To: M.ROSENBERG (MICHAELR)
Cc: C.HAPANGAMA (OTC264)
From: A.LOWTHER (OTC157)
Delivered: Mon 8-Aug-88 9:32 AEST Sys 6007 (52)
Subject: VMS HACKING
Mail Id: IPM-6007-880808-085830292

Dick Weaver sent me this some time ago. It indicates that we really do need to be on our mettle as far as VMS security is concerned. Dean Gingell is a bit inclined to accept that VMS security is so good that it is impenetrable!!

Tony.

From: R.WEAVER (OTC248)
Delivered: Fri 11-Mar-88 16:38 AEST Sys 6008
Subject: VMS Passwords: Hackers' Attacks ? ?
Mail Id: IPM-6008-880311-149750909

From: ecs140w020@deneb.ucdavis.edu
Subject: VMS password hacker
===================
Date: 6 Mar 88 12:06:58 GMT
Sender: uucp@ucdavis.ucdavis.edu
Lines: 18

Bunkersoft of Mountain View has a VMS password hacker available for $30 (source code) from

Bunkersoft
PO Box 4436
Mountain View CA 94040-4436

The method used is a brute force attack. However, because of the nature of the VMS password file, SYSPRV or CMKRNL is required for a short window of time before running. I ran this program on my installation at work; it found 35% of all passwords.

*** *** *** ***

Since HPWD is a proprietary DEC code, a batch file is given to extract this information from LOGINOUT.EXE. I believe this program is aimed at security managers etc.

ecs140w020@deneb.ucdavis.edu
ucdavis!deneb!ecs140w020

... ... ... ... ... ... ... ... ...

Well how about that then! Will we need to worry about security like Minerva worries? Think we need a copy of this "hacking tool"?

Richard Weaver Ext 5134
(Manager, New Services Development)
11 March 88

To: MICHAELR (6007:MICHAELR)
To: STEVEB (6007:STEVEB)
From: M.ROSENBERG (MICHAELR)
Delivered: Fri 19-Aug-88 10:09 Sys 6008 (36)
Subject: Hello!
Mail Id: IPM-6008-880819-09086021
Importance: Normal

To: MICHAELR
From: A.TAYLOR (6007:TUD001)
Subject: Hello!
Posted: Thu 18-August-88 19:15 AEST
Delivered: Thu 18-August-88 19:12 AEST (27 lines)

Hi this is The Phoenix (with The Force...)
Umm...
sorry - missed you by 2 mins... Hmm... Why not give us this account? The real user never logs on... Just cancel his billing - set up 3 or so other accounts in the series TUD (Now I know that's possible!) Take away netlink if you wish.... we only want it as a means of communication between our members and yourself. The advantages of this are twofold...
1) You can keep an eye on us...
2) You get us off your back....
what do you say? Anyhow - ever considered taking up hacking? Seeya L8er...

(-: Phoenix :-)

Catch Ya Later

----====} THE FORCE {====----

P.S - Don't delete this account yet (please) - wait till we see the reply. I guarantee that we will not use netlink (apart from the one short call to Alto already made...)

To: BTG082 (10080:BTG082)
Cc: S.BERLECKY (STEVEB)
Bc: M.ROSENBERG (MICHAELR)
From: M.ROSENBERG (MICHAELR)
Delivered: Fri 19-Aug-88 12:09 AEST Sys 6007 (12)
Subject: News of hackers
Mail Id: IPM-6007-880819-109360302

Paul,

Hi! Michael Rosenberg here. Those 2 numbers that you gave us have been identified and are being researched at the moment to see if they themselves were hacked. One of them is a tie line, which is great because we should know from where the call was made, except that the address in the database doesn't match the company that is there, the phone number doesn't make sense and I can't even get a number for the company under which it is registered. I have sent this info to Telecom Aust. and will get back to you when they get back to me.

You will hear from me soon,
Thanks,
Michael Rosenberg.

To: MICHAELR (6007:MICHAELR)
From: P.SWAAB (BTG082)
Delivered: Fri 19-Aug-88 19:23 Sys 10080 (15)
Subject: Reply to: News of hackers
Mail Id: IPM-10080-880819-174580001

Michael.

Thanks for the information you sent. The situation here is that he tried once again to access the box, but was unable to as we have devalidated that box.
Dialcom (US) have located the addresses he has accessed us from via Telenet, and Telenet and Telecom Australia are going to try and trace these routes and close them down. Telenet are keeping a close eye out for overactive work on those addresses.

Again many thanks for the information. I will contact you if I hear any more. Hope to hear from you soon.

To: MICHAELR (6007:MICHAELR)
To: STEVEB (6007:STEVEB)
To: S.BERLECKY (6008:STEVEB)
To: M.HULBERT (MARK)
Cc: D.MCDONELL (DM)
Cc: J.BRIGHT (JACK)
From: R.BARNACK (BERTA)
Delivered: Thu 25-Aug-88 21:27 Sys 198 (78)
Subject: GREETINGS FROM AUS
Mail Id: IPM-198-880825-193140001

Michael and Steve,

Vicky Lundberg has requested that I forward the message sent from an ID in Australia to some of the 'upper management' of Telecom Gold/BT. Does the content of this message indicate the same hacker that Michael has been dealing with, or is it a new one? Any information would be appreciated.

Thanks,
Berta

From: V.LUNDBERG (BTG072)
Delivered: Thu 25-Aug-88 4:58 EDT Sys 10080
Forward: R.BARNACK (BERTA)
Subject: GREETINGS FROM AUS
Mail Id: IPM-10080-880825-044750001

Berta,

This is Vicky from Dialcom UK systems admin.... I am a little worried about the content of this item (it seems dubious) because of what was happening from Australia last week; I feel it may be connected. Please could you investigate this user with Steve in Aussie land, and get back to me as to whether it should be looked into further. This was sent to at least 2 BTG ids within a few minutes of each other, exactly the same text. Mine, you see, is entitled Dear Steve, so the guy obviously either has the id confused, or is just trying it on. The other has been directed to the correct 'name' of the mailid though!

Your comments would be appreciated?

Thanks,
Vicky.
From: CAE007
Delivered: Wed 24-Aug-88 1:16 BST Sys 6007
To: V.LUNDBERG (BTG072)
Subject: GREETINGS FROM AUS
Mail Id: IPM-6007-880824-011490001

Dear Brian,

An 'electronic friend' of mine in the UK kindly forwarded to me a list of UK e-mail users like yourself, but who are involved primarily within the hierarchy of Telecom Gold itself. I am writing this brief note to you primarily to seek your help. Having successfully 'broken through' into the UK e-mail network, I am now trying to spread my wings a little and seek contact with other countries. I particularly wish to make contact with the USA and, in Europe, with Greece [if Greece, indeed, has such a system] as well as other participating countries in the international e-mail network. If you or one of your colleagues has any relevant information, contact IDs or other helpful advice, I would be most grateful.

As for me, my name is PAUL HELLANDER 6007:CAE007 and I am a lecturer in Modern Greek at the South Australian College of Advanced Education. Like a small, but dedicated bunch of like-minded computer users, I am very interested in electronic telecommunications and in computers in general. I actually teach multilingual word processing and page processing [DTP] to my language students at the College and have my own setup at home: a Macintosh SE, modem, printer etc.

If you are not able to help me immediately, please forward my message to somebody who may be able to suggest something. But in any case, I would like to hear from you about your own interests and role within the Telecom Gold system.

Best wishes from Australia!

Paul

To: M.ROSENBERG (MICHAELR)
From: M.ROSENBERG (MICHAELR)
Delivered: Thu 8-Sep-88 23:14 AEST Sys 6007 (1)
Subject: force activity
Mail Id: IPM-6007-880908-209140305

force was on altos at 23:08 on 8/9/88.
To: JVE002 (6007:JVE002)
Cc: STEVEB
Cc: MARSDEN-US (142:IMC002)
Cc: MICHAELR (6007:MICHAELR)
Cc: OTC519 (6007:OTC519)
Cc: MULHOLLAND-AA (JND002)
From: MULHOLLAND-AA (JND002)
Delivered: Mon 26-Sep-88 12:33 Sys 6009 (42)
Subject: HACKING ON JND IDS
Mail Id: IPM-6009-880926-112950001

To: Paul Heath, Keylink
CC: Ron Sinclair, OTC
    Steve Berlecky, OTC
    Michael Rosenberg, OTC
    Tim Marsden, ESI

Paul,

As you are probably aware a hacker is active in Australia and has recently gained access to a number of JND mailboxes. The hacker has run up considerable time and probably a fair amount of international access. Ron Sinclair, on the advice of Michael Rosenberg, alerted me to the problem and Michael has also shut the IDs down when he has detected the illegal use.

I've spoken to the owners of these IDs and while their passwords were not obscure they could only have been gained by a knowledge of our user directory. Obviously there is going to be a problem when the bills for this illegal usage are presented to the customers. They are already arguing that if I know the usage is not by them why should they have to pay for it.

I see this incident as extremely damaging to the users' perception of the integrity of the email system and as such I'd like to take some steps to placate the users and to prevent a recurrence.

Firstly, will Keylink credit the illegal usage?

Secondly, Tim Marsden, our US system manager, has suggested we set up CMDJND and move all our CPLs that use Netlink to it. We would also need a copy of NETLINK with a different name (say FRED) on CMDJND so that our use of the NETLINK command in the CPLs could change to FRED. This combination of a changed command name and an ID that the hacker can't access would hopefully render JND IDs useless to the hacker's purpose. Further, we would want a program called NETLINK.CPL on CMDJND. This will be a hacker alert and would mail a message to an OTC ID that monitors for illegal use.
I see a real urgency about this matter and would appreciate your early advice.

Best
David Mulholland

To: BERTA (198:BERTA)
Cc: S.BERLECKY (STEVEB)
From: M.ROSENBERG (MICHAELR)
Delivered: Thu 6-Oct-88 15:08 AEST Sys 6007 (18)
Subject: Hackers
Mail Id: IPM-6007-881006-136340371

Berta,

I think that I have found evidence of a hacker on system 52, which you should chase up. On 10/3/88 (I even put the date in US format so you can read it) at about 07:53 GMT, 08:10 GMT and 09:00 GMT, calls were made from 31033010000552 to 5053210106, which I have reason to believe is a hacker. If you find it to be so, I really need to know from what address he got into system 52, as I am hoping he did it from Aust. somewhere. If it was not, and Dialcom trace it back further, could I be told the address furthest back that you find. I am having BIG problems with this guy or one of his friends, so speed will help greatly.

I also have an account netlinking a LOT to sys41 (0311030100341) from 5053200000. He is in the billing as the United Nations. Could you have a look at the calls to 41 from 07 and see if he has hacked an account there or if he is legal?

Thanking you,
Michael.

To: MARK (198:MARK)
Cc: BERTA (198:BERTA)
Cc: S.BERLECKY (STEVEB)
From: M.ROSENBERG (MICHAELR)
Delivered: Fri 7-Oct-88 10:52 AEST Sys 6007 (25)
Subject: Hacker methods.
Mail Id: IPM-6007-881007-097940230

Mark, Berta,

Just a little background so that you know what brought on my rush of hacker enquiries. Chatting to my hackers on ALTOS in Germany, they have been taunting me saying that they have developed a means of pw interception, and they indeed were getting a lot of OTC ids from somewhere. Finally, I found that the guy netlinks to our PADs and tielines and just waits, and waits, until someone finally tries to use the terminal. In the case of the NTNs that he uses, the vast majority of the calls are to system 07.
Unfortunately, most people think that 07 is broken in some way because it doesn't display the sign-on banner and Password: etc, and just keep typing their id and password, which of course appear on the hacker's screen. There he goes.

I have seen evidence of this from at least 52 and 41, which is why I mentioned those two only. Because our packet network is owned by OTC, I can find out who attempted calls to any NTN, which is how I found 41. I found 52 because when I was warning one of our people who uses a tie line, the hacker was trying it at that moment in time, and I identified the address. Also, I was talking to the hackers later that day on ALTOS and they tried to log into 07 from 52, so I logged into 98 and did an NSY on 52. There they were.

So, there you go. I just thought you'd like to know how I came to know about hackers on your system. I am having that NUI killed, but I am sure that he has more.

Thanks for your help,
Michael.

To: BERTA (198:BERTA)
To: MARK (198:MARK)
From: M.ROSENBERG (MICHAELR)
Delivered: Fri 7-Oct-88 11:19 AEST Sys 6007 (5)
Subject: More times.
Mail Id: IPM-6007-881007-101900857

Mark, more netlinking times as follows:
from 31033010000541 to 5053200024 (it may be 200056, but don't think so) 10/6 09:10, 09:28, 09:33 GMT
and from 31033010000552 on 10/6 at 07:43 GMT

To: MARK (198:MARK)
From: M.ROSENBERG (MICHAELR)
Delivered: Sun 9-Oct-88 12:48 AEST Sys 6007 (11)
Subject: hacker on 41
Mail Id: IPM-6007-881009-115200647

Mark,

I found that 41:TCN181 was hacking on 10/6 at 2:44 GMT netlinking to altos. He was one of my hackers (aust.) and came from 26245724740132. If this guy, and/or any others, have been netlinking back to aust, I could really use that info because he is getting passwords from somewhere that I haven't found yet, presumably with his netlinking-to-pads/tielines trick. There was another TCN on at the same time as Phoenix (hacker's alias) netlinking to a telenet address. Interesting the way they have so many on the one account group,
e.g. 52:scx.

Thanks,
Michael.

To: MARK (198:MARK)
From: M.ROSENBERG (MICHAELR)
Delivered: Sun 9-Oct-88 18:12 AEST Sys 6007 (3)
Subject: another one.
Mail Id: IPM-6007-881009-163811023

Mark, that other suspect TCN was TCN177 on 41 and definitely was hacked. Was netlinking to altos 10/9 at 8:10 GMT from 31102050001801.

Mike.

To: MARK (198:MARK)
From: M.ROSENBERG (MICHAELR)
Delivered: Thu 13-Oct-88 18:41 AEST Sys 6007 (7)
Subject: TCN098
Mail Id: IPM-6007-881013-168240539

was hacking this morning. I informed ops via Lillian, who clobbered him. I copied some of his files before he deleted them (he was making files and then deleting them) to otc-all>tcn098, but he no doubt had made more when he was hit so you'll have them.

The hacker who called from the States last night gave the name SAM MONICA, who said he was from Dialcom, system 41. Obviously not his real name, but does it mean anything to you?

Michael

To: MARK (198:MARK)
From: M.ROSENBERG (MICHAELR)
Delivered: Sat 15-Oct-88 20:42 AEST Sys 6007 (3)
Subject: TCN051
Mail Id: IPM-6007-881015-186400186

On system 41 has been hacked. If he has deleted the files on his account, I copied them to 98:otc-all>tcn051. I noticed him on at 6:43 am on 10/15.

Michael.

To: MARK (198:MARK)
Cc: OTC264
Cc: S.BERLECKY (STEVEB)
From: M.ROSENBERG (MICHAELR)
Delivered: Mon 17-Oct-88 13:27 AEST Sys 6007 (38)
Subject: TCN051
Mail Id: IPM-6007-881017-121131069

Mark,

Have you noticed the file called "DRAFT" in 41:tcn051? Note in it how he mentions the account MONICA, which I now know to be a seclev 5 on 98. Recall how I said that the American hacker who called me gave the name SAM MONICA... Very unlikely to be the guy, of course, but you could very well have a big security problem. The Force is also being investigated by Telecom Aust. for international telephone fraud at the moment. Also, when I saw tcn051 being used to hack it appeared to be being used by Phoenix.
Dear Sir,

I am the hacker responsible for using TCNxxxx Accounts as well as others on system 41, and after talking to the system manager I am really shocked at the stand you have chosen to take. I do not feel that the TCN USERS SHOULD BE PENALISED FOR WEAKNESSES IN YOUR SYSTEM SECURITY, and this is something I feel very strongly about. As I see it, it is your fault, and you should take the responsibility. Please forget this bullshit about the users having weak passwords, since I can obtain the password for just about any account, no matter what password is being used. There are a lot of people like me that know about the Dialcom weaknesses, and are exploiting these accounts, and I really would like to see TCN subscribers be refunded any excessive costs due to their activities. If you continue to exploit your users in this way, I will have to bring this matter to the media, and demonstrate just how easy it is to gain access to mail and private files of your government and other subscribers. Again I urge you to do the right thing by your customers.

As an example I am bringing to your attention a certain account such as MONICA and other inhouse system accounts. What are they, level 5?

Catch Ya Later

----====} THE FORCE {====----

To: MICHAELR (6007:MICHAELR)
Cc: M.HULBERT (MARK)
From: M.HULBERT (MARK)
Delivered: Thu 20-Oct-88 6:38 Sys 198 (79)
Subject: Reply to: TCN051
Mail Id: IPM-198-881020-059720001

Mike,

I was noting the carryings-on as they were in progress on Saturday. I copied the file as the Force was generating it. The two individuals are coming in from the Australian continent somewhere. They look to be coming in via a US Telenet address, but that is not the case. Both are 19 years old and are working on a special project to document all of the NUAs in the world. An ambitious project at that.

Now you have really put these two individuals out! You had promised them a free account and then took it away from them.
That made them mad, hence the "mail barrage" from system 41. These characters have more nerve than any I have seen so far. They have no respect for the business people. In addition, they are using the long distance phone system to make free calls. They talked with our client here in the States for some 3 1/2 hours on Saturday morning - our time. They apparently have the codes for gaining free access to your phone systems.

Unfortunate that you do not have any legal alternatives available to you in Australia. A couple of arrests tends to inhibit such activity.

Thanks for the note and the interest. We have apprised Telenet of the activity and they are looking into how, what and wherefore they are cheating on their network as well.

Mark

From: M.ROSENBERG (MICHAELR)
Delivered: Sun 16-Oct-88 23:29 EDT Sys 6007
To: M.HULBERT (MARK)
Subject: TCN051
Mail Id: IPM-6007-881016-211400001

[Quoted copy of Michael's "TCN051" message of 17-Oct-88 and the appended letter from The Force, identical to the text above.]

To: EIM004 (10074:EIM004)
To: BTG-DIA (10080:BTG-DIA)
To: BTG005 (10080:BTG005)
To: BTG072 (10080:BTG072)
To: DKE237 (12271:DKE237)
To: DPT258 (12271:DPT258)
To: DPT999 (12271:DPT999)
To: MSE001 (12271:MSE001)
To: MNL012 (12427:MNL012)
To: SADM (12427:SADM)
To: JUKKAI (12762:JUKKAI)
To: LEENAS (12762:LEENAS)
To: MARKKUV (12762:MARKKUV)
To: ROM001 (13065:ROM001)
To: TLO202 (13065:TLO202)
To: TLO300 (13065:TLO300)
To: DAC100 (152:DAC100)
To: SEM012 (152:SEM012)
To: SEM015 (152:SEM015)
To: CROWE (198:CROWE)
To: JOEA (198:JOEA)
To: MARK (198:MARK)
To: TOMS (198:TOMS)
To: CNP007 (2022:CNP007)
To: CNP343 (2022:CNP343)
To: CNP365 (2022:CNP365)
To: CNP517 (2022:CNP517)
To: FTZ007 (3015:FTZ007)
To: MNH001 (3015:MNH001)
To: RJS001 (3015:RJS001)
To: LADWIG (3069:LADWIG)
To: SEL008 (3069:SEL008)
To: AMI (5006:AMI)
To: AMOS (5006:AMOS)
To: FIFI (5006:FIFI)
To: IPR013 (5825:IPR013)
To: IPR023 (5825:IPR023)
To: NZP019 (6009:NZP019)
To: KDM301 (7014:KDM301)
To: KDM404 (7014:KDM404)
To: CAW003 (8088:CAW003)
To: CAW065 (8088:CAW065)
To: HQT127 (8810:HQT127)
To: SVC004 (8810:SVC004)
Bc: MICHAELR
From: C.HAPANGAMA (OTC264)
Delivered: Tue 29-Mar-88 17:14 AEST Sys 6008 (33)
Subject: Security threat : OTC
Mail Id: IPM-6008-880329-155130552

To: All Dialcom Licensees.
CONFIDENTIAL
------------

OTC has determined that the hacker which has delivered the threat to us has been using a unique NTN (505235689996) for hacking when he does not have access to a hacked account on OTC's Dialcom system. The hacker may have used this NTN, in addition to netlinking from our systems, to access other Dialcom systems, which he has claimed. If indeed the hacker used this method of access, it will be easily identifiable through NUSAGE.

OTC suggests that you determine if any accounts have been accessed from the address 505235689996 by running NUSAGEs. Any ids found will most likely have been hacked. Our systems' addresses are 5053200000, 5053200001 and 5053200050. Most calls made to ids from these addresses using netlink may of course be valid users. The hacker could have accessed other systems from the many VAXs and PRIMEs to which he supposedly has access, but these are of course unknown to us.

If any ids on your systems are found to have been hacked from Australia, could you please supply to me, 6008:OTC264, any information which you would consider helpful to OTC.

Regards,
Channa Hapangama
Technical Support Manager, Value Added Business.
OTC.
To: MARK (198:MARK)
Cc: EIM004 (10074:EIM004)
Cc: BTG-DIA (10080:BTG-DIA)
Cc: BTG005 (10080:BTG005)
Cc: BTG072 (10080:BTG072)
Cc: DKE237 (12271:DKE237)
Cc: DPT258 (12271:DPT258)
Cc: DPT999 (12271:DPT999)
Cc: MSE001 (12271:MSE001)
Cc: MNL012 (12427:MNL012)
Cc: SADM (12427:SADM)
Cc: JUKKAI (12762:JUKKAI)
Cc: LEENAS (12762:LEENAS)
Cc: MARKKUV (12762:MARKKUV)
Cc: ROM001 (13065:ROM001)
Cc: TLO202 (13065:TLO202)
Cc: TLO300 (13065:TLO300)
Cc: DAC100 (152:DAC100)
Cc: SEM012 (152:SEM012)
Cc: SEM015 (152:SEM015)
Cc: CROWE (198:CROWE)
Cc: JOEA (198:JOEA)
Cc: TOMS (198:TOMS)
Cc: CNP007 (2022:CNP007)
Cc: CNP343 (2022:CNP343)
Cc: CNP365 (2022:CNP365)
Cc: CNP517 (2022:CNP517)
Cc: FTZ007 (3015:FTZ007)
Cc: MNH001 (3015:MNH001)
Cc: RJS001 (3015:RJS001)
Cc: LADWIG (3069:LADWIG)
Cc: SEL008 (3069:SEL008)
Cc: AMI (5006:AMI)
Cc: AMOS (5006:AMOS)
Cc: FIFI (5006:FIFI)
Cc: IPR013 (5825:IPR013)
Cc: IPR023 (5825:IPR023)
Cc: NZP019 (6009:NZP019)
Cc: KDM301 (7014:KDM301)
Cc: KDM404 (7014:KDM404)
Cc: CAW003 (8088:CAW003)
Cc: CAW065 (8088:CAW065)
Cc: HQT127 (8810:HQT127)
Cc: SVC004 (8810:SVC004)
Bc: M.ROSENBERG (MICHAELR)
From: STEVEB
Delivered: Mon 28-Mar-88 15:57 AEST Sys 6008 (72)
Subject: Reply to: Security Threat to the Dialcom Community
Mail Id: IPM-6008-880328-143680409
In Reply To: IPM-198-880326-088730001

To: Dialcom Licensees

On Friday 25 March, Dialcom U.S. advised you that OTC had experienced a particular hacking problem and that further advice would be given as to OTC's approach to this matter.

OTC requests that all licensees, until further notified, please keep the information concerning this particular hacking problem confidential and at the highest level in your organisations and, further, that no public statement be made until OTC advises.

The OTC contact point on this matter is:

Mr. C. Hapangama
Mail Box No. 6008:OTC264
Business Telephone: 61.2.287 5857
Home Telephone : 61.2.481 8997

Regards,
D. BRAWN
Chief Manager - Products Business
OTC

P.S.
Would all licensees please mail a contact name and telephone number to Mr. Hapangama so that you may be contacted if the need arises due to an emergency situation.

From: M.HULBERT (MARK)
Delivered: Sat 26-Mar-88 9:51 Sys 198
To: STEVEB
Subject: Security Threat to the Dialcom Community
Mail Id: IPM-198-880326-088730001

Our licensee in Australia, OTC, has been penetrated by a hacker who claims to have access to about 100 Dialcom accounts on systems such as BT Gold, Primecom, Telebox, Goldnet, Dialcom and so forth. Interestingly enough, the hacker claims that he has additional access to both Prime and Vax systems which he can program to commence sending thousands of mail messages to every customer account that he knows about. His request is that OTC give him six free mailboxes or he will launch his mail inundation upon the Dialcom community.

We do not know the degree of capability to carry out such a threat but certainly, if perpetrated, it could have significant implications for each of us. From a security viewpoint, we should expect that the messages will show hostility and, operationally, they could clog our networks and systems and increase our network expense and response times.

We are pursuing this issue with OTC and will inform each of you as additional information develops. If you note any problems of a similar nature, please inform all addressees as to your findings. We are developing defense strategies in conjunction with OTC and will keep you abreast of the activities as they are unfolding.

Mark Hulbert
Director, Operations Planning

To: MICHAELR
To: STEVEB
From: C.HAPANGAMA (OTC264)
Delivered: Mon 28-Mar-88 11:02 AEST Sys 6008 (107)
Subject: Reply to: Hacker threat to Keylink-Dialcom.
Mail Id: IPM-6008-880328-099350092

From: M.HULBERT (MARK)
Delivered: Sat 26-Mar-88 4:41 Sys 198
To: C.HAPANGAMA (OTC264)
Subject: Reply to: Hacker threat to Keylink-Dialcom.
Mail Id: IPM-198-880326-042280001

Channa,

I will look into the source of the hacking from our end here to determine if we can isolate the hacker on our end. The real concern is whether or not you may bring the resources of the local law enforcement authorities to bear on this issue to assist you. The biggest problem is the tracking of the source. If the access is from a dialup rotor in your network, the capability to trace the calls may be your best capability to identify the source of your hacking. I have worked very closely with the US Secret Service on just such an instance and have recently concluded the effort with the arrest of the hacker by the Secret Service.

I suggest that if the laws of your country make electronic data theft a crime, you should pursue this with the authorities. If that is not a crime, then the possibility of extortion may be a means that you may employ to gain the assistance of the law enforcement authorities. In addition, depending on your relationship with the local telephone company, you may be able to initiate a trace without the benefit of the law enforcement folks. That would allow you to monitor the particular IDs that the user hacks and start the trace based upon the access line (or PAD port) that the call came in on.

I also suggest that you identify the hacker's profile. Most have a particular characteristic that you can use to track and trace the user's activity. It may be the time of day that the accesses occur, particular accounts, the network address from which the accesses occur, particular commands not normally used by clients, etc. I have found that net-talk is one that the hackers on our end like. They also like to upload and download files of software to each other.
In addition, they set up sub-directories which have the latest and greatest of information on the hacking community activities and, at least in my experience, we have seen them solicit others to join them in sessions on the hacked ID. I found that it was better to move the user from the hacked ID to a new ID and leave the old ID in place to track the activity of the hacker. It provided data on what other IDs he/she may have hacked, since they tended to connect to other IDs from a central ID.

We will be glad to assist you as you move on this problem. Please provide any information or questions that you may have to me, with a copy to Gideon Amir, 98:Gideon.

From: C.HAPANGAMA (OTC264)
Delivered: Fri 25-Mar-88 0:40 EST Sys 6008
To: M.HULBERT (MARK)
Subject: Hacker threat to Keylink-Dialcom.
Mail Id: IPM-6008-880325-006130001

Mr. Joe Antonellis
Division Vice President, Dialcom International.

ANALYSIS OF HACKER'S THREAT TO KEYLINK-D
----------------------------------------

On the 25th March 1988, 11:45 AEST, Mr J. Antonellis of Dialcom was advised that OTC had received a threat from a hacker. This message is to formally advise Dialcom of the nature of the threat, in which the hacker claimed:

1) The hacker claims to have access to about 100 Dialcom accounts on BT GOLD, PRIMECOM, TELEBOX, GOLDNET etc.

2) The hacker intends using these accounts to send thousands of mail to all of the customer accounts on our systems of which he is aware, and which OTC believes is quite extensive. The hacker threatens to do this for as many weeks as required until OTC succumbs and delivers the hacker six free mailboxes.

3) The hacker claims to have access to other PRIMEs and VAXs which he can program to do this feat without his intervention, which we believe.

The hacker accesses the OTC Dialcom system by using Austpac dial-up and, less frequently, from OTC Data Access dial-up. The hacker uses a common NUI which is used for access by all our dial-up customers.
This message was sent to OTC from 157:AGS325 at 22:13 3/24/88 AEST, which we believe has been hacked.

OTC and Telecom (Aust.) are reviewing this situation and expect to further advise Dialcom Inc. of our intentions by Monday 3/28/88.

Please note these contacts in OTC re this situation:

Legal      : Ros Robertson     Aust 2-287 5204   6008:OTC383
System     : Channa Hapangama       2-287 5857   6008:OTC264
Commercial : David Brawn            2-287 5960   6008:OTC033
             Gary Donald            2-287 5990   6008:OTC003
Facsimile  :                        2-287 4435

Channa Hapangama
Technical Support Manager, Value Added Business.
OTC

To: JOEA (198:JOEA)
Cc: DM (198:DM)
Cc: MARK (198:MARK)
Bc: MICHAELR
From: C.HAPANGAMA (OTC264)
Delivered: Fri 25-Mar-88 15:39 AEST Sys 6008 (44)
Subject: Hacker threat to Keylink-Dialcom.
Mail Id: IPM-6008-880325-140990869

[Original of the "ANALYSIS OF HACKER'S THREAT TO KEYLINK-D" message; body identical to the copy quoted in full above.]

To: BERTA (198:BERTA)
To: MARK (198:MARK)
Cc: S.BERLECKY (STEVEB)
From: M.ROSENBERG (MICHAELR)
Delivered: Mon 31-Oct-88 11:37 AEDT Sys 6007 (57)
Subject: UK security
Mail Id: IPM-6007-881031-104601171

Berta, Mark,

While watching another German chat host, I observed the following conversation:

 No Chan From             User     Called
  1   0  Hp3000's         guest    Saber's.Edge
  4   0  023427730040500  shatter  shatter
  5   0  uucpland         guest    uucico
  6   0                   guest

<4> shatter says: saber: i need the proper nua -- i will swop 4 full access to system 72
<1> Saber's.Edge says: well thats the proper nua..
<1> Saber's.Edge says: or if your in the usa its 301346
<4> shatter says: ghal: thnx -- the system 72 is 023421920100472
<4> shatter says: id mag33023 neemg23
<1> Saber's.Edge says: thanks ..
<1> Saber's.Edge says: what id do you have on the d46?
<4> shatter says: saber: none yet -- i am going to hack it l8er
<1> Saber's.Edge says: not the pw but the Z{d..
<1> Saber's.Edge says: not that great of a system.. i have a few accounts on it now..
<4> shatter says: saber: i have hacked the uk dialcoms and now working on the others
.sx
<1> Saber's.Edge says: well don't fuck up all the dialcoms..
<4> shatter says: saber: am turning system 72 in2 a pad

 No Chan From             User     Called
  1   0  Hp3000's         guest    Saber's.Edge
  4   0  023427730040500  shatter  shatter
  5   0  uucpland         guest    uucico
  6   0                   guest

<1> Saber's.Edge says: also don't tell ANYONE how to hack them..
<1> Saber's.Edge says: i've heard about the Australian's problems once people found out how to hack Dialcom's..
<4> shatter says: saber: i won't -- but just need to attach them all from the uk 4 a major hack l8er
<1> Saber's.Edge says: don't fuck up the USA's Dialcom's..
+++ <0> molinari +++
<4> shatter says: saber: i won't -- don't worry -- just wanna nick some sw
<0> molinari says: puach..
--- <0> molinari ---
--- <4> shatter ---
--- <4> shatter ---
--- <5> uucico ---
.sx
No Chan From             User     Called
 1  0   Hp3000's         guest    Saber's.Edge
 6  0   guest

The id given on 72 is valid, I tried it. Please ignore any accesses from 5053200000 between 00:00 and 01:00 GMT on 31/10 because that was me checking if it was true. I don't know where that NTN 023427730040500 is, I get invalid address when I call it. It could well be an NUI that he has. That number can be changed by the user so it may not be a valid address at all. I have heard claims from other hackers that they have accessed source code from US dialcoms when they didn't know who I was.

Regards,
Michael.

To: M.ROSENBERG (MICHAELR)
To: OTC264
From: S.BERLECKY (STEVEB)
Delivered: Tue 18-Oct-88 15:12 AEST Sys 6007 (58)
Subject: SWISS PAVILION EXPO HACKER PROBLEM
Mail Id: IPM-6007-881018-136940425

For your perusal, Steve.

Mike, do not ring the Swiss guy until you talk to Channa or me.

From: J.PURDY (OTC288)
Delivered: Tue 18-Oct-88 14:57 AEST Sys 6007
To: S.BERLECKY (STEVEB)
Subject: SWISS PAVILION EXPO HACKER PROBLEM
Mail Id: IPM-6007-881018-134620160

STEVE,

THE X121 CALLED WAS 026245911010290. ITS SOME SORT OF BULLETIN BOARD WITH PEOPLE CHATTING ON IT IN NUREMBERG IN GERMANY. IF U WANT TO LOG ON USE THE PASSWORD "GAST" (MEANS GUEST IN GERMAN, SO PETER MOLL (THE EXPO SWISS PAVILION ASSISTANT MANAGER) TELLS ME). SHORTLY AFTER HE LOGGED ON HE RECEIVED THE FOLLOWING: "AUSTPAC SECURITY YOU SHOULD HAVE ENTERED -?N AND 12 CHARACTERS". THEN FOLLOWED MORE PEOPLE CHATTING.
THEN AGAIN "AUSTPAC SECURITY WOT WERE THE EXACT 12 CHARACTERS YOU TYPED". PETER MOLL THEN SED "PLS IDENTIFY YOURSELF". RESPONSE WAS "AUSTPAC SECURITY WOT ACCOUNT CODE EXACTLY DID YOU ENTER". PETER MOLL RESPONSE "PLSE IDENTIFY YOURSELF". RESPONSE WAS "MICHAEL ROSENBURG". PETER MOLL SED "WHAT IS PROBLEM". RESPONSE WAS "AUSTPAC - OTC SECURITY TO WHISPER IT TO ME" (APPRS USING THIS BULLETIN BOARD BY HITTING A FUNCTION KEY OR SOMETHING THEY CAN SEND TO ANOTHER PERSON WITHOUT THE OTHER USERS SEEING IT (I.E. WHISPERING IT)). PETER MOLLS RESPONSE WAS "PLSE CALL ME ON 846-4017". THE SYSTEM THEN LOCKED UP AND THAT WAS THE END OF IT.

HOPE ITS OF SOME ASSISTANCE TO YOU..... I THORT PETER MOLL WAS SOMEWHAT ASTUTE IN NOT DIVULGING HIS NUI (HE HAS AN ADDITIONAL DIAL UP NUI TO HIS X28 LINK). IF U OR MICHAEL NEED TO CONTACT HIM HIS NBR IS PETER MOLL, SWISS PAVILION EXPO 88, 07 8464017. HE IS A VERY APPROACHABLE GUY AND WE HAVE WORKED CLOSELY WITH HIM AT EXPO, HOLDING DATA ACCESS SEMINARS ETC AT THE SWISS PAVILION. I AM QUITE SURE HE WOULD NOT BE A PARTY TO ANY HACKING ACTIVITIES HIMSELF.

GIVE MY REGARDS TO MICHAEL, HOPE HE IS FEELING BIT BETR.

RGDS
JOHN PURDY
BRISBANE OFFICE

To: MARK (198:MARK)
Cc: BERTA (198:BERTA)
Cc: DM (198:DM)
Bc: M.ROSENBERG (MICHAELR)
From: S.BERLECKY (STEVEB)
Delivered: Mon 10-Oct-88 18:52 AEST Sys 6007 (20)
Subject: HACKING
Mail Id: IPM-6007-881010-169901197

Mark,

Thank you for your help this morning concerning the id UDP081. We decided to allow system 141 to talk to system 6007 again this afternoon; as soon as we re-opened this path the letters started flowing in again, except this time they were from UDP080. We have closed this path again. Could I ask you to scan the whole UDP account and possibly the whole TCN account on system 141, as these seem to be a source of illegal use. Michael Rosenberg detected TCN178 and UDP080 being used from the address 31102050001801. You may want to scan on this address as well.
As far as the last few days' effort goes, there were 4339 messages sent from UDP081 to our systems; only about 160 hit real accounts on our systems and only 13 out of these 160 actually read the item. We have deleted the other 147 letters off our system. We are also contacting the 13 that have read this item.

Thanks again for your help, and waiting to hear from you if you come up with anything.

Regards
Steve Berlecky (6007:steveb)

To: MICHAELR (6007:MICHAELR)
Cc: R.BARNACK (BERTA)
From: M.HULBERT (MARK)
Delivered: Mon 31-Oct-88 11:48 Sys 198 (69)
Subject: Reply to: UK security
Mail Id: IPM-198-881031-106230001

Thanks much Mike. I will get this to the UK for them to act on it in the morning. I will review it a bit more then as well.

Mark

From: M.ROSENBERG (MICHAELR)
Delivered: Sun 30-Oct-88 19:37 EST Sys 6007
To: M.HULBERT (MARK)
Subject: UK security
Mail Id: IPM-6007-881030-176580001

Berta, Mark,

While watching another German chat host, I observed the following conversation:

No Chan From             User     Called
 1  0   Hp3000's         guest    Saber's.Edge
 4  0   023427730040500  shatter  shatter
 5  0   uucpland         guest    uucico
 6  0   guest

<4> shatter says: saber: i need the proper nua -- i will swop 4 full access to system 72
<1> Saber's.Edge says: well thats the proper nua..
<1> Saber's.Edge says: or if your in the usa its 301346
<4> shatter says: ghal: thnx -- the system 72 is 023421920100472
<4> shatter says: id mag33023 neemg23
<1> Saber's.Edge says: thanks ..
<1> Saber's.Edge says: what id do you have on the d46?
<4> shatter says: saber: none yet -- i am going to hack it l8er
<1> Saber's.Edge says: not the pw but the Z{d..
<1> Saber's.Edge says: not that great of a system.. i have a few accounts on it now..
<4> shatter says: saber: i have hacked the uk dialcoms and now working on the others
.sx
<1> Saber's.Edge says: well don't fuck up all the dialcoms..
<4> shatter says: saber: am turning system 72 in2 a pad

No Chan From             User     Called
 1  0   Hp3000's         guest    Saber's.Edge
 4  0   023427730040500  shatter  shatter
 5  0   uucpland         guest    uucico
 6  0   guest

<1> Saber's.Edge says: also don't tell ANYONE how to hack them..
<1> Saber's.Edge says: i've heard about the Australian's problems once people found out how to hack Dialcom's..
<4> shatter says: saber: i won't -- but just need to attach them all from the uk 4 a major hack l8er
<1> Saber's.Edge says: don't fuck up the USA's Dialcom's..
+++ <0> molinari +++
<4> shatter says: saber: i won't -- don't worry -- just wanna nick some sw
<0> molinari says: puach..
--- <0> molinari ---
--- <4> shatter ---
--- <4> shatter ---
--- <5> uucico ---
.sx
No Chan From             User     Called
 1  0   Hp3000's         guest    Saber's.Edge
 6  0   guest

The id given on 72 is valid, I tried it. Please ignore any accesses from 5053200000 between 00:00 and 01:00 GMT on 31/10 because that was me checking if it was true. I don't know where that NTN 023427730040500 is, I get invalid address when I call it. It could well be an NUI that he has. That number can be changed by the user so it may not be a valid address at all. I have heard claims from other hackers that they have accessed source code from US dialcoms when they didn't know who I was.

Regards,
Michael.

To: MICHAELR (6007:MICHAELR)
From: M.HULBERT (MARK)
Delivered: Sun 16-Oct-88 1:38 Sys 198 (22)
Subject: Reply to: TCN051
Mail Id: IPM-198-881016-014820001

Mike,

Thanks for the info. I have had Operations watching for any activity and I did get on and check on what was going on as well at about 06:50 our time this morning. I had a brief chat session with him on line but he was very cautious. It was THE FORCE and he didn't open up too much. I will look at the files shortly.

Mark

From: M.ROSENBERG (MICHAELR)
Delivered: Sat 15-Oct-88 6:44 EDT Sys 6007
To: M.HULBERT (MARK)
Subject: TCN051
Mail Id: IPM-6007-881015-060630001

TCN051 on system 41 has been hacked.
If he has deleted the files on his account, I copied them to 98:otc-all>tcn051. I noticed him on at 6:43 am on 10/15.

Michael.

To: MICHAELR (6007:MICHAELR)
From: M.HULBERT (MARK)
Delivered: Fri 14-Oct-88 0:39 Sys 198 (22)
Subject: Reply to: TCN098
Mail Id: IPM-198-881014-005910001

Alan,

The number of minutes was for a one week extract of our bill since it was too time consuming to perform a full month's review. If you expand them by about 4.33 - you should be close. Our international traffic minutes for the August timeframe was about 38K minutes.

Mark

From: M.ROSENBERG (MICHAELR)
Delivered: Thu 13-Oct-88 4:42 EDT Sys 6007
To: M.HULBERT (MARK)
Subject: TCN098
Mail Id: IPM-6007-881013-042410001

TCN098 was hacking this morning. I informed ops via Lillian, who clobbered him. I copied some of his files before he deleted them (he was making files and then deleting them) to otc-all>tcn098, but he no doubt had made more when he was hit so you'll have them. The hacker who called from the states last night gave the name SAM MONICA who said he was from Dialcom, system 41. Obviously not his real name, but does it mean anything to you?

Michael

To: MICHAELR (6007:MICHAELR)
Cc: STEVEB (6007:STEVEB)
Cc: M.HULBERT (MARK)
From: M.HULBERT (MARK)
Delivered: Mon 10-Oct-88 22:29 Sys 198 (37)
Subject: Reply to: hacker on 41
Mail Id: IPM-198-881010-202440001

Mike,

I note a pattern with the hackers. I shut down the SCX account access on Saturday since I noted the activity there. If a hacker breaks into an account, they use the directory for the account to:

a. Get a list of the approved accounts on the systems
b. Use the directory as a source of passwords. I have noted that names, organizational abbreviations etc. do map to the user's passwords.

Once they are into an account prefix, they usually find several easily accessed accounts. In addition, they do not bang on an ID more than a couple or three times so as to not raise our Operations folks' awareness of an attempt to penetrate.
Mark

From: M.ROSENBERG (MICHAELR)
Delivered: Sat 8-Oct-88 22:49 EDT Sys 6007
To: M.HULBERT (MARK)
Subject: hacker on 41
Mail Id: IPM-6007-881008-205390001

Mark,

I found that 41:TCN181 was hacking on 10/6 at 2:44 GMT, netlinking to altos. He was one of my hackers (aust.) and came from 26245724740132. If this guy, and/or any others, have been netlinking back to aust, I could really use that info because he is getting passwords from somewhere that I haven't found yet, presumably with his netlinking to pads/tielines trick. There was another TCN on at the same time as Phoenix (hacker's alias) netlinking to a telenet address. Interesting the way they have so many on the one account group, e.g. 52:scx.

Thanks,
Michael.

To: MICHAELR (6007:MICHAELR)
From: M.HULBERT (MARK)
Delivered: Sat 8-Oct-88 11:20 Sys 198 (52)
Subject: Reply to: Reply to: not him again
Mail Id: IPM-198-881008-102090001

Mike,

The crew is not just your area - I have seen them coming in from the West Coast area of the US as well. Will be sorting it out this weekend and will advise you more.

Mark

From: M.ROSENBERG (MICHAELR)
Delivered: Thu 6-Oct-88 19:31 EDT Sys 6007
To: M.HULBERT (MARK)
Subject: Reply to: not him again
Mail Id: IPM-6007-881006-175700001

Mark,

The address stated in this is not quite correct, I was quoting it from memory. The address was 505233589998 (not 9996), but you would have found that from one nusage anyway.

Michael.

From: M.HULBERT (MARK)
Delivered: Fri 7-Oct-88 3:20 Sys 198
Forward: M.ROSENBERG (MICHAELR)
Subject: not him again
Mail Id: IPM-198-881007-030120001

Mike,

Thanks for the warning. I will get back to you later this evening.

Mark

From: R.BARNACK (BERTA)
Delivered: Thu 6-Oct-88 13:02 EDT Sys 198
Forward: M.HULBERT (MARK)
Subject: not him again
Mail Id: IPM-198-881006-117340135

this should be it.
berta

From: M.ROSENBERG (MICHAELR)
Delivered: Thu 6-Oct-88 8:54 EDT Sys 6007
To: R.BARNACK (BERTA)
Subject: not him again

Berta,

I identified some hacked accounts as (52)scx027 coming from 505233589996, and I called dialcom operations and notified them of same. I still don't know if there are more on 52 (they certainly claim to have lots more). I would certainly look for any access by that address. I didn't find out about any on 41.

Michael

To: MICHAELR (6007:MICHAELR)
Cc: M.HULBERT (MARK)
From: M.HULBERT (MARK)
Delivered: Fri 7-Oct-88 3:20 Sys 198 (27)
Subject: not him again
Mail Id: IPM-198-881007-030120001

Mike,

Thanks for the warning. I will get back to you later this evening.

Mark

From: R.BARNACK (BERTA)
Delivered: Thu 6-Oct-88 13:02 EDT Sys 198
Forward: M.HULBERT (MARK)
Subject: not him again
Mail Id: IPM-198-881006-117340135

this should be it.

berta

From: M.ROSENBERG (MICHAELR)
Delivered: Thu 6-Oct-88 8:54 EDT Sys 6007
To: R.BARNACK (BERTA)
Subject: not him again

Berta,

I identified some hacked accounts as (52)scx027 coming from 505233589996, and I called dialcom operations and notified them of same. I still don't know if there are more on 52 (they certainly claim to have lots more). I would certainly look for any access by that address. I didn't find out about any on 41.

Michael

To: MARK (198:MARK)
From: M.ROSENBERG (MICHAELR)
Delivered: Tue 22-Nov-88 17:49 AEDT Sys 6007 (17)
Subject: Hackers on 46
Mail Id: IPM-6007-881122-160360329

Mark,

I think that you will find that 46:ltl492 and 46:fmt004 have been hacking furiously lately. If you can wait a couple of days before killing them, it would be better for me because I think the guy knows that I saw him on altos and if the account is killed straight away he will know that it was me. I think that the hacker is the one who knows my home number/address etc. and don't want to get him upset with me. I am trying to make him think that I have stopped chasing hackers.
Are the network addresses from which he comes (not the australian ones) telenet dial-up ports? If they are, then it would be nice if Telenet could get in touch with Telecom Aust. here, because I know a guy in Telecom who wants to bust these guys for telephone fraud, because they are getting free phone calls to the states!!! Would Telenet be interested?? Let me know what you find?

Thanks,
Michael.

To: MARK (198:MARK)
From: M.ROSENBERG (MICHAELR)
Delivered: Sat 3-Dec-88 9:55 AEDT Sys 6007 (7)
Subject: Hacker? on 78
Mail Id: IPM-6007-881203-089380919

Mark,

On the 11/30 or 12/1 (I can't remember) I saw someone on altos coming from 23421920100478, which is sys 78. I can't remember the times or dates but they more than likely would have been netlinking to 26245890040004. Would you forward this message to BT?

Thanks,
Michael.

To: BERTA (198:BERTA)
From: M.ROSENBERG (MICHAELR)
Delivered: Fri 9-Dec-88 11:25 AEDT Sys 6007 (30)
Subject: Security
Mail Id: IPM-6007-881209-102761316

Berta,

I managed to use network_define to effectively disable a terminal by setting the PAD parameters to appropriate values. A very messy solution but effective in the interim.

The security problem which I was trying to tell you about was this one: At the moment, the OS will look in login>sons for the ufd name of a user logging in. If found, it will execute the specified command, which is the way AOSLOGIN is run. I have been using that means to enforce other restrictions on our inhouse users and certain hacked accounts. However, the problem is that if the user strikes BREAK as he logs in, the OS does not look in SONS but goes into command mode, thus avoiding any security that should be applied to that account. This includes any menu.ctl settings which AOSLOGIN would set on a user. I suggest that the OS not be allowed to be interrupted during the login phase until after a command file in SONS has been executed.
Generally, I mean that we should be able to force a user to execute an external command that we may wish him to, even if he tries to avoid this by breaking out of the login procedure. This would be very handy to me to enforce extra security restrictions on inhouse accounts. It works fine for normal users, but my hackers know about this window, and I can't put any more security on them except seclevs. Is this possible? What does Fritz say?

Thanks,
Michael.

From: R.MYERS (BERTA)
Delivered: Thu 22-Dec-88 6:00 Sys 198
Forward: S.BERLECKY (STEVEB)
Subject: Reply to: trace facilities
Mail Id: IPM-198-881222-054030001

Here you go... words of Fritz..

berta.

From: F.THANE (FRITZ)
Delivered: Wed 21-Dec-88 11:51 EST Sys 198
To: R.MYERS (BERTA)
Subject: Reply to: trace facilities
Mail Id: IPM-198-881221-106700986
In Reply To: IPM-198-881221-081340993

While such trace facilities would be nice, they do not exist in the present version of the O/S. In fact, they never have existed because of memory requirements. I had a trace function in rev 18 at one point that only saved the frame/packet header information. In order for the system to be able to retrieve that info, approximately 256 frames had to be saved because of the speed with which they would arrive.

From: R.MYERS (BERTA)
Delivered: Wed 21-Dec-88 9:02 EST Sys 198
Forward: F.THANE (FRITZ)
Subject: trace facilities

Can we help these hacked souls......

tks, berta

From: S.BERLECKY (STEVEB)
Delivered: Wed 21-Dec-88 0:58 EST Sys 6007
To: R.MYERS (BERTA)
Subject: trace facilities

Berta,

Here is a different question from the usual fax questions.... Michael is trying to track hackers and has come up with some useful tools; however, we have found a rather large hole in his program and with no way of remedying it. What I would like to find out from Dialcom, and in this case I probably mean Fritz or Pat, is whether there are any ways of tracing or tapping into (software wise) the x25 or virtual circuit connections.
To put it simply, we need to monitor what is happening on the lines and ports. I know Dialcom may not want to give this sort of info out or release this sort of trace facilities, but could I get an answer of whether it can be done. We are talking desperate times here: either Dialcom gives me something or I may have to gag Michael from asking me this question 20 times a day.

help needed and wanted,
steve

To: OTC264
From: M.ROSENBERG (MICHAELR)
Delivered: Thu 29-Dec-88 22:44 AEDT Sys 6007 (5)
Subject: HACKER
Mail Id: IPM-6007-881229-204630463

I DETECTED CEG002 HACKING TONITE, ALTHOUGH HE WAS HACKING ON IT LAST NITE TOO. I DON'T THINK THAT HE HAS THE 001 ACCOUNT. I HAVE KILLED CEG002 AFTER KNOCKING HIM OFF..

MIKE..

To: MICHAELR (6007:MICHAELR)
Cc: M.HULBERT (MARK)
Cc: R.RUSSIN (ROBERT)
From: M.HULBERT (MARK)
Delivered: Wed 23-Nov-88 4:17 Sys 198 (54)
Subject: Reply to: Hackers on 46
Mail Id: IPM-198-881123-038550001

Michael,

We have two addresses in Australia that indicate that our "friends" are using your network to access our IDs on the systems here. Here are a couple of numbers to run against the network addresses and maybe we can begin to "smoke out" our friends!

505222389941 (two accesses)

Mark

From: M.HULBERT (MARK)
Delivered: Tue 22-Nov-88 8:26 EST Sys 198
To: M.HULBERT (MARK)
Subject: Reply to: Hackers on 46
Mail Id: IPM-198-881122-075980904
In Reply To: IPM-6007-881122-016040001

Thanks - Mike. I have noted the hacking on the FMT account for the last three weeks but the client is unable to react to changing the password. We have advised the sales folks but the PCs associated with the account seem to be difficult to change the password. We have advised Telenet and, as I indicated before, the FORCE is entering Telenet via the Birmingham Alabama node in the US and D.J. Chronos is entering normally via the Santa Barbara California Telenet node. However, we have not yet been able to determine how they are doing it.
I do suspect that they have access to a credit card authorization number and may be using that to reach us.

Mark

From: M.ROSENBERG (MICHAELR)
Delivered: Tue 22-Nov-88 1:46 EST Sys 6007
To: M.HULBERT (MARK)
Subject: Hackers on 46

Mark,

I think that you will find that 46:ltl492 and 46:fmt004 have been hacking furiously lately. If you can wait a couple of days before killing them, it would be better for me because I think the guy knows that I saw him on altos and if the account is killed straight away he will know that it was me. I think that the hacker is the one who knows my home number/address etc. and don't want to get him upset with me. I am trying to make him think that I have stopped chasing hackers.

Are the network addresses from which he comes (not the australian ones) telenet dial-up ports? If they are, then it would be nice if Telenet could get in touch with Telecom Aust. here, because I know a guy in Telecom who wants to bust these guys for telephone fraud, because they are getting free phone calls to the states!!! Would Telenet be interested?? Let me know what you find?

Thanks,
Michael.

To: MICHAELR (6007:MICHAELR)
Cc: R.RUSSIN (ROBERT)
From: M.HULBERT (MARK)
Delivered: Thu 23-Mar-89 4:40 Sys 198 (30)
Subject: Reply to: FORCE
Mail Id: IPM-198-890322-122881269
In Reply To: IPM-6007-890321-174760001

Mike,

I haven't seen hide nor hair of the Force or D.J. Chronos. We continue to sweep the systems on a weekly basis but no signs of the buggers. I sense that there are more active police activities in this area in Australia, since there seemed to be a rather active group attacking credit computers etc. as I saw in a US newspaper.

Mark

From: M.ROSENBERG (MICHAELR)
Delivered: Tue 21-Mar-89 19:25 EST Sys 6007
To: M.HULBERT (MARK)
Subject: FORCE
Mail Id: IPM-6007-890321-174760001

Mark,

There has been a falling out amongst hackers in Australia, what with the Federal police chasing after them, and I had one telephone me yesterday with some information.
He told me that the FORCE has now retired due to various reasons. Have you noticed that the FORCE has stopped?? He hasn't annoyed me for many months so I don't know. I do believe this guy so I thought that you might like to know.

Regards,
Michael

To: MARK (198:MARK)
To: ROBERT (198:ROBERT)
Bc: BERTA (135:BERTA)
From: M.ROSENBERG (MICHAELR)
Delivered: Wed 9-Aug-89 17:13 AEST Sys 6007 (1016)
Subject: Reply to: Reply to: Reply to: Intruder
Mail Id: IPM-6007-890809-154990609
In Reply To: IPM-198-890808-130321279

I might regret saying this, but what would you say if I said that I knew who this Australian hacker was, down to address and phone number, and at one stage had the federal police looking into him, bu

There was much activity about 3-4 months with this guy and various authorities and he got scared and stopped for a while, and I haven't seen hide nor hair of him on my system since. However, the guys in our packet switching, in whom I provoked much interest, have been aware of the above Australian NTN, and when I talked to them today they were aware that Goldnet has been suspect for the last 2 months. I do not know what the status of this guy is with the law here, but if you express interest (stupid question, but I'll have to ask it) in this guy from an official position, I will do what I can. We managed to forget about him because he avoids 6007, 6008 and 6009 like the plague because I have recorded his activities so often.

Anyway, let me know.

Regards,
Michael Rosenberg.
OTC Australia / Network Innovations

From: R.RUSSIN (ROBERT)
Delivered: Wed 9-Aug-89 4:48 Sys 198
To: M.ROSENBERG (MICHAELR)
Subject: Reply to: Reply to: Intruder
Mail Id: IPM-198-890808-130321279
In Reply To: IPM-198-890807-071231114

Hacker Report Summary for May/June/July 1989
------------------------------------------

U.S. Dialcom accounts hit.

50: SIE134  May 3, 7, 15, 23, 29 & 31 penetrated via network address 311080500018xx Telenet Santa Barbara California.
50: SIE169  May 1, 2, 3, 7, 8, 9, 10, 11, 12, 14, 15, 16, 17, 18, 19, 21, 22, 24, 25, 27, 29, 30 & 31 penetrated via network address 311080500018xx Telenet Santa Barbara California.

50: SIE110  May 1, 2, 5, 7, 10, 16 - June 1, 2, 3, 4 & 5 penetrated via network address 311080500018xx Telenet Santa Barbara California and 311080400009xx, 311080400019xx Telenet Richmond Virginia.

The entire account group SIE had their passwords changed on June 6th by my request to the System Administrator thru the Dialcom Support Rep. The passwords were changed to 6 characters using at least one special character and not using a common name. The account hasn't been penetrated since then.

42: IMC096  June 10, 11, 12 penetrated via network address 311080500018xx Telenet Santa Barbara California, 31102336010404 Telenet Host Computer unknown. Telenet wouldn't disclose what kind of system it was to Dialcom. The password was changed on June 12.

42: IMC2371  June 21, 22 & 23 penetrated via network address 311080500018xx and 31102336010404. The password was changed on June 23.

42: IMC2816  June 23, 24, 25, 26, 27, 28 penetrated via network address 311080500018xx and 31102336010404. The password was changed on June 28.

-------------------------------------------------------------------------------

From the NUSAGE report provided by Ami Hadas 5006:AMI I see that the hacker launched from 50:SIE110 on June 3, 4 and 5 and gained access to system 05 AIT001. On the U.S. side the hacker passed thru this account from the network address 311080500018xx.

Again from the report I see that the hacker launched from 42:IMC096 on June 11 and 12 and gained access to system 05 AIT001. On the U.S. side the hacker passed thru this account via the network address 311080500018xx on June 10 to unknown address around the world and to 05 AIT001 on June 11 and 12 via the network address 31102336010404. This explains the access to system 05 from both system 50 and 42.
However the main launching pad to system 05 has been via the Telenet network address 311080500018xx in Santa Barbara California and OTC address 505236189937 in Australia.

Here are the country DNIC numbers the hacker(s) are going to from the NUSAGE report Ami sent us from system 05 in Israel.

2624 Germany
5053 Australia
4872 Taiwan
2080 France
2284 Switzerland
2342 UK
2382 Denmark
4542 Hong Kong
5252 Singapore
2422 Norway
5052 Australia
2724 Ireland
5301 New Zealand
2322 Austria

-------------------------------------------------------------------------------

In general, from my experience with this group of hackers, they have a PC set up to process an algorithm which tries to break a known account using a database list of passwords from a dictionary and also slang words used in this day and age. Once on, they upload from the PC these same databases and other Prime CPLs they have created to the host system and use this system to launch their attack on other host systems via the netlink command.

In the beginning when I started working in this area (Sept 88) the hackers would have a habit of leaving trails behind them, for example CPLs, input files, databases etc. In some cases they would create subufds and keep a backup copy of their files there as well. They also used common file names such as DEF.CPL, PW.CPL, FILE DATA, DEF03.CPL, DE3F.CPL, DEF3.CPL, (BACKUP = subufd) and many other ?.CPL files. After scanning the systems and finding many back doors they had because of the files they left there, it was easy at first to locate them, remove the file and have the user change the password to a 6 character one using a special character in it as well. After a couple months they learned to use different names for their files since they were onto me locating them by their habit of file names. Even after that they got smart and only left files on penetrated accounts that they needed. Any account they needed as a back door they didn't place any files on it.
Since September 1988 I have been investigating all systems on a weekly basis for any kind of hacker activity. This was done by looking over unusual system console readings, NUSAGE runs and of course notifications by support staff and customers. The information gathered is then used for tracking hackers, such as adding new network address numbers to the nusage runs, examining files found on penetrated accounts and getting an understanding for how they think and what they are up to. Basically they use our systems to penetrate other computer systems and also to move information around the world from intelligence gathered on those other systems. This goes for the licensee community as well. I can stop them from accessing an account of a U.S. Dialcom system and they will then go to a licensee system or someone else for a while. They know who is the most vulnerable and who isn't.

If you have any questions on any of this please let me know.

Thanks,
Robert Russin
Dialcom Systems Security

From: M.HULBERT (MARK)
Delivered: Mon 7-Aug-89 7:54 EDT Sys 198
To: R.RUSSIN (ROBERT)
Subject: Reply to: Intruder
Mail Id: IPM-198-890807-071231114
In Reply To: IPM-198-890807-059120949

Lillian,

I have Robert investigating the details and we will be looking at the circumstances surrounding it. We have seen two individuals from Australia before - "The Force" and DJ Kronos who have been active from Australia. Unfortunately, we have not had great success in gaining cooperation from the Australian law enforcement folks to track the source there. We will be reviewing our data tomorrow morning and will get back to you after that review.

Mark

From: L.WACHBROIT (LILLIANW)
Delivered: Mon 7-Aug-89 6:34 EDT Sys 198
Forward: M.HULBERT (MARK)
Subject: Intruder

Mark,

More on the Hacker incident(s) Zohar reported today -- looks very very serious! Please let me, Zohar and Ami know how you wish to proceed (and whether we need the Aussies involved as well).
If you need to speak to either of them directly, Zohar's number is +972-3-7532418 and Ami's is +972-3-7532419.

Thanks,
Lillian

From: A.HADAS (AMI)
Delivered: Mon 7-Aug-89 6:03 EDT Sys 5006
To: L.WACHBROIT (LILLIANW)
Subject: Intruder

Hi,

Unfortunately we discovered only now an intruder who broke into our system during June and July. The hacker is a pro who knows too much about Prime Dialcom and DEC systems as well. Actually more than one person is involved in that crime and, as you can see from the nusage file below which contains the calling address and the outgoing called address, these guys are spread around US, Europe and Australia.

From June 3rd and on they were using the ID of AIT001 to sign on system 05. Some of the calls are coming from Dialcom system 150 and 142. I would like you to ask these system administrators to run nusage and find the guys who called system 5005 (at 425130000215 or 425130000215xx or 42513000013744) on the appropriate days (note the 7 hours difference between us). I am sending you the complete nusage out file which contains the complete list of addresses and dates; this may give you further clues. Aurec would like to get all of the details you can before we take further steps.

I would also ask you to scan for calls to 425130000537 which is an Aurec Information system located here; we suspect that the same guys accessed that system illegally during that period.

Please assign top priority to that investigation. It looks like we have professionals (who wrote CPL and BASIC procedures to scan addresses and try to break into systems all over the world) who have a commercial intelligence interest in our systems.

Another clue may be found in a *MAILSAVE* file which is signed by David and mentions IND001 and IND003.

Regards,
Ami.
------------------------------------------------------------------------------
Date  Time   VC Net Adr       Net Addr         Con Hrs  Chars I/O
06/03 11:22  26245890040004   31103010025350   0:05     567    309
06/03 11:27  3106004064       31103010025350   0:31     5728   198
06/03 14:02  26245890040004   31103010025350   0:18     2495   488
06/03 14:31  3106004064       31103010025350   0:03     25     96
06/04 16:30  26245890040004   31103010025350   0:01     429    74
06/04 16:39  26245300030056   31103010025350   0:02     0      54
06/04 16:51  26245890040004   31103010025350   0:01     54     54
06/04 16:53  26245890040004   31103010025350   0:01     425    51
06/04 16:54  26245890040004   31103010025350   0:01     138    53
06/04 17:00  26245890040004   31103010025350   0:52     9077   1204
06/05 12:05  26245890040004   31103010025350   0:03     476    56
06/05 13:16  5053200000       31103010025350   0:01     61     13
06/05 18:50  26245890040004   31103010025350   0:01     500    53
06/05 18:51  26245890040004   31103010025350   0:01     96     13
06/06  7:05  26245890040004   31108050001803   0:01     481    65
06/06  9:00  26245890040004   31108050001803   0:02     519    63
06/07  7:36  26245400050570   31108050001806   0:04     2196   372
06/07  7:40  26245890040004   31108050001806   0:32     827    82

To: MARK (198:MARK)
To: OPER (198:OPER)
From: M.ROSENBERG (MICHAELR)
Delivered: Fri 24-Nov-89 9:57 AEDT Sys 6007 (17)
Subject: possible hacker
Mail Id: IPM-6007-891124-089570784

Mark, and the operations guys because I know Mark will be away until Monday.

I have a hacker here who a couple of nights ago made several calls to system 41. Last night, I had hacking attempts from this address: 031103010025341 which I am presuming is an outgoing address for system 41. It may not be, in which case please ignore this message. The calls would have been to 5053200001 or 505211114995 and were at 0649 on the 23/nov your time. You might want to check to see if that account has been hacked, I'd say that it has been.
Thanks, Michael Rosenberg. OTC Australia.

To: M.AUSCHWITZ (MONICA)
Cc: M.HULBERT (MARK)
Cc: R.RUSSIN (ROBERT)
Cc: T.SCHUYLER (TOMS)
Bc: MICHAELR (6007:MICHAELR)
From: R.RUSSIN (ROBERT)
Delivered: Tue 28-Nov-89 4:38 Sys 198 (18)
Subject: HACKED Accounts on System 41
Mail Id: IPM-198-891127-113090211

Monica,

Here are the ufds we spoke about. Please have the passwords on them changed ASAP. I also have the NUSAGE access online if you want to look at it as well.

ATN037, EPI059, EPI062, EPI102, EPI171, EPI172, EPI192, PPX072, TCN149, TCN1608, TCN266, TCN3058 and UGA011.

The ufd TCN4019 was the first account penetrated and was where the launch took place to get access to the other accounts. The incoming addresses for TCN4019 were 505236189937 and 5053200001, which are both Australian DNICs. It looks like the FORCE is back. The access started on November 20th and went through the 26th. Nothing yet today so far.

Robert

To: MICHAELR (6007:MICHAELR)
From: M.HULBERT (MARK)
Delivered: Mon 27-Nov-89 5:39 Sys 198 (31)
Subject: Reply to: possible hacker
Mail Id: IPM-198-891126-122830523
In Reply To: IPM-6007-891124-089570784

I have the note and will follow up on it today. The address calling your system, 031103010025341, is in fact our system 41. Good catch. Thanks Mike.

Mark

From: M.ROSENBERG (MICHAELR)
Delivered: Thu 23-Nov-89 17:56 EST Sys 6007
To: M.HULBERT (MARK)
Subject: possible hacker
Mail Id: IPM-6007-891124-089570784

Mark, and the operations guys, because I know Mark will be away until Monday.

I have a hacker here who a couple of nights ago made several calls to system 41. Last night, I had hacking attempts from this address: 031103010025341, which I am presuming is an outgoing address for system 41. It may not be, in which case please ignore this message. The calls would have been to 5053200001 or 505211114995 and were at 0649 on 23 Nov your time. You might want to check to see if that account has been hacked; I'd say that it has been.
I know that the guy is Australian. If you find it to be hacked, could you please give me some details about his calling address etc., so that I may look around my systems further for possible hacks.

Thanks, Michael Rosenberg. OTC Australia.

To: MICHAELR (6007:MICHAELR)
Cc: M.HULBERT (MARK)
From: R.RUSSIN (ROBERT)
Delivered: Fri 27-Jan-89 1:40 Sys 198 (241)
Subject: Reply to: Reply to: Reply to: Tracking NUA's on systems.
Mail Id: IPM-198-890126-086660371
In Reply To: IPM-6007-890125-183020001

Yes, I do work for Mark Hulbert and have been with Dialcom for almost nine years now. Mark gave me your name as a contact for OTC Security and I wanted to include you in on everything in this area. I will keep you posted on the progress of the Committee membership and appreciate all your feedback.

Robert

From: M.ROSENBERG (MICHAELR)
Delivered: Wed 25-Jan-89 20:20 EST Sys 6007
To: R.RUSSIN (ROBERT)
Subject: Reply to: Reply to: Tracking NUA's on systems.
Mail Id: IPM-6007-890125-183020001

Robert,

I haven't heard of you before this message but imagine you work with Mark on at least security issues. I would encourage a licensee-wide security network wholeheartedly. It is my concerted opinion that THE FORCE was responsible for the $500,000 Citibank fraud 2 weeks ago. I am trying to cut through the red tape and talk to my contact in Telecom Aust detective services, who should be involved with this crime as he has been trying to catch the Force for international telephone fraud for quite some time. Force doesn't worry my system any more since he has found it easier to go directly to the US by Telenet dialup.

Look forward to hearing more from you about this,
Michael.

From: R.RUSSIN (ROBERT)
Delivered: Thu 26-Jan-89 3:42 Sys 198
To: M.ROSENBERG (MICHAELR)
Subject: Reply to: Tracking NUA's on systems.
Mail Id: IPM-198-890125-104830689
In Reply To: IPM-10080-890125-095210001

I will look into this and let you know what I find out.
I'm replying back to your message to both yourself and Michael Rosenberg with OTC in Australia, for his FYI as well.

I have some good news about NUSAGE that I found out about which will help you in your investigating. I will load in the phantom file I run and also the COMO output file it creates. I run this on all our commercial systems each week and review it. The network addresses being checked are the ones that have been used by hackers. The option that I have now started using will report two network addresses if the user is netlinking out from our/your host system. The first one is the address where the user is coming in from and the second is where the user is netlinking out to.

I need both of your help in developing and participating in a Dialcom Licensees' Security Board, to establish contacts with all our Licensees to pass hacker information and any other helpful tips around to each other. This will require that a distribution list be created to contain all representatives from each Licensee. I only have you (BT) and Michael (OTC) so far as contacts. We could then use this list to circulate information and keep well abreast of the international community's problems with hackers and helpful tips learned. It would also serve as a means to get better acquainted with our Licensees and provide support and guidance on problem solving in the area of system security. It may even help some in other areas as well.

What I have done over here was establish the account 98:SECURITY for reporting suspicious activity from the field. I received positive results from this and it has been a very helpful tool for me and also the field, as having a focal point for escalating problems. I sign onto this account every day and check for incoming mail. It was easier for people to remember the ufd SECURITY than my account 98:ROBERT when it came to reporting problems. I announced this to the field and it has become standard for Dialcom US. This same account could be established at each licensee's site on their designated system and reviewed by their system security officer as well. How do you both feel about this?

Anyway, here is some information to pass along to you for now.

Robert Russin

I discovered the account 50:SIE147 was penetrated and checked the addresses and found out the following:

INCOMING ADDRESSES
------------------
311080500018   Santa Barbara, California
311050100016   Little Rock, Arkansas
311020600018   Seattle, Washington
311020500018   Birmingham, Alabama

OUTGOING ADDRESSES
------------------
26245400050233   Germany
23422351919169   UK
900041           System 41, Dialcom US
311022300096     TYMNET Accounting System
425130000215     Israel
23422020010700   UK
30293800354      Canada
23422351919169   UK

The hacker is "The Force" again. The following is the input stream to run as a phantom and the output COMO file it creates.

COMO BERT
DATE
SYS
NUSAGE -U ? -D 01/04-01/16 -NET 311020500018&311080500018&311030100253&
311061500013&505222389941&4542000206&2222631060&31106170010301 &
-NOMIN -I NA DA TI CON NET VNET BAUD ISG VISC -VOUT
NUSAGE -U ? -D 01/04-01/16 -NET 311050100016&311020600018&26245400050&
2342235&311022300&425130000&30293800 &
-NOMIN -I NA DA TI CON NET VNET BAUD ISG VISC -VOUT
COMO -E

>DATE
Tuesday, January 17, 1989 12:28:29 AM EST
>SYS
OPER on system 50
>NUSAGE -U ?
-D 01/04-01/16 -NET 311020500018&311080500018&311030100253&
NUSAGE 4.0b
More>311061500013&505222389941&4542000206&2222631060&31106170010301 &
More>-NOMIN -I NA DA TI CON NET VNET BAUD ISG VISC -VOUT

User Name  Date  Time   Net Addr        VC Net Adr       Baud  GW  Col  Con Hrs
SIE147     06    10:25  31108050001802  26245400050233   1200  -   NC   0:22
SIE147     06    10:26  31108050001802  425130000215     1200  -   NC   0:00
SIE147     06    10:27  31108050001802  311022300002     1200  -   NC   0:01
SIE147     06    10:29  31108050001802  311022300002     1200  -   NC   0:01
SIE147     06    10:32  31108050001802  311022300010     1200  -   NC   0:00
SIE147     06    10:34  31108050001802  311022300019     1200  -   NC   0:00
SIE147     06    10:35  31108050001802  311022300096     1200  -   NC   0:01
SIE147     06    10:36  31108050001802  900041           1200  -   NC   0:02
SIE147     06    10:38  31108050001802  425130000215     1200  -   NC   0:03
SIE147     06    10:50  31108050001805  26245400050233   1200  -   NC   0:02
SIE147     06    11:15  31108050001805  26245400050233   1200  -   NC   0:20
SIE147     06    11:20  31108050001805  425130000215     1200  -   NC   0:02
SIE147     06    11:23  31108050001805  26245400050233   1200  -   NC   0:00
SIE147     06    11:23  31108050001805  23422351919169   1200  -   NC   0:00
SIE147     06    11:24  31108050001805  23422020010700   1200  -   NC   0:00
SIE147     06    11:26  31108050001805  23422020010700   1200  -   NC   0:01
SIE147     06    11:27  31108050001805  23422020010700   1200  -   NC   0:02
SIE147     06                                                           0:57
SIE147     13     6:36  31108050001801  26245400050233   1200  -   NC   0:05
SIE147                                                           1:03   1:03
>NUSAGE -U ?
-D 01/04-01/16 -NET 311050100016&311020600018&26245400050&
NUSAGE 4.0b
More>2342235&311022300&425130000&30293800 &
More>-NOMIN -I NA DA TI CON NET VNET BAUD ISG VISC -VOUT

User Name  Date  Time   Net Addr        VC Net Adr       Baud  GW  Col  Con Hrs
NGM0910    11    11:53  31105010001603  90010789         2400  -   COL  0:11
SIE147     04     0:42  31105010001601  311022300096     2400  -   NC   0:00
SIE147     04     0:43  31105010001601  311022300094     2400  -   NC   0:00
SIE147     04     0:43  31105010001601  311022300095     2400  -   NC   0:02
SIE147     04     0:44  31105010001601  311022300103     2400  -   NC   0:00
SIE147     04     0:45  31105010001601  311022300103     2400  -   NC   0:00
SIE147     04     0:46  31105010001601  31102230009202   2400  -   NC   0:00
SIE147     04     0:47  31105010001601  31102230009203   2400  -   NC   0:00
SIE147     04     0:47  31105010001601  31102230009210   2400  -   NC   0:00
SIE147     04     0:47  31105010001601  31102230009211   2400  -   NC   0:00
SIE147     04     0:48  31105010001601  31102230009212   2400  -   NC   0:00
SIE147     04     0:48  31105010001601  31102230009209   2400  -   NC   0:00
SIE147     04     0:49  31105010001601  31102230009208   2400  -   NC   0:01
SIE147     04     0:51  31105010001601  26245400050233   2400  -   NC   0:01
SIE147     04     0:52  31105010001601  31102230009201   2400  -   NC   0:00
SIE147     04     0:53  31105010001601  31102230009202   2400  -   NC   0:00
SIE147     04     0:54  31105010001601  311022300096     2400  -   NC   0:00
SIE147     04     0:54  31105010001601  311022300094     2400  -   NC   0:00
SIE147     04     0:54  31105010001601  31102230009201   2400  -   NC   0:00
SIE147     04     0:55  31105010001601  311022300179     2400  -   NC   0:01
SIE147     04     0:55  31105010001601  31102230017901   2400  -   NC   0:01
SIE147     04     0:55  31105010001601  31102230017901   2400  -   NC   0:00
SIE147     04     0:55  31105010001601  31102230017901   2400  -   NC   0:00
SIE147     04     0:56  31105010001601  31102230017701   2400  -   NC   0:02
SIE147     04     0:56  31105010001601  31102230017701   2400  -   NC   0:02
SIE147     04     0:58  31105010001601  311022300103     2400  -   NC   0:00
SIE147     04     0:59  31105010001601  31102230050001   2400  -   NC   0:01
SIE147     04     0:59  31105010001601  31102230050001   2400  -   NC   0:01
SIE147     04     1:00  31105010001601  31102230019302   2400  -   NC   0:00
SIE147     04     1:01  31105010001601  311022300188     2400  -   NC   0:01
SIE147     04     1:01  31105010001601  31102230018801   2400  -   NC   0:00
SIE147     04     1:01  31105010001601  31102230018801   2400  -   NC   0:00
SIE147     04     1:02  31105010001601  31102230009201   2400  -   NC   0:00
SIE147     04     1:03  31105010001601  311022300050     2400  -   NC   0:00
SIE147     04     1:04  31105010001601  31102230004901   2400  -   NC   0:00
SIE147     04     1:04  31105010001601  31102230004901   2400  -   NC   0:04
SIE147     04     1:09  31105010001601  311022300096     2400  -   NC   0:00
SIE147     04     1:09  31105010001601  31102230009201   2400  -   NC   0:00
SIE147     04     1:10  31105010001601  31102230009202   2400  -   NC   0:03
SIE147     04     1:12  31105010001601  31102230009201   2400  -   NC   0:00
SIE147     04     1:14  31105010001601  311022300047     2400  -   NC   0:09
SIE147     04     1:23  31105010001601  31102230004703   2400  -   NC   0:00
SIE147     04     1:24  31105010001601  31102230004703   2400  -   NC   0:02
SIE147     04     1:26  31105010001601  311022300096     2400  -   NC   0:01
SIE147     04     1:26  31105010001601  31102230009201   2400  -   NC   0:00
SIE147     04     1:27  31105010001601  31102230004706   2400  -   NC   0:02
SIE147     04     1:32  31105010001601  311022300096     2400  -   NC   0:01
SIE147     04     1:36  31105010001601  311022300096     2400  -   NC   0:00
SIE147     04                                                    0:42   0:53
>COMO -E

From: V.LUNDBERG (BTG072)
Delivered: Wed 25-Jan-89 10:34 EST Sys 10080
To: R.RUSSIN (ROBERT)
Subject: Tracking NUA's on systems.
Mail Id: IPM-10080-890125-095210001

Robert,

I have been talking with our networks team about a specific NUA and tracking of access over this NUA, and we have a need to track access AS IT HAPPENS as opposed to using NUSAGE to track access AFTER it has happened. Do you know of any way we can track the access over the NUA as it happens? Is there anything we can set up that will send a system alarm in some shape or form when any user accesses over this specific NUA? Your thoughts would be greatly appreciated on this one.

Cheers, Vicky.

To: BTG072 (10080:BTG072)
To: MICHAELR (6007:MICHAELR)
Cc: M.HULBERT (MARK)
Cc: R.RUSSIN (ROBERT)
From: R.RUSSIN (ROBERT)
Delivered: Thu 26-Jan-89 3:42 Sys 198 (203)
Subject: Reply to: Tracking NUA's on systems.
Mail Id: IPM-198-890125-104830689
In Reply To: IPM-10080-890125-095210001

[Text identical to the copy of this message quoted above.]

To: JOEA (198:JOEA)
Cc: DM (198:DM)
Cc: MARK (198:MARK)
Bc: MICHAELR
From: C.HAPANGAMA (OTC264)
Delivered: Fri 25-Mar-88 15:39 AEST Sys 6008 (44)
Subject: Hacker threat to Keylink-Dialcom.
Mail Id: IPM-6008-880325-140990869

Mr. Joe Antonellis
Division Vice President, Dialcom International.

ANALYSIS OF HACKER'S THREAT TO KEYLINK-D
----------------------------------------

On the 25th March 1988, 11:45 AEST, Mr J. Antonellis of Dialcom was advised that OTC had received a threat from a hacker. This message is to formally advise Dialcom of the nature of the threat, in which the hacker claimed:

1) The hacker claims to have access to about 100 Dialcom accounts on BT GOLD, PRIMECOM, TELEBOX, GOLDNET etc.

2) The hacker intends using these accounts to send thousands of mail messages to all of the customer accounts on our systems of which he is aware, and which OTC believes is quite extensive. The hacker threatens to do this for as many weeks as required until OTC succumbs and delivers the hacker six free mailboxes.

3) The hacker claims to have access to other PRIMEs and VAXs which he can program to do this feat without his intervention, which we believe.

The hacker accesses the OTC Dialcom system by using Austpac dial-up and, less frequently, from OTC Data Access dial-up. The hacker uses a common NUI which is used for access by all our dial-up customers.

This message was sent to OTC from 157:AGS325 at 22:13 3/24/88 AEST, which we believe has been hacked.

OTC and Telecom (Aust.) are reviewing this situation and expect to further advise Dialcom Inc. of our intentions by Monday 3/28/88.

Please note these contacts in OTC re this situation:

Legal      : Ros Robertson      Aust 2-287 5204   6008:OTC383
System     : Channa Hapangama   2-287 5857        6008:OTC264
Commercial : David Brawn        2-287 5960        6008:OTC033
             Gary Donald        2-287 5990        6008:OTC003
Facsimile  : 2-287 4435

Channa Hapangama
Technical Support Manager, Value Added Business. OTC

To: MICHAELR (6008:MICHAELR)
From: CA-EXT-DIR (AGS325)
Delivered: Thu 24-Mar-88 22:13 Sys 157 (76)
Subject: HACKING MINERVA
Mail Id: IPM-157-880324-199990001

Hello Michael, it is time we had a chat. First of all, let me introduce myself.
I am Force, a long time hacker of your Dialcom system, since about 1984. The reason for this message is to get you to set up some mailboxes on Keylink for me. Say RLM001 FORCER, or HCK001 FORCER if the first is taken. I figure, why go on hacking users' accounts, which I am sure cause them and you a lot of problems. This is a simple solution. If I had some mailboxes, there would be no need to have my team scanning your accounts all the time. In any case it would remove a lot of your security problems, since there is only me and the Electron. We are the only two serious hackers as far as Minerva goes. I guess he is your problem, since I don't like him much either. (Oh, don't forget his sidekick THE POWERSPIKE. He's rather useless if you would ask me.) OH YES, WITH THE RLM001 please set up 5 other accounts in the series for possible later use.

Hacking Minerva for over 4 years, one accumulates a lot of knowledge, and I know tricks you probably haven't thought of. You see, because of your recent updates in security, it is becoming a pain to scan for 4-5 hrs to get an account which might last only that long, and then have NETLINK barred for life, so I thought that was a nice alternative. Here is what you will get in exchange:

1 - I will not hack any more real user accounts.
2 - There will be no scanning of accounts.
3 - And most importantly, your system will live.

Let me expand on #3. You see, I pride myself in the fact that I have never caused any damage to the system, or to the users' data. Only the use of NETLINK, and the use of disused accounts to set up a few trojans like the one which Mr CURTIS of sys 08 helped me out with. I would like to keep it that way, but really you have carried the security a little bit too far. And some retaliation may be in order. There are a number of things one can do. I will tell you about one, so that if you decide to take precautions against one (if possible) I will still have the other options open.

I have access to close to 100 accounts on Dialcoms all over the world. BT GOLD, PRIMECON, TELEBOX, GOLDNET etc., you name it. I also have a number of VAXs which can be programmed to control these accounts 24 hrs a day, 7 days a week. Imagine this.... One day you log on to your system, and find you have some mail. Suddenly, to your surprise, you find that you have 1000 duplicate copies of the same useless message, from all parts of the globe. Suddenly, the phones at OTC start to ring like crazy from users, who each have about 5000+ copies of the same message. You delete it and contact the other Dialcoms to kill the accounts. You think the problem is gone, but next day new duplicates of the same message are back. Well, with about 100 Dialcoms to choose from, it could be kept up for weeks, making your system useless as far as mail goes. Think about it... The only alternative is to restrict the mail to only about 5 per user coming from outside, or bar international mail altogether. Frightening thought, isn't it. The good thing is that I can get a system such as a VAX or another Prime to control all this for me, rather randomly more or less. This is just one of the things that can be done. Think about it.

Please contact me on RLM001, or mail back to here, but the real user may intercept it first, in which case... hmmm, I guess I will mail you again, and possibly send a few duplicates to make sure the message gets through.

HAVE A NICE DAY.

Oh yes, next time you break in for a chat on Keylink, please hang around for a while. I am sure we could find some interesting things to talk about.
Here it is again: RLM001-RLM006, passwd FORCER.

To: MICHAELR
From: AFV001
Delivered: Mon 10-Oct-88 13:06 AEST Sys 6007 (64)
Subject: SYSTEM SECURITY
Mail Id: IPM-6007-881010-118010370

From: HQ.RBLAC3 (UDP081)
Delivered: Sat 8-Oct-88 19:30 Sys 141
To: AFV001
Subject: SYSTEM SECURITY
Mail Id: IPM-141-881008-175500001

Dear Sir,

I am writing this letter to all Minerva and Keylink users, to inform you about the practices which have been occurring quite recently, and which concern me very much. I have always been under the impression that Keylink had some integrity, and was a secure system to use, but have found otherwise.

Minerva and Keylink operators have the capability to monitor all use of the system, which gives them access to your private mail, online files and any information you gain through the use of the NETLINK facility. Two people I know make regular use of this facility to call a Unix system in Germany. Both of their accounts have been violated by the operator(s) of Keylink.

- THEY HAVE STOLEN PRIVATE INFORMATION WHICH MAY HAVE BEEN STORED THERE.
- THEY HAVE GAINED FREE USE OF THE FACILITIES, EVEN THOUGH NOT AUTHORISED TO LEGALLY ACCESS IT.
- THEY HAVE IMPERSONATED THE REAL OWNERS OF THE ACCOUNTS, TO OBTAIN FURTHER INFORMATION FROM OTHER PEOPLE, AND TO DISCREDIT THEM BY ABUSING OTHER USERS UNDER THEIR ACCOUNTS.

There is proof beyond any shadow of a doubt that this took place, and there are several witnesses who have seen this happen and even seen the person(s) involved admit to it. Under Victorian hacking laws, they would be liable for up to $100000 and a maximum of ten years' imprisonment. I am sure the German and other Australian States would have such laws, which I am not familiar with at this time.

The person in question is an OTC employee called MICHAEL ROSENBERG, who currently still works as a person involved in, or in charge of, the system security. It's all rather ironical.
Their excuse is that it is being done to protect the integrity of the system and its users, but I consider this to be inexcusable behaviour, not justified by any reasons. In principle, they are worse than the hackers they are trying to protect the system from. The only difference is that they can abuse their ability to monitor the system activity and capture any information and accounts the users type.

This is to let you know what sort of thing goes on quite frequently and is tolerated on the Keylink and Minerva network. I will not let the matter rest here, and the media will be informed about their actions. From what I have been told, this thing is not restricted to Keylink, since the same people have got access to the entire MIDAS, now called OTC DATA ACCESS, network. I have also spoken to AUSTPAC representatives, and they have informed me that all of their data traffic bound for overseas is sent out through the OTC network, which in my view leaves all data coming from Austpac open to abuse as well.

AS FOR MYSELF, I NO LONGER USE KEYLINK, BUT ITS EQUIVALENT IN THE UNITED STATES. I ASSUME THEY WILL TRY TO STOP THIS MESSAGE REACHING YOU, OR DENY ALL THE DETAILS, BUT PLEASE I URGE YOU TO CONSIDER THE IMPLICATIONS AND TAKE THE APPROPRIATE MEASURES TO PREVENT THIS SORT OF THING HAPPENING.

Yours Faithfully
Very Mad X-Keylink User

To: MARK (198:MARK)
To: ROBERT (198:ROBERT)
From: MIKE.ROSENBERG (MICHAELR)
Delivered: Thu 8-Feb-90 10:35 AEDT Sys 6007 (21)
Subject: Activity from Australia on System 41
Mail Id: IPM-6007-900208-095270350

Dear Robert/Mark, assuming that you are both still employed by Dialcom....

Our packet switch guys have informed me of much activity to system 41 over the last few days. I suggest you look for accesses from 505234289983 on 2/7, 0135 to 1811 UTC, for a start. Check for other accesses during Feb. of course, but you should find accesses on at least the 2nd and 6th as well. Could you also check an access from 505291989999 on 2/7 11:00 UTC please.
It was only 4 minutes long so it is probably OK. This suspect NUI is not going to be blacklisted by OTC because furtive investigations are under way into his activities.

Hear from you shortly,
Regards, Michael.

To: DM (198:DM)
Cc: MARK (198:MARK)
Cc: ROBERT (198:ROBERT)
Cc: S.BERLECKY (STEVEB)
From: M.ROSENBERG (MICHAELR)
Delivered: Mon 12-Mar-90 14:54 AEST Sys 6007 (97)
Subject: Reply to: Reply to: Hacker
Mail Id: IPM-6007-900312-134220906
In Reply To: IPM-198-900309-155230700

Dave,

I have asked around OTC for how to help you. Apparently OTC is still bound by legislation which prohibits it giving out trace information to anyone except the customer to whom the info belongs. This is being changed, but cannot be changed until after our federal election on March 24. In any case, as far as official channels go, it would be better to speak to the Australian Federal Police, who are investigating Phoenix and Electron at the moment. I believe that they know the identities of both these guys (even I know who Electron is). Try calling Superintendent Ken Hunt, Currency Branch, AFP Melbourne. Phone is +61 3 607 7777. Melbourne has a public holiday today, so I couldn't call him to open the way for you, but when you call him, you can mention that Brian Travis of OTC gave you his number, through me. The super can call Brian about it if he sees the need.

Let me know if you have trouble, and please let me know if you have success, as I'd like to keep track of as much as legally possible and/or practical.

Hope this helps,
Mike.

From: D.MCDONELL (DM)
Delivered: Sat 10-Mar-90 8:18 Sys 198
To: M.ROSENBERG (MICHAELR)
Subject: Reply to: Hacker
Mail Id: IPM-198-900309-155230700

Steve, please see Mark's comments below. Is there an official channel (network security types) on your domestic network side that can be used to take formal action against this hacker? Can you facilitate for us?
Thanks, --Dave

From: M.HULBERT (MARK)
Delivered: Fri 9-Mar-90 12:23 EST Sys 198
To: D.MCDONELL (DM)
Subject: Reply to: Hacker
Mail Id: IPM-198-900309-111480354
In Reply To: IPM-198-900309-084961263

I need alternative, official channels. We need to make some provisions for tracing etc which will require some "official blessings." Don't take me wrong, Mike has been an excellent asset but we need to see if we might identify this hacker and arrange for some apprehension if plausible.

Mark

From: D.MCDONELL (DM)
Delivered: Fri 9-Mar-90 9:26 EST Sys 198
Forward: M.HULBERT (MARK)
Subject: Hacker
Mail Id: IPM-198-900309-084961263

Mark, do you want to continue going through Michael Rosenberg of OTC Dialcom, or would you prefer alternative, official channels?

From: M.ROSENBERG (MICHAELR)
Delivered: Fri 9-Mar-90 2:03 EST Sys 6007
Forward: D.MCDONELL (DM)
Subject: Hacker
Mail Id: IPM-6007-900309-153371098

Dave,

I have been helping Robert and Mark with tracing NUAs and in all cases the NUI has been hacked and the customer name is useless. It would be much simpler if you could go through me because I should be able to get it all done through some channels. More effort would be req'd to set up official channels. Let me know if this is ok.

Mike

From: S.BERLECKY (STEVEB)
Delivered: Fri 9-Mar-90 14:13 AEST Sys 6007
Forward: M.ROSENBERG (MICHAELR)
Subject: Hacker
Mail Id: IPM-6007-900309-128050426

From: D.MCDONELL (DM)
Delivered: Fri 9-Mar-90 3:21 Sys 198
To: S.BERLECKY (STEVEB)
Subject: Hacker
Mail Id: IPM-198-900308-111400742

Steve, our security team needs assistance in tracking a hacker who is giving us a lot of problems over here. Can you advise a contact in your domestic networks side that could aid us in identifying this Australian user? Any tips you can provide are appreciated.
Thanks, --Dave

To: ROBERT (198:ROBERT)
From: M.ROSENBERG (MICHAELR)
Delivered: Tue 13-Mar-90 17:48 AEST Sys 6007 (140)
Subject: Reply to: Reply to: Reply to: Reply to: SYSTEM ACCESS VIOLATION
Mail Id: IPM-6007-900313-160270263
In Reply To: IPM-198-900312-085970211

Robert,

I can tell you what cities the NUI belongs in, that is all. Austpac NUIs/tie lines have a numbering convention based on where they are registered, not from where the call is made. Also, all the NUIs used are stolen; the address provides no clue as to who is really using it. Anyway, this is the scheme. Austpac is represented by the 5052. The next 1-3 digits are the telephone area code of the tie line or registered NUI user. So:

50522xxxxxxxxx is a Sydney number
50523xxxxxxxxx is a Melbourne number
50527xxxxxxxxx is a Brisbane number
50529xxxxxxxxx is Perth
505262xxxxxxxx is Canberra
etc.

5053 numbers are OTC Data Access and you will have to call me to find out about those because there is no such geographical relationship between the number and the user.

Hope this helps,
Mike

From: R.RUSSIN (ROBERT)
Delivered: Tue 13-Mar-90 0:33 Sys 198
Forward: M.ROSENBERG (MICHAELR)
Subject: Reply to: Reply to: Reply to: SYSTEM ACCESS VIOLATION
Mail Id: IPM-198-900312-085970211

Michael, can you assist in this question.

Thanks, Robert

From: M.HULBERT (MARK)
Delivered: Mon 12-Mar-90 8:09 EST Sys 198
To: R.RUSSIN (ROBERT)
Subject: Reply to: Reply to: Reply to: SYSTEM ACCESS VIOLATION
Mail Id: IPM-198-900312-073460945
In Reply To: IPM-198-900311-202750722

Bert,

Please contact Mike Rosenberg in Australia and see if he can determine the actual access city from the address through his channels in Australia. Looks like a busy weekend for you - thanks for the commitment.

Mark

From: R.RUSSIN (ROBERT)
Delivered: Sun 11-Mar-90 22:31 EST Sys 198
To: M.HULBERT (MARK)
Subject: Reply to: Reply to: SYSTEM ACCESS VIOLATION
Mail Id: IPM-198-900311-202750722
In Reply To: IPM-5006-900311-198930318

Zohar,

Yes I know.
However they just started coming into the U.S. from the 425130000215 address over this weekend. Before that the hacker was coming straight to the U.S. from the Australian CSC Infonet address 31370090059. Since January he has come in from the following network addresses you may want to screen your systems for. They are: 31370038209007, 505234289983, 505270589986 and the 31370090059 listed above. Most of February and March until this weekend he was coming in only from 31370090059. Once on he would netlink out and attack other accounts on the same system, other systems within the ringnet and out into the Telenet and other public data networks globally. This hacker goes by the name Raster Biter and I have captured many of his CPLs that you have seen him use to launch attacks at NUIs. If you are the point of contact over there in Israel for our Licensee there then, I will advise you of future activity as well.

Robert Russin
Deputy Security Officer
BT TYMNET (Dialcom)

From: Z.LEVITAN (ZOHAR)
Delivered: Sun 11-Mar-90 15:06 EST Sys 5006
To: R.RUSSIN (ROBERT)
Subject: Reply to: SYSTEM ACCESS VIOLATION
Mail Id: IPM-5006-900311-198930318
In Reply To: IPM-198-900311-100590271

Robert,

Please note that although they are accessing your systems from 425130000215 they have been accessing Israel from the Australian address in my original letter. BTW have you advised TYMNET networks of the accesses to other computers on their network.

Zohar

From: R.RUSSIN (ROBERT)
Delivered: Sun 11-Mar-90 18:32 Sys 198
To: Z.LEVITAN (ZOHAR)
Subject: SYSTEM ACCESS VIOLATION
Mail Id: IPM-198-900311-100590271

This hacker has been working all weekend around the Licensee Dialcom systems. He has been netlinking to the U.S. from 425130000215 as well. Just a heads up to everyone that we have heavy activity and to keep a close watch on your systems. Thanks Zohar for the heads up on your end.
Robert

From: R.MILLER (RONM)
Delivered: Sun 11-Mar-90 8:39 EST Sys 198
Forward: R.RUSSIN (ROBERT)
Subject: SYSTEM ACCESS VIOLATION
Mail Id: IPM-198-900311-077921232

FYI...

From: Z.LEVITAN (ZOHAR)
Delivered: Sun 11-Mar-90 8:38 EST Sys 5006
To: R.MILLER (RONM)
Subject: SYSTEM ACCESS VIOLATION

Hi,

This is to alert you to the fact that we are suffering a security breach. The party is accessing from X.121 address 5052 38189955. He has been running a programme on our system that has been scanning NUA on Telenet. He has been scanning the range 3106097285 to 3106159999. We have found him NETLINKing to 3106003503 and 3106003525. Please advise your and TYMNET security people. We will pass on further info if any comes to hand. I can be reached by phone in Tel Aviv on 7532406 (+972 3 7532406) until 10:00 EST today or from 12:00 on 490498 (+972 3 490498).

Zohar

To: L.WACHBROIT (LILLIANW)
Cc: M.HULBERT (MARK)
Bc: MICHAELR (6007:MICHAELR)
From: R.RUSSIN (ROBERT)
Delivered: Fri 16-Mar-90 0:55 Sys 198 (215)
Subject: Reply to: Reply to: Reply to: Reply to: Reply to: Reply to: Reply to: CATINF PROTECTION & ACCESS VIOLATION
Mail Id: IPM-198-900315-088460610
In Reply To: IPM-198-900315-041761057

Lillian,

Thanks for the info. I had the accounts on system 41 and 57 shut down within a day or two after they cracked the accounts. I have a COMINPUT stream that I edit each week and change the date range which checks for incoming and outgoing access on network addresses that have been frequented by hackers. Now normal users also use these same paths. I look for anything unusual and investigate further in detail if something catches my eye. I will give you this file but, remember it applies to the hacking we had in the U.S. It can be used as a guide for other licensees who want to plug in the addresses they happen to be dealing with. Anyway here it is.

Robert

COMO BERT
DATE
SYS
/* INTERNATIONAL ACCESS CHECK INCOMING...
NUSAGE -U ? -D 03/11-03/14 -NET 5052&5053&31370038209007&31370090059 &
3106007028&208&425130000215 &
-NOMIN -I NA TR CON NET BAUD
DATE
SYS
/* INTERNATIONAL ACCESS CHECK OUTGOING...
NUSAGE -U ? -D 03/11-03/14 -NET 5052&5053&31370038209007&31370090059 &
3106007028&208&425130000215 &
-NOMIN -I NA TR CON NET VNET BAUD ISG VISC -VOUT
DATE
SYS
/* DOMESTIC ACCESS CHECK INCOMING...
NUSAGE -U ? -D 03/11-03/14 -NET 311020500018&311030100254&311030100253 &
311080500018&3110617&3110422000&3110233&311031300062&311020100074 &
311080100054 &
-NOMIN -I NA TR CON NET BAUD
DATE
SYS
/* DOMESTIC ACCESS CHECK OUTGOING...
NUSAGE -U ? -D 03/11-03/14 -NET 311020500018&311030100254&311030100253 &
311080500018&3110617&3110422000&3110223&311031300062&311020100074 &
311080100054 &
-NOMIN -I NA TR CON NET VNET BAUD ISG VISC -VOUT
DATE
COMO -E

This when run as a como during non-prime time hours will create a file called BERT. I recommend that this phantom be run on all systems in the ring and when they complete to load all the como files into one file to be printed and reviewed. I hope this helps you out.

Robert

From: L.WACHBROIT (LILLIANW)
Delivered: Thu 15-Mar-90 4:38 EST Sys 198
Forward: R.RUSSIN (ROBERT)
Subject: Reply to: Reply to: Reply to: Reply to: Reply to: Reply to: CATINF PROTECTION & ACCESS VIOLATION
Mail Id: IPM-198-900315-041761057

More on our friendly hacker. Note some of the addresses he came in on...
From: Z.LEVITAN (ZOHAR)
Delivered: Thu 15-Mar-90 2:14 EST Sys 5006
To: L.WACHBROIT (LILLIANW)
Subject: Reply to: Reply to: Reply to: Reply to: Reply to: Reply to: CATINF PROTECTION & ACCESS VIOLATION

here you are:

User Name  Date  Time   Net Addr        Con Hrs  Chars I  Chars O
BIC011     07    14:18  31103010025357  0:01     63       440
BIC011     07    14:33  31103010025357  0:25     1127     7131
BIC011     08    6:15   31103010025357  6:08     18480    122105
BIC011     08    13:03  31103010025357  4:32     4613     134250
BIC011     09    0:13   31103010025357  0:00     0        0
BIC011     09    1:44   31103010025357  3:55     285      1076
BIC011     09    8:04   31103010025341  0:08     170      2408
BIC011     09    8:07   (local)         0:00     0        0
BIC011     09    8:11   505238189955    0:37     881      8842
BIC011     09    8:36   (local)         4:43     0        0
BIC011     09    8:42   (local)         0:00     0        0
BIC011     09    8:43   (local)         0:00     0        0
BIC011     09    8:44   (local)         0:00     0        0
BIC011     09    8:48   (local)         0:00     0        0
BIC011     10    6:35   31103010025341  0:05     224      1501
BIC011     10    7:18   505238189955    10:30    24677    317582
BIC011     10    7:24   (local)         0:00     0        0
BIC011     10    7:25   (local)         0:00     0        0
BIC011     10    7:26   (local)         0:00     0        0
BIC011     10    7:26   (local)         0:00     0        0
BIC011     10    7:27   (local)         0:00     0        0
BIC011     10    7:27   (local)         0:00     0        0
BIC011     10    7:27   (local)         0:00     0        0
BIC011     10    7:28   (local)         0:00     0        0
BIC011     10    7:28   (local)         0:00     0        0
BIC011     10    7:35   (local)         0:00     0        0
BIC011     10    8:11   (local)         0:00     0        0
BIC011     10    8:13   (local)         2:53     0        0
BIC011     10    9:24   (local)         3:10     0        0
BIC011     10    13:42  (local)         0:00     0        0
BIC011     10    13:43  (local)         6:17     0        0
BIC011     11    6:54   31103010025341  0:00     0        0
BIC011     11    8:59   505238189955    1:48     8643     38058
BIC011     11    9:04   (local)         3:46     0        0
BIC011     11    11:23  505238189955    1:27     6355     49422
BIC011     11    13:11  9000000904      0:07     384      4166
BIC011     11    13:24  505238189955    0:00     0        0
BIC011     11    15:12  505238189955    2:19     11576    60613
BIC011                                  53:04    93264    750175
BWC001     07    13:30  31103010025357  0:42     1057     143595
BWC001     11    23:48  505238189955    10:49    36273    834483
BWC001     12    2:08   (local)         37:19    0        0
BWC001                                  48:50    37330    978078
                                        101:54   130594   1728253

From: L.WACHBROIT (LILLIANW)
Delivered: Wed 14-Mar-90 14:04 Sys 198
To: Z.LEVITAN (ZOHAR)
Subject: Reply to: Reply to: Reply to: Reply to: Reply to: CATINF PROTECTION & ACCESS VIOLATION
Mail Id: IPM-198-900314-063460362
In Reply To: IPM-5006-900314-125770656

For the ids he broke into, include date, time and "NET" (we want to see what address he came *from*...)

From: Z.LEVITAN (ZOHAR)
Delivered: Wed 14-Mar-90 6:58 EST Sys 5006
To: L.WACHBROIT (LILLIANW)
Subject: Reply to: Reply to: Reply to: Reply to: CATINF PROTECTION & ACCESS VIOLATION
Mail Id: IPM-5006-900314-125770656
In Reply To: IPM-198-900314-037610725

Hi,

Please let me know the nusage options that you would like us to run for you.

Zohar

From: L.WACHBROIT (LILLIANW)
Delivered: Wed 14-Mar-90 11:11 Sys 198
To: Z.LEVITAN (ZOHAR)
Subject: Reply to: Reply to: Reply to: CATINF PROTECTION & ACCESS VIOLATION
Mail Id: IPM-198-900314-037610725
In Reply To: IPM-5006-900313-195330414

Ick! Can you send us the NUSAGE files on this guy?

From: Z.LEVITAN (ZOHAR)
Delivered: Tue 13-Mar-90 14:41 EST Sys 5006
To: L.WACHBROIT (LILLIANW)
Subject: Reply to: Reply to: CATINF PROTECTION & ACCESS VIOLATION
Mail Id: IPM-5006-900313-195330414
In Reply To: IPM-198-900313-099950306

HE: Potentially an Australian who has been spending hours on Dialcom Systems. He has written some CPLs, found a couple of 'undocumented' commands and security weaknesses.

1. The person found a command DOPH which was set in 1985 to minimum seclev 0 that allows anyone to spawn a phantom.
2. He found that on most systems any user can 'ATTACH' to CATINF and gaily go about creating subufds that he fills with CPLs, and the result files of hundreds of searches for computers on the PSS networks and the attempts to 'access' these systems using files of passwords.

The hacker has been fairly clever doing loop the loop. It appears from one listing we got running NUSAGE, that he arrived from system 135 and went to visit system 135 and 163. The latest accesses have been from Australia and he has been running riot with a CPL that does a loop from X to infinity with TYMNET NUAs.
If he gets a connected message he writes the result to a file etc etc. Hope this makes some sense - I have been up since 03:30 this morning and logged in to check if our guest got back past the doors we closed.

Zohar

From: L.WACHBROIT (LILLIANW)
Delivered: Tue 13-Mar-90 18:07 Sys 198
To: Z.LEVITAN (ZOHAR)
Subject: Reply to: CATINF PROTECTION & ACCESS VIOLATION
Mail Id: IPM-198-900313-099950306
In Reply To: IPM-5006-900313-150900268

Zohar,

I feel like I came into the middle of a movie -- who is "he"? And what did "he" do? How about explaining this from the beginning?

Confused of Camden

From: Z.LEVITAN (ZOHAR)
Delivered: Tue 13-Mar-90 9:45 EST Sys 5006
To: L.WACHBROIT (LILLIANW)
Subject: CATINF PROTECTION & ACCESS VIOLATION
Mail Id: IPM-5006-900313-150900268

Hi,

On our system he created a SUBUFD CATINF>POST>MAIL. We have attempted to reset protections for CATINF so that users with SECLEVs below 5 could not attach, but without success. Could you please let us know what needs to be done in order to protect this UFD from 'attach'. We have looked at his last CPL and found that he accessed your system 163 and was having a go at prefix EPX with passwords 'DIALCOM', 'QWERTY' and 'TEST'. We would appreciate your letting us know this information for our system if you find it in any of his files.

Many Thanks
Zohar

Fo: MICHAELR (6007:MICHAELR)
Cc: M.HULBERT (MARK)
From: R.RUSSIN (ROBERT)
Delivered: Fri 16-Mar-90 0:32 Sys 198 (35)
Subject: HACKERS POINT OF ORIGIN
Mail Id: IPM-198-900315-085970463

Mike,

Our hacker is attacking the Israel Licensee now. He comes in their system from 5005, 5052 and 38189955. This morning around 5:30 AM U.S. time the hacker was online using a hacked account netlinking out to 3106 008510 which is a Tymnet address. Mark Hulbert will advise Tymnet Network Security. I just wanted to pass this information on to you in case it can help you.
Thanks,
Robert

From: M.HULBERT (MARK)
Delivered: Thu 15-Mar-90 7:14 EST Sys 198
Forward: R.RUSSIN (ROBERT)
Subject: HACKERS POINT OF ORIGIN
Mail Id: IPM-198-900315-065180725

Would you provide this information to Michael Rosenberg and see if he might be able to add some further information to it?

Mark

From: Z.LEVITAN (ZOHAR)
Delivered: Thu 15-Mar-90 6:11 EST Sys 5006
To: M.HULBERT (MARK)
Subject: HACKERS POINT OF ORIGIN
Mail Id: IPM-5006-900315-118820069

Hi,

The blokes at our PSS service have determined that the hacker is working from a line registered to a company called Austac with phone number +61 2 233-3677 (i.e. somewhere in Sydney).

Zohar

Fo: BTG072 (10080:BTG072)
Fo: BTG109 (10080:BTG109)
Fo: MICHAELR (6007:MICHAELR)
Fo: E.LONG (ELLEN)
Fo: M.HULBERT (MARK)
Cc: R.MYERS (159:BERTA)
Cc: ZOHAR (5006:ZOHAR)
Cc: R.RUSSIN (ROBERT)
From: R.RUSSIN (ROBERT)
Delivered: Mon 12-Mar-90 2:16 Sys 198 (40)
Subject: SYSTEM ACCESS VIOLATION
Mail Id: IPM-198-900311-100590271

This hacker has been working all weekend around the Licensee Dialcom systems. He has been netlinking to the U.S. from 425130000215 as well. Just a heads up to everyone that we have heavy activity and to keep a close watch on your systems. Thanks Zohar for the heads up on your end.

Robert

From: R.MILLER (RONM)
Delivered: Sun 11-Mar-90 8:39 EST Sys 198
Forward: R.RUSSIN (ROBERT)
Subject: SYSTEM ACCESS VIOLATION
Mail Id: IPM-198-900311-077921232

FYI...

From: Z.LEVITAN (ZOHAR)
Delivered: Sun 11-Mar-90 8:38 EST Sys 5006
To: R.MILLER (RONM)
Subject: SYSTEM ACCESS VIOLATION
Mail Id: IPM-5006-900311-140840652

Hi,

This is to alert you to the fact that we are suffering a security breach. The party is accessing from X.121 address 5052 38189955. He has been running a programme on our system that has been scanning NUA on Telenet. He has been scanning the range 3106097285 to 3106159999. We have found him NETLINKing to 3106003503 and 3106003525. Please advise your and TYMNET security people.
We will pass on further info if any comes to hand. I can be reached by phone in Tel Aviv on 7532406 (+972 3 7532406) until 10:00 EST today or from 12:00 on 490498 (+972 3 490498).

Zohar

To: MICHAELR (6007:MICHAELR)
Cc: M.HULBERT (MARK)
Cc: R.RUSSIN (ROBERT)
From: M.HULBERT (MARK)
Delivered: Thu 22-Feb-90 23:46 Sys 198 (45)
Subject: Reply to: System 48
Mail Id: IPM-198-900222-069750143
In Reply To: IPM-6007-900222-152690115

Michael,

The Westinghouse Wespac network is a private network owned and operated by Westinghouse. The addresses for the network are 3110422. Systems 48 and 49 are Westinghouse systems but we have not noted any hacker activity of late but will recheck our most recent series of scans of our systems. I would appreciate any added information on what specifics the individual you're talking to has on the possible penetrations. Also, treat this information on Wespac with discretion.

Mark

From: M.ROSENBERG (MICHAELR)
Delivered: Thu 22-Feb-90 1:56 EST Sys 6007
To: M.HULBERT (MARK)
Subject: System 48
Mail Id: IPM-6007-900222-152690115

Robert, Mark,

My contact in OTC's packet switching exchange has asked me if I knew what 311042200048 was and if it was Dialcom or not. After I told him that it was system 48, he asked me if I could ask you some things.. He doesn't have any firm evidence, but I know that he is asking questions because he intercepted a conversation with Electron during which he mentioned things about penetrating Westinghouse security. I think that system 48 is Westinghouse (y/n?) and, if so, is it known amongst anyone there by the name Westpac? Do you know of any obvious security breaches in 48 and 49 that concern Australia or you think come from Australian hackers. I know that these are vague questions and the time scale that he is speaking of is a couple of months ago. Also, I understand that there are things that I may not be privy to know, that is fine.
Basically, is there anything that may interest Australia about security breaches on 48 and 49? I assure you of course that the person asking these questions spends most of his time tracking hackers that don't originate from my system and is asking me these questions because he is trying to fill in holes in his intercepted information.

Hope you can help,
Thanks, Michael.

Fo: MICHAELR (6007:MICHAELR)
Cc: M.HULBERT (MARK)
From: R.RUSSIN (ROBERT)
Delivered: Wed 21-Feb-90 1:43 Sys 198 (77)
Subject: Suspect activity from sys 75
Mail Id: IPM-198-900220-087370915

Michael,

Here is some additional info I received from BTGOLD that may help you in your inquiry.

Robert

From: D.DOVEY-PRICE (BTG300)
Delivered: Mon 19-Feb-90 7:09 EST Sys 10080
Forward: R.RUSSIN (ROBERT)
Subject: Suspect activity from sys 75
Mail Id: IPM-10080-900219-109471015

Robert,

I've done some investigating on this matter and have found one of our customers accessing address 5053200000, but only on 22/1 and 26/1 and not on 25/1. Enclosed are the times for you to compare. The company name is ARTSLINK. Hope this info is of some use to you.

Diana.

User Name  Date  Time   Net Addr
MUS074     22    3:36   5053200000
MUS074     22    18:02  5053200000
MUS074     22

User Name  Date  Time   Net Addr
MUS074     26    12:40  5053200000

From: J.KENNEDY (BTG109)
Delivered: Mon 19-Feb-90 10:33 GMT Sys 10080
Forward: D.DOVEY-PRICE (BTG300)
Subject: Suspect activity from sys 75
Mail Id: IPM-10080-900219-094970964

Diana

As Vicky isn't in, please could I ask you to have a look at this suspect activity. I have 2 requests from the US, one from Robert, the other from Mark Hulbert - so they are obviously concerned!

Thanks very much
Julie

From: R.RUSSIN (ROBERT)
Delivered: Fri 16-Feb-90 16:52 GMT Sys 198
Forward: J.KENNEDY (BTG109)
Subject: Suspect activity from sys 75
Mail Id: IPM-198-900216-106761270

Here is a question that could be better answered at your end.
Robert

From: M.ROSENBERG (MICHAELR)
Delivered: Fri 16-Feb-90 0:35 EST Sys 6007
To: R.RUSSIN (ROBERT)
Subject: Suspect activity from sys 75
Mail Id: IPM-6007-900216-149240236

Dear Berta,

could you forward this message to the appropriate person in BT. A user on system 07 was accessed from system 75, and while I think that the usage was not at all indicative of a hacker, she is adamant that no one on BTG should know her password. Could you ask BTG to check for calls to system 07 (5053200000, 5053200050 or 505211134999) from 023421920100475 on 22/1 1:17-11:40 UTC and 17:40 25/1 - 05:34 26/1 UTC and tell me (if possible) who the user was and if that account is suspect. I'll say again that it looks to me as if the person knew the pw and only used OTC Intelnet, but I must check it out. I'd like to know who the user was so that I may tell my user the name of the person/company to see if I can jog her memory on someone who can use her account.

Thanks, Michael

To: MICHAELR (6007:MICHAELR)
Cc: M.HULBERT (MARK)
Cc: R.RUSSIN (ROBERT)
From: R.RUSSIN (ROBERT)
Delivered: Thu 8-Feb-90 13:45 Sys 198 (58)
Subject: Reply to: Activity from Australia on System 41
Mail Id: IPM-198-900207-195640975
In Reply To: IPM-6007-900208-095270350

Michael,

Yes we know about the activity on 41. Thanks for advising us as well. The hacker goes by the handle Raster Biter. They have been onto a few different accounts on 41 since November. I discovered this afternoon after reviewing my weekly nusage security check that they penetrated the account 41:UGA006 coming in from CSC Infonet 31370090059 and AUSTPAC 505270589986. Once on they are then using our Prime system to netlink back out into the Telenet world. I have been in contact with Telenet Security and also the Royal Canadian Mounted Police since they were beating on some Canadian systems from 41. It appears the hacker(s) are establishing many points of entry on various PDNs around the globe.
They spend long hours on many of the systems they have netlinked out to from our systems. I feel that since all of their incoming addresses to U.S. Dialcom are from the above two addresses I would tend to think that the hackers are Australia based. The access is mostly late night too. There is one other CSC Infonet address they come in from but I am at home now and don't have it written down with me. When I get in to work tomorrow I will send it to you. Since November they have hit accounts on 41, 50, 52 and 57. We have curtailed their access so far from all but 41. I find them on one account and have the password changed, then the next week they show up on another account. However they are all accounts that were retrieved sometime from a directory listing since they all belong to the same client who has many prefixes on 41. The others on 50, 52 and 57 I believe were from accounts listed in another captured directory. The system manager for the account still hasn't told us if the passwords to the hacked accounts had any relation to entries in the mail directory. Well I have to go now and finish some more of my end of month report. Stay in touch and thanks for the heads up.

Robert

From: MIKE.ROSENBERG (MICHAELR)
Delivered: Wed 7-Feb-90 18:34 EST Sys 6007
To: R.RUSSIN (ROBERT)
Subject: Activity from Australia on System 41
Mail Id: IPM-6007-900208-095270350

Dear Robert/Mark,

assuming that you are both still employed by Dialcom.... Our packet switch guys have informed me of much activity to system 41 over the last few days. I suggest you look for accesses from 505234289983 on 2/7 0135 to 1811 UTC for a start. Check for other accesses during Feb. of course, but you should find accesses on at least the 2nd and 6th as well. Could you also check an access from 505291989999 on 2/7 11:00 UTC please. It was only 4 minutes long so it is probably OK. This suspect NUI is not going to be blacklisted by OTC because furtive investigations are under way into his activities.
Hear from you shortly,
Regards, Michael.

To: E.LONG (ELLEN)
To: M.AUSCHWITZ (MONICA)
Cc: M.HULBERT (MARK)
Cc: R.RUSSIN (ROBERT)
Bc: MICHAELR (6007:MICHAELR)
From: R.RUSSIN (ROBERT)
Delivered: Thu 1-Feb-90 6:05 Sys 198 (22)
Subject: System 41 Hacker Penetration
Mail Id: IPM-198-900131-126420709

Monica,

The account UGA024 on system 41 was penetrated again. The last penetration was on January 11th which I discovered and made notification. The account has since been penetrated on January 29th 7 hrs & 7 min, 30th 7 hrs & 33 min and the 31st 4 hrs and 2 min. After the last reported hit back on the 11th the password was never changed and the hacker came back onto the account again. I changed the password myself this morning after I discovered the problem. The incoming network addresses are 31370090059, 31370038209007 which are CSC Infonet and 505234289983 which is Australia Telecom AUSTPAC. You will need to notify TCN that their account was hit and since they never changed the password the last time I don't know how you want to handle the credit part. The password is NELLE

Robert

To: ROBERT (198:ROBERT)
Cc: MICHAELR (6007:MICHAELR)
Cc: S.PATEL (BTG197)
From: V.LUNDBERG (BTG072)
Delivered: Wed 21-Feb-90 4:03 Sys 10080 (9)
Subject: Security checks.
Mail Id: IPM-10080-900220-153471089

Robert,

I am going on holiday for just over 2 weeks, therefore if you have any urgent need for our help please could you contact in the first instance Sandy, BTG197. (Of course you also have Julie's id if you need her too.)

Many thanks, Vicky.

To: ROBERT (198:ROBERT)
Cc: MARK (198:MARK)
Bc: NET006
From: M.ROSENBERG (MICHAELR)
Delivered: Thu 29-Mar-90 18:28 AEST Sys 6007 (93)
Subject: Reply to: Suspect activity from sys 75
Mail Id: IPM-6007-900329-166320230
In Reply To: IPM-198-900220-087370915

Dear Robert,

I have been checking this message and just realised that this is a nusage of accesses of system 75 FROM system 07.
I needed to know who on system 75 called either 5053200000 or 5053200050 or 505211134999 on the times and dates specified below. I know that no one should have been able to do this without netlink but someone did, so could you ask Dialcom UK to do a nusage of all OUTGOING calls to these addresses and tell me who the customer was.

Thanks
Michael

From: R.RUSSIN (ROBERT)
Delivered: Wed 21-Feb-90 1:43 Sys 198
Forward: M.ROSENBERG (MICHAELR)
Subject: Suspect activity from sys 75
Mail Id: IPM-198-900220-087370915

Michael,

Here is some additional info I received from BTGOLD that may help you in your inquiry.

Robert

From: D.DOVEY-PRICE (BTG300)
Delivered: Mon 19-Feb-90 7:09 EST Sys 10080
Forward: R.RUSSIN (ROBERT)
Subject: Suspect activity from sys 75
Mail Id: IPM-10080-900219-109471015

Robert,

I've done some investigating on this matter and have found one of our customers accessing address 5053200000, but only on 22/1 and 26/1 and not on 25/1. Enclosed are the times for you to compare. The company name is ARTSLINK. Hope this info is of some use to you.

Diana.

User Name  Date  Time   Net Addr
MUS074     22    3:36   5053200000
MUS074     22    18:02  5053200000
MUS074     22

User Name  Date  Time   Net Addr
MUS074     26    12:40  5053200000

From: J.KENNEDY (BTG109)
Delivered: Mon 19-Feb-90 10:33 GMT Sys 10080
Forward: D.DOVEY-PRICE (BTG300)
Subject: Suspect activity from sys 75
Mail Id: IPM-10080-900219-094970964

Diana

As Vicky isn't in, please could I ask you to have a look at this suspect activity. I have 2 requests from the US, one from Robert, the other from Mark Hulbert - so they are obviously concerned!

Thanks very much
Julie

From: R.RUSSIN (ROBERT)
Delivered: Fri 16-Feb-90 16:52 GMT Sys 198
Forward: J.KENNEDY (BTG109)
Subject: Suspect activity from sys 75
Mail Id: IPM-198-900216-106761270

Here is a question that could be better answered at your end.
Robert

From: M.ROSENBERG (MICHAELR)
Delivered: Fri 16-Feb-90 0:35 EST Sys 6007
To: R.RUSSIN (ROBERT)
Subject: Suspect activity from sys 75
Mail Id: IPM-6007-900216-149240236

Dear Berta,

could you forward this message to the appropriate person in BT. A user on system 07 was accessed from system 75, and while I think that the usage was not at all indicative of a hacker, she is adamant that no one on BTG should know her password. Could you ask BTG to check for calls to system 07 (5053200000, 5053200050 or 505211134999) from 023421920100475 on 22/1 1:17-11:40 UTC and 17:40 25/1 - 05:34 26/1 UTC and tell me (if possible) who the user was and if that account is suspect. I'll say again that it looks to me as if the person knew the pw and only used OTC Intelnet, but I must check it out. I'd like to know who the user was so that I may tell my user the name of the person/company to see if I can jog her memory on someone who can use her account.

Thanks, Michael
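The weekly NUSAGE watchlist check and the Austpac numbering scheme described earlier in this thread, as an added example that is not code from the thread or from Dialcom: it parses a NUSAGE-style access listing, keeps the sessions whose network address starts with one of the watched prefixes from Robert's COMO stream, and labels 5052 addresses with the registered city from Mike's scheme. The row layout follows the NUSAGE output quoted above; the parsing rules and the sample listing are assumptions constructed here.

```python
"""Watchlist check over a NUSAGE-style access listing.

Added example; not code from the Dialcom thread or from Prime/Dialcom.
It does offline what Robert's weekly COMO/NUSAGE run does with -NET:
keep the sessions whose network address starts with a watched prefix,
and label Austpac (5052) addresses with the city they are registered in,
using the numbering scheme Mike gives.  The row layout follows the NUSAGE
output quoted in the thread; the parsing rules themselves are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Address prefixes from the international check in Robert's COMO stream.
WATCHED_PREFIXES = ("5052", "5053", "31370038209007", "31370090059",
                    "3106007028", "425130000215")

# Austpac scheme: 5052 followed by the telephone area code of the
# registered NUI or tie line (where it is registered, not where it calls from).
AUSTPAC_AREA_CODES = {"2": "Sydney", "3": "Melbourne", "7": "Brisbane",
                      "9": "Perth", "62": "Canberra"}


@dataclass
class Session:
    user: str
    day: int
    time: str
    net_addr: str   # X.121 address, or "(local)" for a login not via the network
    con_hrs: str
    chars_in: int
    chars_out: int


# One session row: user id, day of month, hh:mm, address or (local),
# connect hours h:mm, characters in, characters out.
ROW_RE = re.compile(
    r"^(?P<user>[A-Z]{3}\d{3})\s+(?P<day>\d{1,2})\s+(?P<time>\d{1,2}:\d{2})\s+"
    r"(?P<net>\(local\)|\d+)\s+(?P<con>\d+:\d{2})\s+(?P<cin>\d+)\s+(?P<cout>\d+)$")


def parse_listing(lines: Iterable[str]) -> List[Session]:
    """Parse session rows; the header and the per-user/grand total lines are skipped."""
    sessions = []
    for line in lines:
        m = ROW_RE.match(line.strip())
        if m is None:
            continue  # header, "BIC011 53:04 ..." totals, blank lines
        sessions.append(Session(m["user"], int(m["day"]), m["time"], m["net"],
                                m["con"], int(m["cin"]), int(m["cout"])))
    return sessions


def matched_prefix(net_addr: str, prefixes=WATCHED_PREFIXES) -> Optional[str]:
    """The watched prefix the address starts with (longest first), else None."""
    if net_addr == "(local)":
        return None
    for p in sorted(prefixes, key=len, reverse=True):
        if net_addr.startswith(p):
            return p
    return None


def austpac_city(net_addr: str) -> Optional[str]:
    """Registered city for a 5052 address; None for 5053 (OTC Data Access) and others."""
    if not net_addr.startswith("5052"):
        return None
    rest = net_addr[4:]
    for code in sorted(AUSTPAC_AREA_CODES, key=len, reverse=True):
        if rest.startswith(code):
            return AUSTPAC_AREA_CODES[code]
    return None


def flag_sessions(lines: Iterable[str]) -> List[Tuple]:
    """Sessions from watched addresses as (user, day, time, addr, prefix, city)."""
    flagged = []
    for s in parse_listing(lines):
        p = matched_prefix(s.net_addr)
        if p is not None:
            flagged.append((s.user, s.day, s.time, s.net_addr, p, austpac_city(s.net_addr)))
    return flagged


# Constructed sample listing in the NUSAGE layout quoted in the thread;
# the UGA rows use addresses named in the thread with made-up counts.
SAMPLE_LISTING = """\
User Name Date Time Net Addr Con Hrs Chars I/O
BIC011 09 8:04 31103010025341 0:08 170 2408
BIC011 09 8:07 (local) 0:00 0 0
BIC011 09 8:11 505238189955 0:37 881 8842
BIC011 11 13:11 9000000904 0:07 384 4166
BWC001 11 23:48 505238189955 10:49 36273 834483
BIC011 53:04 93264 750175
UGA006 29 2:10 31370090059 7:07 4400 61000
UGA024 31 1:55 505234289983 4:02 2100 30500
101:54 130594 1728253
""".splitlines()

if __name__ == "__main__":
    for user, day, time, addr, prefix, city in flag_sessions(SAMPLE_LISTING):
        print(f"{user} day {day:2d} {time:>5} from {addr:<14} matches {prefix:<14} {city or '-'}")
```

Local logins and the total lines fall through the row pattern, so only sessions with a network address are ever compared against the watchlist.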