would be of benefit to others
around them and might be just as much fun. Committing indirect acts
of vandalism are not "fun" for the victims nor is it the fault of the
people who are conducting research or a business on the systems that
get hosed. There are people using their systems for more critical
efforts than "Flight Simulator" -- and they don't have time,
personnel, or resources to backup their systems every 10 minutes...nor
should they be forced to. Virus writing is nothing more than
vandalism and is solely the fault of the virus authors.
Date: Tue, 13 Oct 92 08:09:24 EDT
From: "David M. Chess"
Subject: File 2--Re: CuD 4.49 - Viruses--Facts and Myths (2)
This is a brief reply to the file from The Dark Adept that appeared in
CuD 4.49. As an anti-virus weenie myself, I'm speaking from a rather
different point of view, obviously. On the other hand, I don't claim
to be speaking for the anti-virus weenie community as a whole; this is
just a few personal reactions, written during a sanity break from some
Most of the factual stuff in the Adept's file is generally correct
(and amusingly phrased!). A few notes:
- It's not really just .COM and .EXE files in DOS that can carry
viruses. Those are the most common vectors, but since there
is a DOS call that will execute a file of any name at all as
a program, and some viruses infect when that call is used,
you have to look in all your files during a cleanup operation.
For instance, if you have a game program in FINOGA.COM, and all
it really does is display the game-company logo and then run
FINOGA.BNX, some of the most common file-infecting viruses will
be able to infect FINOGA.BNX, and if you don't clean it up from
there, you're still infected.
- It's possible (just barely) to write a virus for a BAT file.
But no one's figured out how to do it in a reliable or non-obvious
way, so there are no BAT viruses "in the wild", and users don't
have to worry about them. The same applies to (for instance)
worksheet files for spreadsheet programs; since they can contain
things like autostart macros, it's theoretically possible to
write a virus that infects them, but there are none in the wild.
The Adept writes that viruses are more common on personal computers
because they "need access to memory that they shouldn't have, and on
a personal computer, there is nothing to stop them from getting it."
This is a common misconception. In fact, viruses *don't* need
access to memory that they shouldn't have; all they need to be able to
do is read and write program files (the same way that your compiler,
your patch program, your file manager, and so on, do). Experimental
viruses have been written for larger non-personal computers, and they
work just fine (ask your local librarian for a list of papers by Fred
Cohen from the computer science literature for some good details of
this sort of thing). The reason we don't see viruses for larger
computers is that software for them does not flow as freely as
software for personal computers. Quick, how many people reading this
have a diskette in some pocket? OK, now how many have a 9-track tape
The Adept's confidence about the cleanliness of store-purchased
software is, I fear, somewhat unfounded. There have been numerous
reports of legitimately-purchased software accidentally shipped (or
infected at the point of sale) with a virus. As software producers
and sellers become aware of the problem and better instrumented to
prevent it, we can hope it will become increasingly rare. But more
than one system has become virus infected even though "all I ever use
is shrink-wrapped software, honest!".
> Each virus has what the anti-virus geeks call a "footprint".
Actually, we anti-virus geeks call it a "signature" or a "scan-id".
Most of the rest of the Adept's comments are quite correct. I would
observe that most infections in the real world are caused by viruses
that have been out for some time, so it's not incredibly vital to have
this week's copy of your scanner. This quarter's copy is probably a
good idea, though! Also, modern scanners tend to be good at detecting
small variants of viruses that they have signatures for, so if someone
creates a "new" virus by the usual method of munging an old one, many
scanners will still find it.
One disadvantage of modification detectors that the Adept doesn't
mention is that they are prone to false positives. That is, when you
install a new version of HyperWunga, and it changes five-godzillion
programs on your disk, the next time you run your modification
detector it will of course tell you that lots of programs have
changed. How do you know that none of them were changed by a virus
rather than WungaInstall? You probably don't.
The Adept somewhat underestimates the abilities of virus removers. In
fact, a good remover will be able to restore almost all of the objects
infected by almost all common viruses to almost their original state;
it should *never* delete a file without asking your permission first.
Note all those "almost"s, though; many viruses are very buggy, and if
*I* had an actual infection on a machine I cared about, I would
restore the infected objects from backups, even if I had a remover
that claimed to work correctly on that virus. The other choice is to
trust both the virus and the remover not to have done anything wrong.
A good remover, of course, will know which viruses are buggy, and warn
you about the files that might be corrupted.
Microcomputer viruses probably don't matter much to the Net, as the
Adept points out. We should keep in mind, though, similar things that
matter more to the Net: there was this little worm the other December,
for instance! Spreading things can impact just about any kind of
computer system, if the culture and the connectivity are right.
Adept also offers the usual "virus writers are just nice guys who like
to write interesting programs" line. May be true; I don't know any
actual virus writers. I would, however, like to ask how all that
hard-disk-trashing code got in there. Did someone sneak into the Nice
Guys' rooms at night and type it in? The people who write destructive
viruses clearly have some maladjustments that need to be cleared up
before I'd let them near any of *my* offspring. Even viruses that
aren't meant to be destructive generally wreak havoc and cause pain as
they spread. I have no quarrel with someone who writes a virus just
to play with and takes reasonable measures to make sure it never gets
to anyone who doesn't want it. But the authors of the viruses that
are currently in the wild messing up machines (accidentally or on
purpose) don't qualify.
I certainly agree that there's been quite a bit of hype in the
anti-virus field. As usual, of course, one should blame the marketing
departments rather than the coding labs! *8) The world is certainly
not about to end, and the average user should probably take about the
same level of precautions against viruses that she does against, say,
a hard disk failure. Get a couple of good backup programs, and a
couple of good anti-virus programs, and use them well! And bring up
your kids to have something more interesting to do with a computer
than write code that hurts other folks...
Date: Wed, 21 Oct 92 03:23:28 EDT
From: mcmullen@MINDVOX.PHANTOM.COM(John F. McMullen)
Subject: File 3--Further Disclosures In 911/"Legion of Doom Case"
((MODERATORS' NOTE: We periodically reprint articles from
NEWSBYTES, which we consider the best single on-line source of
information on the nets. Barbara and John McMullen, the authors of
most of the articles we reprint, are perhaps the most capable and
incisive computer journalists in the country. They consistently
provide indepth, accurate, and comprehensive stories that provide an
antidote to the generally mediocre coverage of other media. We have
no formal way to commend them for their principled and thorough
stories other than say "Thanks!"
Newsbytes is a commercial news service with bureaus from Moscow to
Sydney, Australia. It publishes a minimum of 30 stories related to
technology 5 days a week. It reaches approximately 4.5 million people
through electronic distribution including Compuserve, GEnie, America
OnLine, AppleLink, DIALOG, Newsnet, Clarinet and various foreign
It is also distributed to some individual BBS systes for a relatively
For information on pricing, contact Wendy Woods 415 550-7334))
NEW YORK, NEW YORK, U.S.A., 1992 OCT 20(NB) -- In a discussion with
Newsbytes, Sgt. Kurt Leonard of the Chesterfield County, Virginia
Police Department disclosed further information concerning the
on-going investigation of alleged 911 disruption throughout the
eastern seaboard of the United States by individuals purporting to be
members of the hacker group "The Legion of Doom" (LOD).
Leonard identified the individual arrested in Newark, New Jersey,
previously referred to only as "Maverick", as Scott Maverick, 23.
Maverick has been charged with terroristic threats, obstruction of a
government function, and illegal access to a computer. He is presently
out on bail.
Leonard said that David Pluchino, 22 was charged to the same counts as
Maverick and an additional count of the possession of burglar tools.
Leonard said that Pluchino, the subject of a 1990 Secret Service
"search and seizure" action under the still on-going "Operation
SunDevil" investigation" possessed information linking him with
members of the Legion of Doom.
The Legion of Doom connection has become the subject of controversy
within the online community. Although Maverick has been quoted as
saying that he is a member of the group and that that the group's
intent was "to attempt to penetrate the 911 computer systems and
inflect them with viruses to cause havoc", members of the group have
disavowed and connection with those arrested. "Lex Luthor", one of the
original members of the group told Newsbytes when the initial report
of the arrests became public "As far as I am concerned the LOD has
been dead for a couple of years never to be revived. Maverick was
never in LOD. There have been 2 lists of members (one in phrack and
another in the lod tj) and those lists ar the final word on
membership. We obviously cannot prevent copy-cats from saying they
are in lod. When there was an LOD, our goals were to explore and leave
systems as we found them. The goals were to expose security flaws so
they could be fixed before REAL criminals and vandals such as this
Maverick character could do damage. If this Maverick character did
indeed disrupt E911 service he should be not only be charged with
computer trespassing but also attempted murder. 911 is serious
Lex Luthor's comments, made before the names of the arrested were
released, were echoed by Chris Goggans, a/k/a "Erik Bloodaxe, and
Mark Abene, a/k/a Phiber Optik, both ex-LOD members and by Craig
Neidorf who chronicled the membership of LOD in his electronic
When the names of the arrested became public, Newsbytes again
contacted Lex Luthor to see if the names were familiar. Luthor replied
"Can't add anything, I never heard of them."
Phiber Optik, a New York resident told Newsbytes that he remembered
Pluchino as a person that ran a computer "chat" system called
"Interchat" based in New Jersey. Phiber added "They never were LOD
members and Pluchino was not known as a computer hacker. It sounds as
though they were LOD wanabees who are now, by going to jail, going to
get the attention they desire."
A law enforcement official, familiar with the SunDevil investigation
of Pluchino, agreed with Phiber, saying "there was no indication of
any connection with the Legion of Doom." The official, speaking under
the condition of anonymity, also told Newsbytes that the SunDevil
investigation of Pluchino is still proceeding and, as such, cannot be
Leonard also told Newsbytes that the investigation has been a joint
effort of New Jersey, Maryland and Virginia police departments and
said that, in conjunction with the October 9th 2:00 AM arrests of
Pluchino and Maverick, a simultaneous "search and seizure" operation
was carried out at the Hanover, Maryland home of Zohar Shif, a/k/a
"Zeke", a 23 year-old who had also been the subject of a SunDevil
search and seizure.
Leonard also said that, in addition to computers taken from Pluchino,
material was found "establishing a link to the Legion of Doom." Told
of the comments by LOD members that the group did not exist anymore,
Leonard said "While the original members may have gone on to other
things, these people say they are the LOD and some of them have direct
connection to LOD members and have LOD materials."
Asked by Newsbytes to comment on Leonard's comments, Phiber Optik said
"The material he's referring to is probably text files that have been
floating around BBS's for years, Just because someone has downloaded
the files certainly doesn't mean that they are or ever were connected
(Barbara E. McMullen & John F. McMullen/19921020)
Date: Wed, 21 Oct 92 03:23:28 EDT
From: mcmullen@MINDVOX.PHANTOM.COM(John F. McMullen)
Subject: File 4--NY State Police Decriminalize the word "Hacker" (Newsbytes)
The following appeared on Newsbytes (10/21/92). Newsbytes is
a commercial service an its material is copyrighted. This piece is
reprinted with the express permission of the authors.
ALBANY, NEW YORK, U.S.A., 1992 OCT 21(NB) -- Senior investigator Ron
Stevens of the New York State Police Computer Unit has told Newsbytes
that it will be the practice of his unit to avoid the use of the term
"hacker" in describing those alleged to have committed computer
Stevens told Newsbytes "We use the term computer criminal to describe
those who break the law using computers. While the lay person may have
come to understand the meaning of hacker as a computer criminal, the
term isn't accurate. The people in the early days of the computer
industry considered themselves hackers and they made the computer what
it is today. There are those today who consider themselves hackers and
do not commit illegal acts."
Stevens had made similar comments in a recent conversation with Albany
BBS operator Marty Winter. Winter told Newsbytes ""Hacker" is,
unfortunately an example of the media taking what used to be an
honorable term, and using it to describe an activity because they (the
media) are too damned lazy or stupid to come up with something else.
Who knows, maybe one day "computer delinquent" WILL be used, but I
sure ain't gonna hold my breath.
Stevens, together with investigator Dick Lynch and senior investigator
Donald Delaney, attended the March 1993 Computers, Freedom and Privacy
Conference (CFP-2) in Washington, DC and met such industry figures as
Glenn Tenney, congressional candidate and chairman of the WELL's
annual "Hacker Conference"; Craig Neidorf, founding editor and
publisher of Phrack; Steven Levy, author of "Hackers" and the recently
published "Artificial Life"; Bruce Sterling, author of the recently
published "The Hacker Crackdown"; Emmanuel Goldstein, editor and
publisher of 2600: The Hacker Quarterly and a number of well-known
"hackers". Stevens said "When I came home, I read as much of the
literature about the subject that I could and came to the conclusion
that a hacker is not necessarily a computer criminal."
The use of the term "hacker' to describe those alleged to have
committed computer crimes has long been an irritant to many in the
on-line community. When the the July 8th federal indictment of 5 New
York City individuals contained the definition of computer hacker as
"someone who uses a computer or a telephone to obtain unauthorized
access to other computers.", there was an outcry on such electronic
conferencing system as the WELL (Whole Earth 'Lectronic Link). Many of
the same people reacted quite favorably to the Stevens statement when
it was posted on the WELL.
(Barbara E. McMullen & John F. McMullen/19921021)
Date: Fri, 23 Oct 92 18:21:12 CDT
Subject: File 5--Update on Toronto Bust of Early October
When Toronto Metropolitan Police apprehended a 15 year old "computer
hacker" in the first week of October for disrupting the Toronto E911
system, the details about the extent of computer use was raised. From
initial reports, it appeared that the primary offense involved
repeated telephone hoaxes rather than an actual penetration of the
E911 computer system itself. Today, a spokesperson for the Toronto
Metropolitan Police, the agency in charge of the case, provided
The disruption of the system itself involved a series of hoax calls to
Toronto emergency services. However, the calls were made by "phone
phreaking," in which calls were routed through a series of
PBX-Alliance-Meridien systems in the United States. In addition to
theft of communication, the youth is being charged on 24 separate
counts of mischief and 10 counts of conveying false messages (false
alarms to the E911 system).
The spokesperson explained that under Canadian law, violations are
divided into indictable offenses and summary offenses. The former are
equivalent in the U.S. to felony charges, and the latter to
misdemeanor charges. The spokesperson indicated that the charges in
this case fall under provincial jurisdiction. The Canadian justice
system is somewhat different than that of the U.S., which has federal,
state, and local jurisdictions. In the U.S., computer crimes may fall
under federal jurisdiction involving the Secret Service (for most
telecommunications/computer crimes) or the F.B.I. (for crimes in which
a federal computer is involved). Although Canada also has tri-level
jurisdiction (federal, provincial--centralized authority in each
province, and municipal--the equivalent of city police in the U.S.),
computer crimes come under the jurisdiction of provincial or municipal
police. Because the youth is a minor, the trial will be held in camera
(closed session) and records will not be made public.
The spokesperson said that, judging from the existing evidence, the
youth was acting alone and the case was unrelated to the recent cases
in New York/New Jersey.
Date: 20 Oct 1992 18:00:41 -0800
From: "Stuart Hauser"
Subject: File 6--SRI Seeks "Phreaks" for New Study
A team working with Donn Parker at the SRI is gathering information
about the perceived vulnerabilities (and related topics) of the
software and control systems of the public switched telephone and data
networks from the perspective of the hacker community and other
knowledgeable sources. It is an extension of prior research that Donn
has been carrying on over the past 20 years into the vulnerabilities
of end-user computer systems, also from the perspective of hackers.
Like the other projects, this is a pure research study.
Our objective is to gather our information through face-to-face,
telephone and keyboard interviews of members of the hacker community
and its observers in the next two to four weeks. We are not attempting
to identify and collect information on criminal activities, but rather
on what folks know or hear about the weaknesses and vulnerabilities of
the PSTN/PDNs. Below is a more complete brief on our interests.
Information Sheet for Participants in SRI's Study of the Public
Switched Telephone Network
SRI International is conducting a study of the security aspects of
voice and data communications networks, referred to as "Cyberspace" by
some. Specifically, we are looking at the security of the public
switched telephone networks and public data networks (PSTN/PDN) from
the perspective of the vulnerability of the network management and
control software residing in the switching systems and the computers
that manage them. This study is part of SRI's ongoing research into
information and communications systems worldwide and how they are
viewed by the international "hacker" community. We are seeking the
views of many experts-including what we have called "good hackers" for
many years-on a number of issues relating to the security and
vulnerability of the PSTN/PDNs, and on the international "malicious
We know that the security of the software that controls the PSTN/PDNs
is as important to most hackers as it is to everyone else who is
interested in exploring Cyberspace. Consequently, we believe that the
good hackers are as interested as we are in helping us and other
PSTN/PDN stakeholders understand what the really malicious crackers
might see as the weaknesses and vulnerabilities of these networks,
what new technologies-including the use of human engineering
techniques-they might be planning to use to gain access, and what they
might be planning to do next.
This study is being led and conducted by Donn B. Parker, who has been
conducting this type of research for SRI International and its clients
for the past 20 years, and is well known throughout both the good
hacker and malicious cracker communities. As in the case of the prior
field research of this kind, Mr. Parker and his associates will be
gathering information through face-to-face interviews of the members
of the hacker community in the United States, Canada, Europe, and
several other countries.
SRI International is a research and consulting organization that is
not owned by any business or government agency; we are not in the law
enforcement or criminal investigation business. This is a pure
research project to determine the vulnerability and security of the
software that manages and controls the PSTN/PDNs. Our interests are
very much the same as were those for earlier projects in which our
interests were focused on the vulnerability and security of the now
widely used computer information systems. We do not work with law
enforcement agencies to collect information on any individual or group
and we will not reveal the names of our information sources unless the
sources ask us to do so. A summary of our findings will be sent to
you on request after the study has been completed.
By working together in this way, SRI and cooperating information
professionals can help protect the major highways of Cyberspace for
our respective uses and interests.
Donn B. Parker
Date: Wed, 21 Oct 92 11:03:12 -0400
From: bx981@CLEVELAND.FREENET.EDU(Larry Schilling)
Subject: File 7--XIOX's Anti-Phone-Fraud Products (Press Release)
XIOX'S FORT KNOX PRODUCTS COMBAT PHONE FRAUD
EXPERIENCED BY U.S. BUSINESSES
NEW YORK (OCT. 20) BUSINESS WIRE - Xiox' Fort Knox line of products is
aimed directly at reducing the estimated $4 billion of losses to
telephone service theft experienced by American businesses each year.
And they are the first products that combat telephone "hacking"
without requiring businesses to shut off vulnerable PBX features.
According to John Hough, noted phone fraud expert and author of "Toll
Fraud and Telabuse," business losses from telephone fraud, or
"hacking," are estimated at $4 billion per year.
Hough, chairman of Telecommunications Advisors Inc. (a Portland, Ore.
consulting firm), indicates that the average loss per incident to
users exceeds $90,000. Hough's firm estimates that more than 35,000
users will become victims of toll fraud in 1992.
Xiox estimates that every business has a one in 18 chance of being
hacked. The implications for security, however serious they may be in
terms of stolen service costs, become even more formidable when the
risk to a company's data is factored in. Many organizations' computer
systems are accessible through the telephone lines, and their computer
data is only as secure as their phone system.
In addition to creating enormous business losses, hackers have forced
businesses to shut off valuable and convenient features such as Direct
Inward System Access (DISA), Remote System Access, home agent
connections and remote diagnostics lines.
All these PBX features became access paths to hackers, who re-sell the
illegally-obtained services. Businesses experience further "hidden
losses" because they can't use the telephone for critical purposes.
"Fort Knox products are the most straightforward and economical
approach I've seen to enable users to keep their telephone systems
both 'open and secure,'" said Ed Freyermuth, telecom manager for
One of the Fort Knox products, Hacker Tracker, gives users the ability
to track and trap hackers, opening up the possibility of apprehending
"Hackers have proliferated over the past ten years, possibly because
of their connection to the illegal drug trade," said Wanda
Gamble-Braggs, manager of Systems Integrity, Western Division of MCI.
"Unlike most crimes, they leave no evidence and are at little risk of
being caught. The approach to security taken by the Xiox system is
the first one that MCI has seen that gives the user some hope of
catching the criminal instead of becoming the next victim."
The Fort Knox family of anti-hacker products includes:
-- Hacker Preventer, an automated, intelligent system that senses
deviation from "normal" telephone usage and cuts off access to
hacking attempts. It incorporates proprietary hardware- and
software-based technology which attaches to the user's PBX. Price:
$10,000 to $28,000, depending on the size of the system needing
-- Hacker Tracker is a specialized recording and reporting system
incorporating proprietary software for tracking and trapping hackers.
-- Hacker Deadbolt is a proprietary hardware and software system
providing protection for remote maintenance and testing ports of a
PBX, voice mail system and other telephone equipment on the customer's
premises. It can be upgraded to become Hacker Preventer. Price:
These products may be purchased separately or together. When
installed, the Xiox Fort Knox products become an intelligent agent for
monitoring all telecommunications traffic in and out of a system.
"At Solectron, we've analyzed the risk of being hacked," commented
Dave Tichener, telecom manager for Solectron Inc. "The Fort Knox
system represents a very reasonably-priced insurance policy, compared
to the potential loss."
All Fort Knox anti-hacker products are immediately available.
CONTACT: Xiox Corp.
Michael O'Connell, 415/375-8188, ext. 228
Oak Ridge Public Relations, Cupertino, Calif.
Ford Kanzler, 408/253-5042
Date: Fri, 23 Oct 92 09:22:27 PDT
From: Lawrence Schilling
Subject: File 8--CSC "Anti-Telecom Fraud" Device
Greetings. Another telecommunications security product. The
technology here is way over my head, so much so that I really don't
understand what this release is talking about. Nonetheless I'm
tempted to ask: Is the need for security as great as these purveyors
say and imply it is? Do these products solve problems or create them
or both? Regards. Larry Schilling
=START= XMT: 15:38 Thu Oct 22 EXP: 16:00 Sun Oct 25
CSC ANNOUNCES PRODUCT TO CUT FRAUD IN WIRELESS TELECOMMUNICATIONS INDUSTRY
EL SEGUNDO, CA (OCT. 22) BUSINESS WIRE - A new software product that
combats fraud in the wireless telecommunications industry was
announced Thursday by Computer Sciences Corp. (NYSE:CSC).
Called FraudBuster, the product was developed by Coral Systems Inc., a
Longmont, Colo.-based applications software firm serving the cellular
telecommunications market. CSC has exclusive marketing rights to the
product and is supporting software development.
According to John Sidgmore, president of CSC's telecommunications
business unit, CSC Intelicom, ''Right now, about $15 million worth of
cellular calls are being made in the U.S. each day -- and of that,
fraud is draining about $1.5 million daily from carriers' revenues.
FraudBuster is part of a series of offerings by CSC Intelicom and
Coral to support wireless carriers with software that addresses needs
such as billing, fraud and seamless roaming, which routes calls to a
cellular user at any location.
According to Coral President Eric Johnson, the teaming of CSC
Intelicom and Coral gives wireless carriers access to the full breadth
of technologies needed to support a nine-year-old industry that's
slated to reach $100 billion by the year 2000.
The industry's most compelling problem right now, said Johnson, is
fraud. But a second top concern among carriers is how to keep up with
fast-changing network technologies.
FraudBuster, he said, was designed to address both needs.
What makes FraudBuster unique, he noted, is its Unix open-systems
architecture that integrates with today's cellular networks and
evolving intelligent networks of the future. Proprietary and
DOS-based systems, he noted, don't offer that flexibility.
FraudBuster is also available now.
The product is also unique in its use of artificial intelligence to
track subscriber calling patterns. Using a complex set of algorithms,
FraudBuster creates a behavioral profile of each subscriber, based on
his or her historical usage patterns. Actual calls are then analyzed,
and network operators are immediately alerted when calls that are
markedly different from the norm occur.
The problem with most systems on the market today, said Johnson, is
their use of simple, across-the-board checks that don't take into
account the unique habits of each user. What's more, checks
themselves are too limited, reflecting a single variable -- such as
number of calls -- rather than the complex array of factors that can
accurately help carriers distinguish a real subscriber from an illegal
By residing on a carrier's network and operating in real time,
FraudBuster can quickly alert a carrier to problems. Carriers can
also configure the product to fit their particular needs. For
example, FraudBuster's algorithms can be easily tuned to increase its
sensitivity to specific types of fraud occurring in a particular
In addition to combating the most common types of fraud, including
clone phones and tumbler phones, FraudBuster can detect new types of
fraud as they develop. It can also operate in either a distributed or
centralized processing environment.
As part of a series of software products being offered by CSC and
Coral to the wireless industry. FraudBuster can be used on a stand-
alone basis or be integrated with other wireless software solutions
such as Coral's Home Locations Register, which offers carriers
seamless roaming and pre-call subscriber validation.
With headquarters in El Segundo, Computer Sciences is the largest
independent provider of information technology consulting, systems
integration and outsourcing to industry and government. CSC has more
than 26,500 employees worldwide and annual revenues of $2.3 billion.
CONTACT: Computer Sciences Corp., El Segundo
C. Bruce Plowman/Bill Lackey/Mary Rhodes, 310/615-0311.
Date: 21 Oct 92 20:02:13 EDT
From: Gordon Meyer <72307.1502@COMPUSERVE.COM>
Subject: File 9--The CU in the News (from Info Week)
Information Week (Oct 5, 1992 p10) reports that AT&T is suing the New
York Post for over $90,000 in unpaid long distance charges. The Post
claims the charges stem from fraudulent use of its PBX system, but
AT&T says that under current FCC regulations customers are responsible
for all charges on calls placed from their telephones, period. There
are 'rumblings' that a similar suit between AT&T and Mitsubishi is
about to be settled.
CONGRESS DECLARES SOFTWARE PIRACY A FELONY
The Software Copyright Protection Bill (S.893) has been sent to
President Bush for his signature. The bill provides for prison terms
of up to five years, and fines of up to $250K, for people convicted of
infringing at least 10 copies of a copyrighted program or programs
with a retail value of $2,500. This applies to both individuals and
corporations. (Information Week Oct. 12, 1992 pg 16)
MARSHALS GRAB COUNTERFEIT SOFTWARE
According to Microsoft Corp., U.S. marshals in California and New
Jersey have made the largest-ever seizure of unauthorized computer
software, impounding more than 150,000 counterfeit copies of its
MS-DOS operating system. The software retails for approximately $60 a
copy, bringing the value of the seizure to more than $9 million.
(From STReport #8.41)
End of Computer Underground Digest #4.53
E-Mail Fredric L. Rice / The Skeptic Tank