From: MERC::"uunet!CRVAX.SRI.COM!RELAY-INFO-VAX" 24-MAY-1992 14:30:22.21
To: info-vax@kl.sri.com
CC:
Subj: Diary of a security incident #2A

Diary of a Security Incident - 2A
An Attack on a VMS-based University Administrative System
by Ray Kaplan - I know what I don't know, these are my views only

Sorry if you have seen this before - cross posted to: comp.os.vms, alt.security, DECUS BBS (DECUSERVE) and others

Disclaimer: I can't talk about most of these that I know about and am involved with - so, it is with great pleasure that I do talk about the ones that I can. (This is the third one this week, sigh.)

Answer to various critics: Thanks so much for your snide insinuations that I actually NEED additional case studies for my consulting/seminars/writing instead of being genuinely interested in helping the community through my interest in finding/talking about security incidents. Screw you. I hope that the fact that I post widely to the net at large convinces you that I am altruistic in motive when I ask you to tell me the details of security incidents - especially those that concern me directly - I *don't* need any more case studies for class work!

Caveat: Names/numbers/locations and other particulars have been changed to protect people (both innocent and guilty) as well as make sure that I can continue to safely "push the envelope" in the discussion of the details of security incidents.

Dedication: I hope that we can start "talking some turkey" here soon. As a personal statement, doing without details in this detailed discipline is driving me bats.

Question: Seems that this sort of thing (more details of security problems) is needed/desired/important. Given that you believe this, should I continue this series of postings? Can you contribute to the effort? If so, send mail - call me. As perhaps you know, it is "career limiting" and very expensive to anger the powers that be here in securityland.
Note: Do not confuse this with other postings, posting streams or reports. I have begun to number them to keep track for myself. This is a new one.

Background: Wednesday (May 20, 1992) I got a call from a friend (alias - "Big P"). Seems that they had a problem. Someone had physically broken into a facility and found a privileged terminal logged in? Details still unclear - argh - "we'll get back to you", Big P grumbled.

Introduction: A long time friend, former student of mine (in various of my security-related lectures/classes) and member of the "Internet community" - Big P - called to say "thanks" on Friday (May 22, 1992). He said "I'm glad you beat us up in class about some of these things". Guess that this licenses me to be a big mouth and report this incident (as it will be months before they are back up to speed and ready to talk about it). Seems that "a bust was made" and they were happy to be able to finally get some rest. Between the two of them (system manager - Big P - and system programmer - Mad Max) they put in a huge number of hours in the two-plus days of the incident. They'll be writing up the story as they have the time, but they are worn out and in need of some sleep/time to think/space - so, I've taken it upon myself to blast out a note as a marker. Honest, Jeeves, there be dragons out here.

The short of it: A student was arrested for running a "change your grade for cash" scam. This semester alone, he had done some 50 such academic standing modifications for on the order of $40 each and - sad to say - last semester had done some as well (exact number still being determined). Details to follow.

The long of it: The student found one of the accounts that the University issues to part time student helpers during registration.
He managed to keep this normally short-lived account alive (details still unclear). Apparently using "standard techniques" (still unclear), the student was able to get the passwords to the Student Information System and have a grand old time. The cops (accompanied by the site's system programmer - Mad Max) actually found an uncashed $40 check for these services in the student's desk. Details to follow. (You mean that they actually go out and bust people for this? Say, yeah.)

The scary part: The student had access to the University's payroll system (apparently without knowing it) and there turned out to be a "back door" into the Student Information System that is both unannounced to the vendor of that software and unknown to those who run the system. Sigh.

Lessons (more to come, of course):

1) Make friends with your local constabulary (the cops). When (not if) you call your local telco carrier asking for help to trace a call - you stand a better chance of getting their attention if there is a big, burly state trooper standing behind you with a menacing scowl on his/her face. Honest, this relatively small site WAS able to get the telco's attention - albeit a difficult and time consuming effort! How come? Persistence AND the cooperation/support of the local cops (campus, local, state). I speculate that the system manager has been known to spend a lot of time out at coffee with the cops getting to know them, what they need and how they think (apparently on my advice). 'Course, it must be said that Mad Max was seen to be foaming at the mouth when some of the intermediate steps in getting the telco's attention were failing. Telcos turn out to be quite respectful of such bit fiddlers with ire in their eyes. It is hard to resist an articulate plea for help? Try an angry, loud and articulate one! Best practice the drill.

2) Thinking of turning on security alarms? Consider that IF you get the telco to trace a call - it will necessarily be AFTER THE FACT.
This means that they will be searching a BIG pile of data for you - a big and resource consumptive job. Consider turning on LOGIN *and* LOGOUT alarms. The "bracket" surrounding a particular call *will* make it easier for the telco to find the needle in the haystack. BTW - exactly *what* time is it anyway? Clocks synched to some mutually agreed upon standard (i.e.: "net-standard" or "WWV" time?) might help.

3) Got a problem (i.e.: the registrar was calling the systems staff asking: "Say, could you tell me why you changed these grades?")? Act NOW! Best get your butt in gear as soon as possible. The "attack" WILL be hard to track down.

4) Best have some tools in the wait or have some significant talent idling in the background that can build them on the fly in a hurry. The site's system programmer (Mad Max) properly decided to hack up the DECUS WATCH program to make it journal keystrokes to a file - much to the delight of the DA on the case. The DA was heard to say "Journaled keystrokes! Great. This beats the hell out of your three eye-witnesses to the perp's deeds!" (Insert arguments for/against home built vs vendor supplied tools here.)

5) I'd guess that Max's skill was due to management's willingness to overlook the fact that he doesn't keep "regular hours" or doesn't "behave normally" sometimes. I speculate that Max has been known to wander the halls at odd hours mumbling to himself about page faults above IPL 2 and such, come in late and wear less than "standard" clothes from time to time. Additionally, I say that the boss NEEDS to understand that during an "incident", the only resource that he is likely to have is his people. You know - well trained, and having the experience to know how to gather resources and apply them to the problem at hand (and all of those other intangibles that they never ask about in job interviews.)
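Lesson 2 above (bracket each call with a LOGIN and a LOGOUT alarm, and know what time your clock really says) is the kind of thing worth having scripted before the siege, not during it. The following is an added example, not code from Ray Kaplan's posting nor any DEC or DECUS tool: it takes a handful of constructed alarm lines in a made-up, simplified layout (date, time, event, account, terminal; not real VMS OPCOM or audit-journal output), pairs LOGIN/LOGOUT per account and terminal, corrects the timestamps from the site clock to UTC using an assumed measured clock offset and an assumed site time zone, and emits padded windows of the sort a carrier would need to search its own records. Open-ended sessions (a LOGIN with no matching LOGOUT, or the reverse) are kept as half-open brackets rather than dropped, because those are exactly the ones you lose when you only alarm on one side.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed sample alarm lines in a simplified, made-up layout:
#   date time EVENT account terminal
# These are NOT real VMS OPCOM/audit records; only the pairing logic matters.
SAMPLE_ALARMS = """\
1992-05-20 22:41:07 LOGIN  REGHELP3 TTA4
1992-05-20 22:43:52 LOGIN  SMITH    TXA1
1992-05-20 23:19:30 LOGOUT SMITH    TXA1
1992-05-21 00:02:15 LOGOUT REGHELP3 TTA4
1992-05-21 00:10:00 LOGIN  REGHELP3 TTA4
"""

# Assumption: the site clock was measured 4m30s fast against the reference
# (WWV / "net-standard") clock. Constructed value; measure it for real.
CLOCK_OFFSET = timedelta(minutes=4, seconds=30)
# Assumption: the site runs on MST year round (UTC-7).
LOCAL_TZ = timezone(timedelta(hours=-7))


@dataclass
class Session:
    user: str
    terminal: str
    login: Optional[datetime]    # corrected UTC; None if no LOGIN alarm was seen
    logout: Optional[datetime]   # corrected UTC; None if the session was still open


def parse_alarm(line):
    """Parse one constructed alarm line into (utc_time, event, user, terminal)."""
    date, time, event, user, terminal = line.split()
    local = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S").replace(tzinfo=LOCAL_TZ)
    # A fast clock reads later than true time, so subtract the offset.
    return (local - CLOCK_OFFSET).astimezone(timezone.utc), event, user, terminal


def bracket_sessions(text):
    """Pair LOGIN/LOGOUT alarms per (user, terminal) into Session brackets."""
    open_sessions = {}
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, user, terminal = parse_alarm(line)
        key = (user, terminal)
        if event == "LOGIN":
            # A second LOGIN with no LOGOUT in between means the earlier end
            # was lost; keep it as an open-ended bracket rather than dropping it.
            if key in open_sessions:
                sessions.append(open_sessions.pop(key))
            open_sessions[key] = Session(user, terminal, ts, None)
        elif event == "LOGOUT":
            # A LOGOUT with no LOGIN seen still tells the carrier when it ended.
            s = open_sessions.pop(key, Session(user, terminal, None, None))
            s.logout = ts
            sessions.append(s)
    sessions.extend(open_sessions.values())
    return sorted(sessions, key=lambda s: s.login or s.logout)


def trace_windows(sessions, user, pad=timedelta(minutes=5)):
    """Padded UTC windows for one account: what you hand the carrier."""
    windows = []
    for s in sessions:
        if s.user != user:
            continue
        start = (s.login - pad).isoformat() if s.login else None
        end = (s.logout + pad).isoformat() if s.logout else None
        windows.append((s.terminal, start, end))
    return windows


if __name__ == "__main__":
    for w in trace_windows(bracket_sessions(SAMPLE_ALARMS), "REGHELP3"):
        print(w)
```

The padding on each window is a hedge against the part of the clock error you did not measure; widen it if the offset was estimated rather than measured, and record which clock the windows are stated against when you pass them on.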
BTW - after about 6 to 8 hours, people tend to fray at the edges - anyone in your shop around to remember to order out for pizza/coffee/beer from time to time during the siege? Up all night against an attack is almost tolerable if you have some support. Up all night against an attack without any sustenance (especially after, say, 10 hours of it) is a crime against techies by their management. Now, tell me that a small fridge filled with "creature comforts" is not justifiable!

6) Note that they decided to leave the system wide open as they lay in wait for the attacker - this is a hard and key decision. Will YOU shut the system up tight or carefully lay in wait 'til you find out what EXACTLY is going on? Turns out that the student had 7 (yes - seven) accounts! Lest you relax, I recently heard of a Gov't agency where an attacker had over 100 accounts! (Keystrokes were the only way they found all of them!)

7) Note that they decided to take the system away from its normal users during this problem. Ever try to stand your ground against tenured faculty members and senior administrators that "want it back NOW"? Best talk to them about "how things will be in a breach" NOW - *before* you have to disrupt their lives.

Thanks guys: Early on (as soon as they found that they were compromised), they decided to disconnect themselves from the net - yes, there *were* withdrawal pains. On behalf of the many of us that are out here in netland - "Thanks, guys!"

A surprise?: The system manager finds himself feeling genuinely sorry for the kid's parents and the kid. Not only is the kid going to get nailed administratively by the University and taken to task by the criminal justice system (both locally and at a state level) - but, some of the grade changes that he made for people allowed the recipients of this increased academic standing to get otherwise undeserved Federal scholarship money. This means a Federal rap. When it rains, it pours. Poor family, poor kid.
Chronology to follow in time. Send mail if you want a copy (reference the number of the thing, please). More details to follow as they become available.

So let's see here. It IS the weekend, ay? Where *exactly* DID I put that beer?..... (And the host of the party noticed that he was over in the corner of the patio mumbling to himself - or was he trying to talk to the shrubbery about ... security? - Poor devil. Quick, get him a cool one... It is the weekend, is it not?)

Ray Kaplan
P.O. Box 42650
Tucson, AZ 85733
Internet: kaplan@ccit.arizona.edu
BITNET: kaplan@arizvms

Ray 8-|)}