2.0 ELECTRONIC INTRUDERS

This section describes the variety of electronic intruders and the skills and techniques these intruders have demonstrated to gather and exploit information. The 1993 edition of this report discussed the computer underground in detail, including their means of communication, group structures, and publications. Because of all the media coverage on the computer underground in recent months, much of the detail has been removed from this report. This section focuses on the types of electronic intruders most likely to threaten NS/EP telecommunications.

Electronic intruders with malicious intent can be members of the computer underground, coerced or disgruntled employees, industrial spies, foreign intelligence services, or any combination thereof. Intruders from these groups use similar techniques, but motivations and resources vary from group to group, and intruders from one group may work with or employ intruders from another (see Exhibit 2-1). Indeed, a malicious intruder may not be associated with any particular group: renegade intruders may have no ties to the computer underground, insiders, industrial spies, or foreign intelligence services. Renegade intruders with malicious intentions nevertheless share the motivations of the groups just named. These four groups are therefore used to categorize the motives of malicious electronic intruders. It is also important to note that users, authorized or unauthorized, whose intentions are not malevolent can still disrupt or deny network services through ignorance or mistakes.

EXHIBIT 2-1 Categories of Potentially Malicious Electronic Intruders

Identifying an intruder's group affiliation or motivation is difficult. As mentioned previously, intruders of different groups may work together, which helps to mask the true motive behind specific attacks. It is also possible for an intruder to function as a member of more than one group. Therefore, identifying the true motive of the intruder is difficult, if not impossible. (CSL0394)

From data written about and by electronic intruders, it is apparent that they remain active. However, law enforcement activity has driven members of the computer underground further into seclusion. Several prominent intruders have been arrested and prosecuted for penetrating telecommunications and computer systems. These arrests may have helped deter casual electronic intruders from attacking the network.

Unfortunately, successes in prosecuting computer criminals have made finding the elite intruders more difficult. Computer criminals are divulging less information about themselves and their activities. The intruders appear to be developing increasingly surreptitious attacks, making the collection of evidence more complicated. Electronic intruders move freely over state or international borders, and they perform their tasks without gaining physical access to systems. These factors make it more difficult to detect intrusions. When intrusions are detected, it is difficult, if not impossible, to track down and prosecute those involved. As elusive attack methods are perfected, the possibilities for more elaborate and covert attacks increase.

2.1 Skills and Techniques

Electronic intruders have demonstrated a variety of methods for gathering and exploiting system information. These methods range from nontechnical activities to highly sophisticated software-based attacks. Exhibit 2-2 outlines the basic stages of the electronic intrusion threat. These stages and examples are discussed in a general manner throughout this report. The gathering of system information is an initial step preceding actual attacks (see Section 2.1.1). When information about a system is gathered, intruders attack the system by any of three means: monitoring the system, penetrating the system, or planting code or false information in the system (see Sections 2.1.2, 2.1.3, and 3.0). These three types of attacks can result in four types of effects: unauthorized monitoring and disclosure of sensitive information, unauthorized modification of network databases/servers, denial or disruption of service, or fraud or financial loss (see Section 4.0).

2.1.1 Basic Information Gathering Activities. There has been much information written about the more basic methods electronic intruders employ to gather information about various systems. The use of these tactics is still commonplace; even established intruders continue to use the tried and true basic methods. (TD14-315, 2600WI93, CUD614) These methods are summarized below:

EXHIBIT 2-2 Stages of the Electronic Intrusion Threat

"Dumpster Diving" or "Trashing." This brazen activity is often undertaken by the newer or younger intruders as a quick way to gather information about a company or a network by sorting through the victim's trash. It has proven effective because of the widespread assumption by employees that once something has been thrown away, no one else sees it. Intruders have found discarded account names and passwords, personal information, and other potentially sensitive information. (MTRASH, TAOTRASH, BELLTRASH, TRASHTECH) The value of one's trash to unauthorized users should not be underestimated.

Social Engineering. A social engineer attempts to deceive an unwary victim by assuming a false identity, usually that of a network administrator, security manager, craft employee, or other person privy to sensitive information. This tactic is effective due, in part, to employees' willingness to help, coupled with a lack of awareness of such methods. Social engineering should be taken seriously because valuable data (such as passwords, personal information, company proprietary information, and dial-in numbers) have all been obtained by this method. (R&ROP, SOCENG89, UNLISTED, CUD513)

War Dialing. War dialing is the practice of using a modem to call all numbers within an exchange or within a range of numbers to locate other modem lines. After these modem lines have been identified, intruders call these numbers to identify the computer system supporting the modem. When interesting systems have been identified, the numbers are usually disseminated to other intruders.

Physical Break-ins. A less common, but extremely effective information gathering tactic is the physical break-in to carrier or service provider sites. The most notable example is the alleged break-in by Kevin Poulsen, who is accused of entering local exchange carrier (LEC) offices and stealing equipment, software, identification badges, and other miscellaneous items. (UMPOULSEN) When an intruder successfully breaks into a site, the intruder has direct access to various systems and can find system information. Despite the ever-present danger of arrest, electronic intruders seem to actively use this method. (PHRACK32, PHRACK21, PHRACK2, IHA191, PHRACK43, THEFT)

2.1.2 Sophisticated Software Skills and Techniques. The more knowledgeable intruders have developed software tools for a variety of missions. Many of these sophisticated tools are widely available to any intruder at any skill level. Software tools, such as war dialing programs and password crackers, are available to all electronic intruders via the Internet and computer bulletin board systems.

A different genre of software tools is being used increasingly by electronic intruders. These tools are often custom developed by computer underground members; they are frequently distributed with both source and object code, allowing quick and easy modification to suit specific tasks. The most dangerous software of this type is malicious code (new or modified programs) that electronic intruders plant surreptitiously inside network elements. These small programs can be written to function like software viruses, worms, or trojan horses.

The genre of software viruses, worms, and trojan horses has been discussed in great detail in other forums, but it is important to mention here. Although most reports of these types of software attacks relate to microcomputers and not network elements, the principles are similar. There are indications that many electronic intruders have extensive knowledge of viruses, worms, and trojan horses. Some have authored viruses and trojan horses for mini- and microcomputer platforms (PHRACK23, PHRACK25), and virus writing competitions have been advertised in the computer underground. (CUD521) Trojan horses have also been found in certain PSN network elements. (IVPC94) If the software attack is delayed (i.e., programmed to execute at a later date), the infected code may be copied onto the system's backups before it ever triggers, so that restoring from those backups reintroduces it. Removing the infected code in this case would normally involve restoring the system from the manufacturer's original system tapes and then rebuilding the system's operating data, resulting in substantial downtime.

In 1990, several members of the Legion of Doom's (LOD) Atlanta branch were arrested on charges of penetrating and disrupting telecommunications network elements. Federal agents accused the LOD members of planting a series of destructive "time bomb" programs in network elements in Denver, Atlanta, and New Jersey. These time bombs were designed to shut down major switching hubs, but were defused by telephone company employees before they caused damage. (WSJ082290)

Currently, there have been few other documented cases of surreptitious code being planted in PSN network elements. However, the required skill sets are well developed in the computer underground and could be applied to the PSN. This is significant because of the potential damage that could result from such an attack.

An equally significant technique gaining popularity in the electronic intruder community involves modifying legitimate software tools stolen from telecommunication carriers and equipment manufacturers. At least four well-publicized incidents illustrate this problem:

Kevin Mitnick (a.k.a. Condor), arrested and prosecuted in 1989 for stealing more than $1 million in source code from Digital Equipment Corporation (DEC), modifying it to add "trap doors," and attempting to copy it back to DEC's development computers. He also was prosecuted for breaking and entering into telephone company facilities. (MITNICK4, HAFFNER91)

Herbert Zinn (a.k.a. Shadow Hawk), arrested as a juvenile in 1987 and subsequently prosecuted for breaking into AT&T computers and stealing source code for digital switches worth hundreds of thousands of dollars. (COOK90, TNS10)

Legion of Doom indictments, handed down in the aftermath of the BellSouth Enhanced 911 (E-911) cases in 1989, charged that LOD members unlawfully accessed BellSouth computers and stole proprietary source code and software tools. (LODINDICT90, PHRACK24, CUD421)

Leonard Rose (a.k.a. Terminus), prosecuted in 1990 for possessing stolen copies of source code for AT&T's UNIX operating system. The source code in Rose's possession had been modified to defeat security features. (POST32391, BARLOW90)

In these four cases, no PSN element was compromised by planting modified source code of element software. However, there have been reports that the members of the electronic intruder group, Masters of Disaster (a.k.a. Masters of Deception, a.k.a. Masters of Destruction, or MOD) (see Section 2.2), accessed several carriers' computers and "modified or otherwise corrupted" programs. (PHRACK40) The level of threat in this area warrants attention because these cases demonstrate the skills necessary to target PSN elements.

A slightly different twist on this threat occurred in several less publicized incidents in which electronic intruders stole source code to network management, maintenance, or engineering tools and used it to attack the network. This threat has been especially prevalent in X.25 packet switched networks because X.25 software tools are easily available. (PHRACK31, PHN02-04) Tutorials on how to use and modify these tools have been distributed throughout the computer underground. (PHRACK42) The level of threat in this area is difficult to quantify; however, because of the electronic intruders' improving skills and the growing dissemination of these tools, the threat is significant.

A highly sophisticated form of software attack, known as a programmed attack, has been detected several times in various networks and is considered to be on the leading edge of intrusion activities. These attacks rely on highly customized software programs that target specific types of computers or network elements. Little data has been gathered on these attacks because they are seldom detected. It is significant that these programs are almost never destructive or disruptive; they apparently seek to modify or add services rather than "crash" systems. Another apparent purpose for programmed attacks is to gather information. These programs normally attack using pre-existing accounts, which must have been obtained beforehand, so they can be assumed to be the result of significant prior effort on the electronic intruder's part.

The capability illustrated by this category of attacks has not fully matured. However, if a coordinated attack using these types of tools were directed at the PSN with a goal of disrupting NS/EP telecommunications, the result could be significant.

2.1.3 Defeating Existing Countermeasures. Another area where electronic intruders demonstrate their technical flexibility and ingenuity is in defeating countermeasures. Because intruders have recently boasted about their abilities to penetrate various PSN elements, existing countermeasures may have been bypassed. Supposing that only a small percentage of the boasts are true, a significant problem may exist because most access points to telecommunication networks utilize some form of access control.

These countermeasures vary in terms of effectiveness and efficiency. The three most widely implemented techniques are account name/password pairs, dial-back modems, and one-time passwords (i.e., token-based mechanisms). These techniques are discussed in the following paragraphs. Other types of access controls include biometric techniques, smart cards, and restricted user groups.

Account Name/Password Pairs. The most widespread countermeasure used in network systems is the account name/password pair. It is also the least secure method of deterring unauthorized use. The deficiencies of password protection are well documented and outside the scope of this analysis. Electronic intruders have exploited password systems using several methods. The first method is to use known login/password combinations that are shipped by the equipment manufacturers as system defaults and are never changed. The second method is to actively "crack" password files. The electronic intruder obtains the password file either by gaining initial access to the target computer (using a stolen or compromised account) or by remote file transfer methods, such as the Trivial File Transfer Protocol (TFTP), which performs no authentication when left unrestricted. The passwords in this file are normally stored in one-way encrypted (hashed) form and cannot be read back directly, but electronic intruders do not need to reverse them: they encrypt candidate words the same way and compare the results with the stored values. These attacks, called dictionary attacks, are slow against well-chosen passwords and are still used mainly by novice electronic intruders; systems with poorly implemented and/or managed password controls nevertheless remain vulnerable to them. A third, more sophisticated method requires electronic intruders to monitor data traffic electronically using automated "sniffer" programs. They then search the captured traffic for login sequences and read valid login and password data directly off the line, which the remote login protocols of the day carry unencrypted. Although this method requires a degree of technical expertise outside the realm of novice electronic intruders, it has been identified as a very productive method for gathering access codes. (CUD340, DFP1, HACKGUIDE)
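The dictionary attack described above, worked through as an added example (this code is not from the report or from any carrier's systems). The password file format, the salts, the accounts and the wordlist are all constructed for illustration, and salted SHA-256 stands in for the crypt(3) one-way function of the period; the property that matters is the same in both, namely that stored values cannot be reversed, only guessed and compared.

```python
import hashlib
import hmac

# Constructed stand-in for the one-way function protecting the password file.
# crypt(3) used a salted DES variant; salted SHA-256 is used here so the
# example runs anywhere. Neither can be reversed: an attacker must guess.
def hash_password(salt: str, password: str) -> str:
    return hashlib.sha256((salt + password).encode()).hexdigest()


def make_entry(user: str, salt: str, password: str) -> str:
    """One line of the constructed password file: user:salt$digest."""
    return f"{user}:{salt}${hash_password(salt, password)}"


# Constructed password file (not a real network element's file).
# 'maint' still carries a vendor default, 'craft' chose a common word with a
# year appended, 'netadm' chose a long random string. Salts are fixed so the
# example is reproducible.
SAMPLE_PASSWORD_FILE = "\n".join([
    "# user:salt$digest  (constructed sample)",
    make_entry("maint", "k3", "maint"),
    make_entry("craft", "Zq", "summer93"),
    make_entry("netadm", "7f", "rW9#vLp2!xQe4m"),
])

# Constructed wordlist: vendor defaults plus common words and year suffixes.
WORDLIST = ["maint", "craft", "admin", "field", "password",
            "summer", "summer93", "winter93", "secret"]


def parse_password_file(text: str) -> dict:
    """Map user -> (salt, digest), skipping blank and comment lines."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, stored = line.split(":", 1)
        salt, digest = stored.split("$", 1)
        entries[user] = (salt, digest)
    return entries


def dictionary_attack(entries: dict, wordlist) -> dict:
    """Hash every word under every account's salt; return user -> password.

    The per-account salt defeats a precomputed table (the same word hashes
    differently for each account) but not a per-account guess: each word is
    simply hashed once more per account. Accounts whose password is not in
    the wordlist are never recovered, which is why 'netadm' survives.
    """
    recovered = {}
    for user, (salt, digest) in entries.items():
        for word in wordlist:
            if hmac.compare_digest(hash_password(salt, word), digest):
                recovered[user] = word
                break
    return recovered


if __name__ == "__main__":
    entries = parse_password_file(SAMPLE_PASSWORD_FILE)
    print(dictionary_attack(entries, WORDLIST))
    # {'maint': 'maint', 'craft': 'summer93'}
```

Run as a script, the example recovers the default and the dictionary-derived password and fails on the random one. The defensive reading is the one the report draws: the file's protection is only as good as the weakest password in it, so vendor defaults must be changed on installation and the file itself must not be readable through unauthenticated services such as TFTP.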

Dial-Back Modems. Dial-back modems are an older technology that is widely available. This type of access control works by identifying the incoming caller, disconnecting the circuit, and dialing the identified person or computer back at a predetermined telephone number. Electronic intruders can sidestep this method by instructing the LEC service provisioning system to forward the return call to the electronic intruder's own computer. Although difficult, this method has been used successfully by electronic intruders to gain access to protected systems. (NSTF92)

A simpler method works if the central office line is under originator control, so that the circuit is released only when the calling party hangs up. The attacker simply stays on the line, mimics dial tone when the modem attempts to disconnect, and waits for the modem to dial out again on the same line; the "return" call never leaves the attacker's connection. If the dial-back modem uses a separate dial-out line, this method does not work.

One-Time Passwords. Defeating one-time passwords is difficult and has been demonstrated only by the more competent electronic intruders. As the name implies, a one-time password system accepts a given password only once. Token-based authentication is the common form of such a system. When users log on, the system presents a numeric challenge that they type into the token; the token displays a response number, which they type back into the computer. The computer computes the reply it expects from that user's token, and if the response does not match, access is denied.
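The challenge-response exchange just described, as an added example that is not from the report or from any token vendor. The report names no product or algorithm, so HMAC-SHA256 truncated to six digits is assumed for the token computation, and the user name, challenge length and response length are likewise assumptions; the host is modelled only far enough to show why a captured response is worthless against the next challenge.

```python
import hashlib
import hmac
import secrets

# Assumed token algorithm (the report does not specify one): the shared
# secret keys an HMAC over the decimal challenge and the first four bytes
# are reduced to six digits, the length a user could read and type.
RESPONSE_DIGITS = 6
CHALLENGE_DIGITS = 8


class Token:
    """The hand-held device: holds the per-user secret and answers challenges."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def respond(self, challenge: str) -> str:
        mac = hmac.new(self._secret, challenge.encode(), hashlib.sha256).digest()
        value = int.from_bytes(mac[:4], "big") % 10 ** RESPONSE_DIGITS
        return f"{value:0{RESPONSE_DIGITS}d}"


class Host:
    """The protected system: issues a fresh challenge for every login attempt."""

    def __init__(self):
        self._secrets = {}   # user -> token secret shared at enrollment
        self._pending = {}   # user -> the one challenge currently outstanding

    def enroll(self, user: str) -> Token:
        secret = secrets.token_bytes(20)
        self._secrets[user] = secret
        return Token(secret)

    def challenge(self, user: str) -> str:
        # Unpredictable, so an intruder cannot precompute the answer.
        value = secrets.randbelow(10 ** CHALLENGE_DIGITS)
        self._pending[user] = f"{value:0{CHALLENGE_DIGITS}d}"
        return self._pending[user]

    def verify(self, user: str, response: str) -> bool:
        # The challenge is consumed here: a response is checked only against
        # the challenge it was issued for, and never a second time.
        challenge = self._pending.pop(user, None)
        if challenge is None or user not in self._secrets:
            return False
        expected = Token(self._secrets[user]).respond(challenge)
        return hmac.compare_digest(expected, response)


def legitimate_login(host: Host, user: str, token: Token) -> bool:
    """The authorized user: read the challenge, key it into the token, type the answer."""
    return host.verify(user, token.respond(host.challenge(user)))


def replay_login(host: Host, user: str, captured_response: str) -> bool:
    """An intruder who sniffed one valid response and replays it at the next login."""
    host.challenge(user)  # the host issues a different challenge this time
    return host.verify(user, captured_response)


if __name__ == "__main__":
    host = Host()
    craft_token = host.enroll("craft")          # assumed user name
    print(legitimate_login(host, "craft", craft_token))
    sniffed = craft_token.respond(host.challenge("craft"))
    print(host.verify("craft", sniffed))        # first use: accepted
    print(replay_login(host, "craft", sniffed))  # replay: rejected
```

The point of the example is the boundary of what the token protects. A response captured off the line (the third method under Account Name/Password Pairs above) is useless a moment later, because the next challenge is different and the old one has been consumed. What the token does not protect is the session after `verify` has returned true, which is where the attack in the next paragraph operates.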

Electronic intruders can defeat this countermeasure not by guessing the password but by taking control of the user's line after access has been granted. In many cases, when a user disconnects from a system, the host modem does not reset immediately; during this interval an electronic intruder can pick up the line and assume the legitimate user's already-authenticated identity. The more experienced electronic intruders have demonstrated the necessary capabilities.

2.2 Members of the Computer Underground

Over the past several years, there has been a significant amount of media coverage exposing the members of the computer underground. These intruders are generally males between the ages of 16 and 29. Although historically motivated by curiosity and a desire to understand computer systems, they are increasingly demonstrating financial motivation. (NETFIRE1) The new breed of computer underground members criticize the older generation of intruders (i.e., the LOD and the MOD members) for relying on their old reputations. This new breed will certainly attempt to prove themselves to substantiate their criticism of older intruders. (WIRED994)

Several of the more notable incidents of members of the computer underground involved groups of intruders working in teams. These groups comprise intruders who exhibit skills for particular systems or techniques. The group then uses the various skills of the members to accomplish intrusions that cannot be done by any one member acting alone.

One particular group demonstrates the potential threat of intruders working as a team. On July 8, 1992, several members of the computer intruder group known as MOD were indicted on 11 counts, including conspiracy, wire fraud, computer fraud, and interception of electronic communications. The following is a list of some of the alleged activities of the group:

Developed and unleashed "programmed attacks" on telephone company computers

Monitored data transmissions on X.25 networks looking for passwords and access codes

Illegally accessed phone company computers to create new circuits and add services with no billing records

Changed an adversary's long distance carrier to more easily obtain the adversary's calling records

Sold passwords and access codes

Destroyed data in several computer systems.

The arrested MOD members reached plea bargain agreements. One of the members, Mark Abene (a.k.a., Phiber Optik), was sentenced to a year in jail. Several MOD members who were not arrested are presumed to still be active in the computer underground.

Another example of potential abuse by electronic intruders occurred on April 11, 1991, when law enforcement authorities arrested Kevin Lee Poulsen in Van Nuys, California, 17 months after he was indicted on a variety of computer fraud and wiretapping charges. Poulsen, known by the alias Dark Dante, allegedly masterminded a complete computer and telephone system invasion. If the allegations against Poulsen are factual, he was responsible for the most comprehensive, coordinated attack on the PSN to date. Some of the allegations against Poulsen and his two accomplices are informative:

Compromised an ongoing law enforcement investigation

Identified law enforcement run businesses and law enforcement wiretaps

Intruded on LEC service provisioning systems numerous times (allegedly more than 40)

Modified existing telephone services, added new telephone services (some without billing), forwarded calls to other numbers, and dual-provisioned telephone lines

Intruded on LEC maintenance/test systems to electronically monitor telephone conversations

Intruded on LEC databases and obtained telephone numbers (some unlisted), street addresses, customer names, and other sensitive data

Physically broke into carrier offices, and stole equipment, software, identification badges, and other material

Sold sensitive data obtained from LEC databases, and illegally established or modified telephone services for other individuals

Manufactured false identification, including telephone company identification badges and drivers licenses

Intruded on other computer systems for profit, including the California DMV, credit bureaus, and an Air Force computer network

Illegally possessed classified documents

Laundered money. (UMPOULSEN, PHRACK32, NB12090, SJMN41391, LT42393, SE30SNYB)

Poulsen has pleaded guilty to all the above charges, except for the illegal possession of classified documents. His sentencing and trial on the possession of classified information charge are scheduled for early 1995.

It is worth noting that Poulsen has not been indicted for attacking PSN systems with the expressed intent of causing widespread denial of service, compromising the operating system software of network elements, or causing physical damage to PSN facilities. The allegations brought against Poulsen suggest that he sought to manipulate the system to his own ends and to profit from his activities.

Members of the computer underground have demonstrated a high degree of skill in learning about systems. When they gather information about systems, they disseminate it to intruder-related computer systems and networks, including computer underground bulletin board systems. The intruders discuss new information with the goal of discovering vulnerabilities. This effective learning cycle is attractive to parties who may wish to compromise a system and have the resources to buy the skills of computer underground members, but who lack the knowledge necessary to attack a system themselves.

Members of the computer underground modify old electronic intrusion tools to work more efficiently and to be used on new systems. There are even periodic software "releases" of some of the more popular intrusion programs. The existing tools and resources in the computer underground could certainly assist other parties interested in intrusion activities.

Foreign Involvement. The issue of foreign involvement in electronic intruder activities in the United States PSN is complex. Telecommunication networks are truly international. They stretch beyond national boundaries, they bridge continents, and they provide connectivity to virtually every corner of the globe.

Electronic intruder activities are also international and not limited to the United States. Many developed countries have computer underground movements that engage in activities ranging from simple toll fraud to virus creation, computer intrusion, and data network attacks. The Netherlands and Germany have particularly active computer underground groups. In The Netherlands, many nondestructive electronic intrusion activities are legal, and law enforcement activities in this area are virtually nonexistent. In Germany, intrusion techniques are actively taught in some state universities, and electronic intruders have flourished. Although these two countries' computer underground activities are unique, many other nations have energetic electronic intruder subcultures. Exhibit 2-3 lists foreign countries where recent electronic intruder activity has been reported.

EXHIBIT 2-3 Foreign Countries With Active Computer Undergrounds

Argentina
Australia
Austria
Belarus
Belgium
Czech Republic
France
Germany
Greece
Hungary
The Netherlands
Romania
Russia
South Africa
Spain