[shafferj%BKNLVMS.BITNET: major VMS security problems]
Michael J. Chinni, SMCAR-CCS-E
mchinni at ardec.arpa
Fri Apr 8 03:19:12 AEST 1988
F Y I - UNIX vs. VMS
----- Forwarded message # 1:
Received: from [192.12.8.6] by ARDEC-CC1.ARDEC.ARPA id aa25628;
7 Apr 88 7:45 EST
Received: from [128.6.4.15] by ARDEC-IMD.ARDEC.ARPA id aa21382;
7 Apr 88 7:44 EST
Date: Thu, 24 Mar 1988 13:45:57.49 EST
From: shafferj%BKNLVMS.BITNET at CUNYVM.CUNY.EDU
Subject: major VMS security problems
Sender: security at AIM.RUTGERS.EDU
To: security at AIM.RUTGERS.EDU
Resent-date: Thu, 7 Apr 88 06:00 EST
Resent-to: security-list at AIM.RUTGERS.EDU
Message-ID: <8804070744.aa21382 at ARDEC-IMD.ARDEC.ARPA>
The following three messages should be of interest to this discussion.
I'm posting them with the assumption that no one else has posted the
information contained within them while the Bitnet distribution of Security
was down.
The last message of the group is particularly scary, because I'm on VMS v4.4
here and I've never heard of the bug. It would appear that our system managers
here haven't heard of it either, because there have apparently been some break-
ins lately. {See disclaimer at end!}
****************
Forwarded messages begin:
****************
From: "XMRP20000[khw]-g.c.mccoury" <pacbell!att-ih!att-cb!clyde!whuts!
mtunx!mtune!mtgzz!gcm at AMES.ARC.NASA.GOV>
Subject: Hacker hits VMS
>From The Star-Ledger(Newark NJ) 3/17/88
TEEN HACKER 'INVADES' NEW SECURE COMPUTER
PARIS(Reuters)- A 19-year-old West German hacker has succeeded
in breaking into one of the world's top-selling computers,
Digital Equipment Corp.'s VAX system, in what experts say is a
new blow to confidence in computer security.
Computer specialists broke the news yesterday at a computer
conference already shocked by the arrest on Sunday of West
German hacker Steffen Wernery, 26, as he arrived to take part
in a panel debate on system security.
Wernery is a member of the Hamburg-based Chaos Computer
Club which caused a storm last year when it revealed it had
penetrated more than 100 computers around the world, including
the network of the U.S. space agency NASA.
French police announced later that Wernery had been charged
with "theft, destruction and damaging computer goods" and had
been jailed pending trial.
West German journalist and computer expert Hans Gliss, who
was also held briefly by French police when he arrived in Paris
on Sunday, said the unidentified 19-year-old from Munich had
worked out how to enter VAX computers made by Digital.
Gliss said the Munich hacker had breached the VAX system by
using material openly available from Digital, which is based in
Maynard, Mass.
Digital executives were in a meeting and not available for
comment, a spokeswoman said.
Rudiger Dierstein, of West Germany's national space foundation
DFVLR, said the consequences of the Munich hacker's achievement
were "terrifying."
"This person has given a full description of how to gain access
to the system and gain full control. Imagine combining the
intelligence of this hacker with a definite criminal intention,"
he said.
"Someone could take control of a satellite as they are all
computer-controlled. That is why I tremble when I hear the initials
SDI."
SDI stands for President Reagan's proposed Strategic Defense
Initiative, a space-based computer-guided defense system against
nuclear missile attack.
Dierstein said the 19-year-old had privately published his work
in a pamphlet entitled "Hints on the Use of the VMS Operating System"
but police had confiscated all the documents.
The VMS(Virtual Memory System) is the main language used in
Digital's VAX computers.
Experts said other major computer manufacturers like IBM could
not afford to be complacent as it was being shown their systems
were equally vulnerable.
Companies targeted by Chaos Computer Club "hackers" were unaware
their systems had been tampered with until the club informed West
German authorities.
Experts at the Paris conference said Wernery had fixed a meeting
with the French subsidiary of the Phillips electronic group - one
of the companies penetrated by the hackers - before leaving for France.
* Grover McCoury *
* ATT IS/Communications Laboratories *
* Middletown NJ *
****************
From: Steve Ward <cfa!ward at husc6.harvard.edu>
Subject: Re: Hacker hits VMS
Does anyone know if this is a REAL security hole in VMS or just the
usual
1) failure to change default password(s) on sys, maint, user, userp
accounts as shipped from DEC.
or
2) autologins left activated by local sys manager.
or
3) other equivalent act of stupidity.
Often these sensational stories are due to vulnerability caused by
stupidity. I have never had much trouble in "hacking" a login to a
multiuser system when testing for security, usually by just trying
the time-honored guess-the-password approach. Of course, hacking to
TEST for security on your own computers is quite different from the
vandalism and criminalism of attacking someone else's machines, whether
one is hacking through cleverness or taking advantage of the lax
management of computer systems on all os's that is out there. I know of
large numbers of machines that are accessible to the world where the
local users object strongly to being forced to periodically change
passwords or insist on using any password, including very short
passwords, last names, etc. The ability to "hack" a login is inversely
proportional to the number of login accounts on the system :-)
Of course, all os's exhibit true security hole bugs from time to time.
Is this one?
****************
From: Tony Li <sargas.usc.edu!tli at oberon.usc.edu>
Subject: Re: Hacker hits VMS
Yes, this is the result of a real hole. Do you recall the V4.4
SECURESHR bug?
Tony Li - USC University Computing Services "Fene mele kiki bobo"
Uucp: oberon!tli -- Joe Isuzu
****************
End of forwarded messages
****************
If anything further on this subject should be posted to the VAX discussion,
I'll forward it to the Security discussion.
Jim Shaffer, Jr.
ShafferJ%Bknlvms.Bitnet at cunyvm.cuny.edu
----- End of forwarded messages
More information about the Comp.unix.wizards
mailing list