Targets
Wherever hackers gather, talk soon moves from past achievements
and adventures to speculation about what new territory might be
explored. It says much about the compartmentalisation of computer
specialities in general and the isolation of micro-owners from
mainstream activities in particular that a great deal of this
discussion is like that of navigators in the days before Columbus:
the charts are unreliable, full of blank spaces and confounded with
myth.
In this chapter I am attempting to provide a series of notes on
the main types of services potentially available on dial-up, and to
give some idea of the sorts of protocols and conventions employed.
The idea is to give voyagers an outline atlas of what is interesting
and possible, and what is not.
On-line hosts
On-line services were the first form of electronic publishing: a
series of big storage computers--and on occasion, associated
dedicated networks--act as hosts to a group of individual databases
by providing not only mass data storage and the appropriate 'search
language' to access it, but also the means for registering, logging
and billing users. Typically, users access the on-line hosts via a
phone number which links into a public data network using packet
switching (there's more on these networks in chapter 7).
The on-line business began almost by accident; large corporations
and institutions involved in complicated technological developments
found that their libraries simply couldn't keep track of the
publication of relevant new scientific papers, and decided to
maintain indices of the papers by name, author, subject-matter, and
so on, on computer. One of the first of these was the armaments and
aircraft company, Lockheed Corporation.
In time the scope of these indices expanded and developed and
outsiders--sub-contractors, research agencies, universities,
government employees, etc.--were granted access. Other organisations
with similar information-handling requirements asked if space could
be found on the computer for their needs.
Eventually Lockheed and others recognised the beginnings of a quite
separate business; in Lockheed's case it led to the foundation of
Dialog, which today acts as host and marketing agent for almost 300
separate databases. Other on-line hosts include BRS (Bibliographic
Retrieval Services), Comshare (used for sophisticated financial
modelling), DataStar, Blaise (British Library), I P Sharp, and
Euronet-Diane.
On-line services, particularly the older ones, are not especially
user-friendly by modern standards. They were set up at a time when
both core and storage memory were expensive, and the search languages
tend to be abbreviated and formal. Typically they are used, not by
the eventual customer for the information, but by professional
intermediaries--librarians and the like--who have undertaken special
courses. Originally on-line hosts were accessed by dumb terminals,
usually teletypewriters like the Texas Whisperwriter portable with
built-in acoustic modem, rather than by VDUs. Today the trend is to
use 'front-end' intelligent software on an IBM PC which allows the
naive user to pose his/her questions informally while offline; the
software then redefines the information request into the formal
language of the on-line host (the user does not witness this process)
and then goes on-line via an auto-dial modem to extract the
information as swiftly and efficiently as possible.
On-line services require the use of a whole series of passwords:
the usual NUI and NUA for PSS (see chapter 7), another to reach the
host, yet another for the specific information service required.
Charges are either for connect-time or per record retrieved, or
sometimes a combination.
The categories of on-line service include bibliographic, which
merely indexes the existence of an article or book--you must then
find a physical copy to read; and source, which contains the article
or extract thereof. Full-text services not only contain the complete
article or book but will, if required, search the entire text (as
opposed to mere keywords) to locate the desired information. An
example of this is LEXIS, a vast legal database which contains nearly
all important US and English law judgements, as well as statutes.
News Services
The vast majority of news services, even today, are not, in the
strictest sense, computer-based, although computers play an important
role in assembling the information and, depending on the nature of
the newspaper or radio or tv station receiving it, its subsequent
handling.
The world's big press agencies--United Press, Associated Press,
Reuters, Agence France Presse, TASS, Xinhua, PAP, VoA -- use telex
techniques to broadcast their stories. Permanent leased telegraphy
lines exist between agencies and customers, and the technology is
pure telex: the 5-bit Baudot code (rather than ASCII) is adopted,
giving capital letters only, and 'mark' and 'space' are sent by
changing voltage conditions on the line rather than audio tones.
Speeds are 50 or 75 baud.
The user cannot interrogate the agency in any way. The stories
come in a single stream which is collected on rolls of paper and then
used as per the contract between agency and subscriber. To hack a
news agency line you will need to get physically near the appropriate
leased line, tap in by means of an inductive loop, and convert the
changing voltage levels (+80 volts on the line) into something your
RS232C port can handle. You will then need software to translate the
Baudot code into the ASCII which your computer can handle internally,
and display on screen or print to a file. The Baudot code is given in
Appendix IV.
None of this is easy and will probably involve breaches of several
laws, including theft of copyright material! However a number of news
agencies also transmit services by radio, in which case the signals
can be hijacked with a short-wave receiver. Chapter 9 explains.
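The Baudot-to-ASCII translation step mentioned above, as an added example that is not code from the book: an ITA2 encoder and decoder in Python, carrying the letters/figures shift state that a 5-bit code needs. The bit-packing convention, the alphabet variant (ITA2 with the UK pound sign) and the sample bulletin are assumptions of mine, not taken from the chapter.

```python
# Added illustration for this chapter, not code from the book: a translator
# between the 5-bit Baudot (ITA2) code of a telex feed and ordinary text.
# Telex carries capitals only; the LTRS and FIGS shift codes switch every
# other code between two meanings, so the decoder must carry shift state.
#
# Assumption (not stated in the book): each code value is an int whose low
# five bits hold the character, first-transmitted bit as the least
# significant bit, the convention that gives E = 0b00001 and LTRS = 0b11111.

LTRS = 0x1F  # shift to the letters case
FIGS = 0x1B  # shift to the figures case

# ITA2 alphabets indexed by code value.  Positions 27 and 31 are the shift
# codes themselves and are never emitted as text.  Figures case uses the
# ITA2 (UK) assignments: ENQ at 9, BEL at 11, pound sign at 20.
_LETTERS = "\x00E\nA SIU\rDRJNFCKTZLWHYPQOBG\x1bMXV\x1f"
_FIGURES = "\x003\n- '87\r\x054\x07,!:(5+)2£6019?&\x1b./;\x1f"


def decode_ita2(codes):
    """Translate an iterable of 5-bit code values into a str.

    A telex line idles in letters case, so decoding starts there; a feed
    joined mid-stream may show rubbish until the next shift code arrives.
    """
    table = _LETTERS
    out = []
    for code in codes:
        if not 0 <= code <= 0x1F:
            raise ValueError(f"not a 5-bit code: {code!r}")
        if code == LTRS:
            table = _LETTERS
        elif code == FIGS:
            table = _FIGURES
        else:
            out.append(table[code])
    return "".join(out)


def encode_ita2(text):
    """Translate text into a list of code values, inserting shifts as needed.

    Lower case is folded to upper case (telex has no lower case); characters
    with no ITA2 code raise ValueError rather than being dropped silently.
    """
    codes = []
    current = None  # receiver's shift state is unknown until we send one
    for ch in text.upper():
        in_ltrs = _LETTERS.find(ch)
        in_figs = _FIGURES.find(ch)
        if in_ltrs in (FIGS, LTRS) or (in_ltrs == -1 and in_figs == -1):
            raise ValueError(f"no ITA2 code for {ch!r}")
        if in_ltrs == in_figs:  # NUL, LF, SP, CR mean the same in both cases
            codes.append(in_ltrs)
            continue
        wanted, code = (LTRS, in_ltrs) if in_ltrs != -1 else (FIGS, in_figs)
        if current != wanted:
            codes.append(wanted)
            current = wanted
        codes.append(code)
    return codes


# Constructed sample in the style of an agency tape (not a real bulletin).
SAMPLE_STORY = (
    "ZCZC LON042\r\n"
    "LONDON, 12 MARCH (REUTER) - STERLING CLOSED AT 1.1025 DOLLARS, "
    "UP 0.4 CENTS; GOLD FIXED AT 305.50.\r\n"
    "NNNN"
)

if __name__ == "__main__":
    stream = encode_ita2(SAMPLE_STORY)
    print(f"{len(stream)} codes on the wire for {len(SAMPLE_STORY)} characters")
    print(decode_ita2(stream))
```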
Historic news, as opposed to the current stuff from agencies, is
now becoming available on-line. The New York Times, for example, has
long held its stories in an electronic 'morgue' or clippings library.
Initially this was for internal use, but for the last several years
it has been sold to outsiders, chiefly broadcasting stations and
large corporations. You can search for information by a combination
of keyword and date-range. The New York Times Information Bank is
available through several on-line hosts.
As the world's great newspapers increasingly move to electronic
means of production--journalists working at VDUs, sub-editors
assembling pages and direct-input into photo-typesetters--the
additional cost to each newspaper of creating its own morgue is
relatively slight and we can expect to see many more commercial
services.
In the meantime, other publishing organisations have sought to
make available articles, extract or complete, from leading magazines
also. Two UK examples are Finsbury Data Services' Textline and
Datasolve's World Reporter, the latter including material from the BBC's
monitoring service, Associated Press, the Economist and the Guardian.
Textline is an abstract service, but World Reporter gives the full
text. In October 1984 it already held 500 million English words.
In the US there is NEXIS, which shares resources with LEXIS; NEXIS
held 16 million full text articles at that same date. All these
services are expensive for casual use and are accessed by dial-up
using ordinary asynchronous protocols.
Many electronic newsrooms also have dial-in ports for reporters
out on the job; depending on the system these ports not only allow
the reporter to transmit his or her story from a portable computer,
but may also (like Basys Newsfury used by Channel Four News) let them
see news agency tapes, read headlines and send electronic mail. Such
systems have been the subject of considerable hacker speculation.
Financial Services
The financial world can afford more computer aids than any other
non-governmental sector. The vast potential profits that can be made
by trading huge blocks of currency, securities or commodities--and
the extraordinary advantages that a slight 'edge' in information can
bring--have meant that the City, Wall Street and the equivalents in
Hong Kong, Japan and major European capitals have been in the
forefront of getting the most from high-speed comms.
Ten years ago the sole form of instant financial information was
the ticker tape--telegraphy technology delivering the latest share
price movements in a highly abbreviated form. As with its news
equivalents, these were broadcast services (and still are, for the
services still exist) sent along leased telegraph lines. The user
could only watch, and 'interrogation' consisted of back-tracking
along a tape of paper. Extel (Exchange Telegraph) continues to use
this technique, though it is gradually upgrading by using viewdata
and intelligent terminals.
However, just over ten years ago Reuters put together the first
packages which gave some intelligence and 'questioning power' to the
end user. Each Reuters Monitor is intelligent, containing (usually)
a DEC PDP-8 series mini and some firmware which accepts and selects
the stream of data from the host at the far end of the leased line,
marshals interrogation requests and takes care of the local display.
Information is formatted in 'pages' rather like viewdata frames, but
without the colour. There is little point in eavesdropping on a
Reuters line unless you know what the terminal firmware does. Reuters
now face an aggressive rival in Telerate, and the fight is on to
deliver not only fast comprehensive prices services but international
screen-based dealing as well. The growth of Reuters and its rivals is
an illustration of technology creating markets--especially in
international currency--where none existed before.
The first sophisticated Stock Exchange prices 'screens' used
modified closed circuit television technology. London had a system
called Market Price Display Service--MPDS--which consisted of a
number of tv displays of current prices services on different
'channels' which could be selected by the user. But London now uses
TOPIC, a leased line variant on viewdata technology, though with its
magazine-like arrangement and auto-screen refresh, it has as much in
common with teletext as Prestel. TOPIC carries about 2,500 of the
total 7,500 shares traded in London, plus selected analytical
material from brokers. Datastream represents a much higher level of
sophistication: using its terminals, which cost £40,000-plus per
annum, you can compare historic data--price movements, movements
against sector indices etc--and chart the results.
The hacker's reward for getting into such systems is that you can
see share and other prices on the move. None of these prices is
confidential; all could be obtained by ringing a stockbroker.
However, this situation is likely to change; as the City makes the
change from the traditional broker/jobber method of dealing towards
specialist market making, there will then be electronic prices
services giving privileged information to specialist share dealers.
All these services are only available via leased lines; City
professionals would not tolerate the delays and uncertainties of
dial-up facilities. However dial-up ports exist for demonstrations,
exhibitions, engineering and as back-up--and a lot of hacking effort
has gone into tracking them down.
In the United States, in addition to Reuters, Telerate and local
equivalents of official streams of stock exchange and over-the-counter
data, there is Dow Jones, best known internationally for its
market indices similar to those produced by the Financial Times in
London. Dow Jones is in fact the owner of the Wall Street Journal and
some influential business magazines. Its Dow Jones News/Retrieval
Service is aimed at businesses and private investors. It features
current share prices, deliberately delayed by 15 minutes, historic
price data, which can be charted by the user's own computer
(typically an Apple or IBM PC) and historic 'morgue' type company
news and analysis. Extensions of the service enable customers to
examine accounts of companies in which they are interested. The bulk
of the information is US-based, but can be obtained world-wide via
packet-switching networks. All you need are the passwords and special
software.
Business Information
Business information is usually about the credit-worthiness of
companies, company annual reports, trading opportunities and market
research. The biggest electronic credit data resource is owned by the
international company Dun & Bradstreet: during 1985-86 it is due to
spend £25m on making its data available all over Europe, including
the UK. The service, which covers more than 250,000 UK businesses, is
called DunsPrint and access is both on-line and via a viewdata
front-end processor. Another credit agency, CNN Services, already
extensively used by the big clearing banks, and with 3000 customers
accessing information via viewdata sets, has recently also announced
an extended electronic retrieval service of its own called Guardian
Business Information. A third UK credit service available
electronically is called InfoLink.
In addition, all UK companies quoted on the London Stock Exchange
and many others of any size who are not, have a report and analysis
available from ICC (InterCompany Comparisons), who can be accessed via
on-line dial-up, through a viewdata interface and also by
Datastream customers. Dun & Bradstreet also have an on-line service
called KBE covering 20,000 key British enterprises.
Prodigious quantities of credit and background data on US
companies can be found on several of the major on-line hosts. A
valid phone number, passwords and extracts from the operations manual
of one of the largest US services, TRW--it has credit histories on 90
million people--sat on some hackers' bulletin boards (of which much
more later) for over twelve months during 1983 and 1984 before the
company found out. No one knows how many times hackers accessed the
service. According to the Washington Post, the password and manual
had been obtained from a Sears Roebuck national chain store in
Sacramento; some hackers claimed they were able to alter credit
records, but TRW maintain that telephone access to their systems is
designed for read-only operations alone, updating of files taking
place solely on magnetic tape.
US market research and risk analysis comes from Frost & Sullivan.
Risk analysis tells international businessmen which countries are
politically or economically unstable, or likely to become so, and so
unsafe to do business with. I once found myself accessing a
viewdata-based international assessment service run by a company
called Control Risks, which reputedly has strong links to the Special
Air Service. As so often happens when hackers think they are about to
uncover secret knowledge, the actual data files seemed relatively
trivial, the sort of judgements that could be made by a bright sixth
former who read posh newspapers and thoughtful weekly magazines.
University facilities
In complete contrast to computers that are used to store and
present data are those where the value is to deliver processing power
to the outside world. Paramount among these are those installed in
universities and research institutes.
Although hackers frequently acquire phone numbers to enter such
machines, what you can do once you are there varies enormously. There
are usually tiers and banks of passwords, each allowing only limited
access to the range of services. It takes considerable knowledge of
the machine's operating system to break through from one to another
and indeed, in some cases, the operating system is so thoroughly
embedded in the mainframe's hardware architecture that the
substantial modifications necessary to permit a hacker to roam free
can only be done from a few designated terminals, or by having
physical access to the machine. However, the hobbyist bulletin board
system quite often provides passwords giving access to games and the
ability to write and run programs in exotic languages--my own first
hands-on experience of Unix came in exactly this way. There are
bulletin boards on mainframes and even, in some cases, boards for
hackers!
Given the nature of hacking, it is not surprising that some of the
earliest japes occurred on computers owned by universities. Way back
in the 1970s, MIT was the location of the famous 'Cookie Monster',
inspired by a character in the then-popular Rowan & Martin Laugh-in
television show. As someone worked away at their terminal, the word
'cookie' would appear across their screen, at first slowly wiping out
the user's work. Unless the user moved quickly, things started to
speed up and the machine would flash urgently: "Cookie, cookie, give
me a cookie". The whole screen would pulse with this message until,
after a while, the hacking program relented and the 'Monster' would
clear the screen, leaving the message: "I didn't want a cookie
anyway." It would then disappear into the computer until it snared
another unsuspecting user. You could save yourself from the Monster
by typing the word "Cookie", to which it replied "Thank you" and then
vanished.
In another US case, this time in 1980, two kids in Chicago,
calling themselves System Cruncher and Vladimir, entered the computer
at DePaul University and caused a system crash which cost $22,000 to
fix. They were prosecuted, given probation and were then made a movie
offer.
In the UK, many important university and research institution
computers have been linked together on a special data network called
SERCNET. SERC is the Science and Engineering Research Council.
Although most of the computers are individually accessible via PSS,
SERCNET makes it possible to enter one computer and pass through to
others. During early 1984, SERCNET was the target of much hacker
attention; a fuller account appears in chapter 7, but to anticipate a
little, a local entry node was discovered via one of the London
University college computers with a demonstration facility which, if
asked nicely, disgorged an operating manual and list of 'addresses'.
One of the minor joys of this list was an entry labelled "Gateway to
the Universe", pure Hitch-hiker material, concealing an extensive
long-term multi-function communications project. Eventually some
hackers based at a home counties university managed to discover ways
of roaming free around the network....
Banking
Prominent among public fantasies about hackers is the one where
banks are entered electronically, accounts examined and some money
moved from one to another. The fantasies, bolstered by
under-researched low-budget movies and tv features, arise from
confusing the details of several actual happenings.
Most 'remote stealing' from banks or illicit obtaining of account
details touch computers only incidentally and involve straightforward
fraud, conning or bribery of bank employees. In fact, when
you think about the effort involved, human methods would be much more
cost-effective for the criminal. For hackers, however, the very
considerable effort that has been made to provide security makes the
systems a great challenge in themselves.
In the United Kingdom, the banking scene is dominated by a handful
of large companies with many branches. Cheque clearing and account
maintenance are conducted under conditions of high security with
considerable isolation of key elements; inter-bank transactions in
the UK go through a scheme called CHAPS, Clearing House Automatic
Payments System, which uses the X.25 packet switching protocols (see
chapter 7). The network is based on Tandem machines; half of each
machine is common to the network and half unique to the bank. The
encryption standard used is the US Data Encryption Standard. Certain
parts of the network, relating to the encryption and decryption of
messages, apparently auto-destruct if tampered with.
The service started early in 1984. The international equivalent
is SWIFT (Society for Worldwide Interbank Financial Transactions);
this is also X.25-based and it handles about half-a-million messages
a day. If you want to learn someone's balance, the easiest and most
reliable way to obtain it is with a plausible call to the local
branch. If you want some easy money, steal a cheque book and cheque
card and practise signature imitation. Or, on a grander scale, follow
the example of the £780,000 Krugerrand fraud in the City. Thieves
intercepted a telephone call from a solicitor or bank manager to
'authenticate' forged drafts; the gold coins were then delivered to a
bogus company.
In the United States, where federal law limits the size of an
individual bank's operations, and in international banking, direct
attacks on banks have been much easier because the technology adopted
is much cruder and more use is made of public phone and telex lines.
One of the favourite techniques has been to send fake authorisations
for money transfers. This was the approach used against the Security
National Pacific Bank by Stanley Rifkin and a Russian diamond dealer
in Geneva. $10.2m moved from bank to bank across the United States
and beyond. Rifkin obtained code numbers used in the bilateral Test
Keys. The trick is to spot weaknesses in the cryptographic systems
used in such authorisations. The specifications for the systems
themselves are openly published; one computer security expert, Leslie
Goldberg, was recently able to take apart one scheme--proposed but
not actually implemented--and show that much of the 'key' that was
supposed to give high level cryptographic security was technically
redundant, and could be virtually ignored. A surprisingly full
account of his 'perfect' fraud appears in a 1980 issue of the journal
Computer Fraud and Security Bulletin.
There are, however, a few areas where banking is becoming
vulnerable to the less mathematically literate hacker. A number of
international banks are offering their big corporation customers
special facilities so that their Treasury Departments (which ensure,
among other things, that any spare million dollars are not left doing
nothing over night but are earning short-term interest) can have
direct access to their account details via a PC on dial-up. Again,
telebanking is now available via Prestel and some of its overseas
imitators. Although such services use several layers of passwords to
validate transactions, if those passwords are mis-acquired, since no
signatures are involved, the bank account becomes vulnerable.
Finally, the network of ATMs (hole-in-the-wall cash machines) is
expanding greatly. As mentioned early in this book, hackers have
identified a number of bugs in the machines. None of them,
incidentally, lead directly to fraud. These machines allow cardholders
to extract cash up to a finite limit each week (usually
£100). The magnetic stripe contains the account number, validation
details of the owner's PIN (Personal Identity Number), usually 4
digits, and a record of how much cash has been drawn that week. The
ATM is usually off-line to the bank's main computer and only goes
on-line in two circumstances--first, during business hours, to
respond to a customer's 'balance request'; and second, outside
regular hours, to take into local memory lists of invalid cards which
should not be returned to the customer, and to dump out cheque book
and printed statement requests.
Hackers have found ways of getting more than their cash limit each
week. The ATMs belonging to one clearing bank could be 'cheated' in
this way: you asked for your maximum amount and then, when the
transaction was almost completed, the ATM asked you 'Do you want
another transaction, Yes/No?' If you responded 'yes' you could then
ask for--and get--your credit limit again, and again, and again. The
weakness in the system was that the magnetic stripe was not
overwritten to show you had had a transaction till it was physically
ejected from the machine. This bug has now been fixed.
A related but more bizarre bug resided for a while on the ATMs
used by that first bank's most obvious High Street rivals. In that
case, you had to first exhaust your week's limit. You then asked for
a further sum, say £75. The machine refused but asked if you wanted a
further transaction. Then, you slowly decremented the amounts you
were asking for by £5...70, 65, 60...and so on, down to £10. You then
told the ATM to cancel the last £5 transaction...and the machine gave
you the full £75. Some hackers firmly believe the bug was placed
there by the original software writer. This bug too has now been
fixed.
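The first of the two ATM weaknesses above, modelled as an added example (not code from the book or from any bank): the stripe is the only gate on the weekly limit, the buggy version writes it back only when the card is ejected, and the fixed version writes it after every dispense. The card layout, the £5 step and the amounts are assumptions of mine.

```python
# Added illustration for this chapter, not code from the book or from any
# bank: a model of the first ATM weakness described above, where the weekly
# 'cash drawn' field on the magnetic stripe was only written back when the
# card was ejected, so every 'another transaction?' round was checked
# against the stale value read at the start of the session.
# Assumptions (invented): the stripe holds the account number and the amount
# drawn this week; the ATM is off-line and trusts the stripe alone; cash is
# dispensed in multiples of £5.

from dataclasses import dataclass

WEEKLY_LIMIT = 100  # pounds; the chapter's 'usually £100'


@dataclass
class Stripe:
    account: str
    drawn_this_week: int


class AtmSession:
    """One card insertion, possibly spanning several transactions."""

    def __init__(self, stripe, fixed):
        self.stripe = stripe
        self.fixed = fixed  # True: write the stripe after each dispense
        self.pending = stripe.drawn_this_week  # running total in ATM memory
        self.dispensed = []

    def withdraw(self, amount):
        """Dispense and return True if the request is within the weekly limit."""
        if amount <= 0 or amount % 5:
            return False
        # The limit check reads the stripe.  In the buggy version nothing has
        # updated it since the card was read, so it cannot see withdrawals
        # made earlier in this same session.
        if self.stripe.drawn_this_week + amount > WEEKLY_LIMIT:
            return False
        self.dispensed.append(amount)
        self.pending += amount
        if self.fixed:
            self.stripe.drawn_this_week = self.pending
        return True

    def eject(self):
        """Write the running total back to the stripe and return the card."""
        self.stripe.drawn_this_week = self.pending
        return self.stripe


def run_session(stripe, requests, fixed):
    """Feed a list of requests to one session, answering 'yes' to every
    'another transaction?' prompt.  Returns (total dispensed, stripe total
    after eject).  The account is debited for everything dispensed either
    way; the stripe is only the gate on the weekly limit."""
    session = AtmSession(stripe, fixed)
    for amount in requests:
        session.withdraw(amount)
    card = session.eject()
    return sum(session.dispensed), card.drawn_this_week


if __name__ == "__main__":
    for fixed in (False, True):
        total, on_card = run_session(Stripe("00000000", 0), [100, 100, 100], fixed)
        print(f"fixed={fixed}: dispensed £{total}, stripe now records £{on_card}")
```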
Neither of these quirks resulted in hackers 'winning' money from
the banks involved; the accounts were, in every case, properly
debited. The only victory was to beat the system. For the future, I
note that the cost of magnetic stripe reader/writers which interface
to PCs is dropping to very low levels. I await the first inevitable
news reports.
Electronic Mail
Electronic mail services work by storing messages created by some
users until they are retrieved by their intended recipients.
The ingredients of a typical system are: registration/logging on
facilities, storage, search and retrieval, networking, timing and
billing. Electronic mail is an easy add-on to most mainframe
installations, but in recent years various organisations have sought
to market services to individuals, companies and industries where
electronic mail was the main purpose of the system, not an add-on.
The system software in widest use is that of ITT-Dialcom; it's the
one that runs Telecom Gold. Another successful package is that used
in the UK and USA by Easylink, which is supported by Cable & Wireless
and Western Union.
In the Dialcom/Telecom Gold service, the assumption is made that
most users will want to concentrate on a relatively narrow range of
correspondents. Accordingly, the way it is sold is as a series of
systems, each run by a 'manager': someone within a company. The
'manager' is the only person who has direct contact with the
electronic mail owner and he in turn is responsible for bringing
individual users on to his 'system' -- he can issue 'mailboxes'
direct, determine tariff levels, put up general messages. In most
other services, every user has a direct relationship with the
electronic mail company.
The services vary according to their tariff structures and levels;
and also in the additional facilities: some offer bi-directional
interfaces to telex; and some contain electronic magazines, a little
like videotex.
The basic systems tend to be quite robust and hacking is mainly
concentrated on second-guessing users' IDs. Many of the systems have
now sought to increase security by insisting on passwords of a
certain length--and by giving users only three or four attempts at
logging on before closing down the line. But increasingly their
customers are using PCs and special software to automate logging-in.
The software packages of course have the IDs nicely pre-stored....
Government computers
Among hackers themselves the richest source of fantasising
revolves around official computers like those used by the tax and
national insurance authorities, the police, armed forces and
intelligence agencies.
The Pentagon was hacked in 1983 by a 19-year-old Los Angeles
student, Ronald Austin. Because of the techniques he used, a full
account is given in the operating systems section of chapter 6. NASA,
the Space Agency, has also acknowledged that its e-mail system has
been breached and that messages and pictures of Kilroy were left as
graffiti.
This leaves only one outstanding mega-target, Platform, the global
data network of 52 separate systems focused on the headquarters of
the US's electronic spooks, the National Security Agency at Fort
Meade, Maryland. The network includes at least one Cray-1, the world's
most powerful number-cruncher, and facilities provided by GCHQ at
Cheltenham.
Although I know UK phone freaks who claim to have managed to
appear on the internal exchanges used by Century House (MI6) and
Curzon Street House (MI5) and have wandered along AUTOVON, the US
secure military phone network, I am not aware of anyone bold or
clever enough to have penetrated the UK's most secure computers.
It must be acknowledged that in general it is far easier to obtain
the information held on these machines--and lesser ones like the DVLC
(vehicle licensing) and PNC (Police National Computer)-- by criminal
means than by hacking -- bribery, trickery or blackmail, for example.
Nevertheless, there is an interesting hacker's exercise in
demonstrating how far it is possible to produce details from open
sources of these systems, even when the details are supposed to be
secret. But this relates to one of the hacker's own secret
weapons--thorough research, the subject of the next chapter.