The Trouble with Telemail (April, 1984)
---------------------------------------

Last month, two of our reporters took a trip to National Public Radio studios in New York to reveal a very interesting development. It seems that Telemail, the electronic mail service of GTE Telenet, was still just as easy to access as it was last year, prior to the October raids on computer owners who had allegedly broken into the system.

What had happened was this: a directory containing names of users on the Telemail system was obtained by our reporters - this list can be obtained from virtually any account on the system and, when printed out, is a couple of inches thick. They decided to go through this list and see if there were any accounts that still had the imaginative default password of "A" assigned to them. It had generally been thought, by both the public and press, that this incredibly foolish blunder had been corrected after the raids - in fact, new software was installed, which forced a user to change their password from the default when they logged on. All new passwords had to be between 6 and 8 characters in length. But, in a system with many thousands of customers, the reporters reasoned that surely there must be a few who hadn't yet logged on since the policy was implemented.

They decided to start their search with user names that began with "B." They'd enter Telenet through an 800 number, type MAIL, and enter usernames beginning with B that were listed in their directory. For each username, they'd enter "A" as the password, and if it didn't work, they'd go on to the next one.

The first account they tried was named B.ALEXANDER. They entered "A" as the password, and lo and behold, they were in! On the very first attempt! Robert Alexander of BUREC hadn't logged in since last summer. The "invaders" were told by the system to change the password and they complied. Then they decided to have a look around. While there was no mail to speak of in Mr.
Alexander's box, they were able to access bulletin boards that this account was allowed to look at. (Bulletin boards on Telemail are simply long-term storage message bases where messages of general interest to a particular group of people are posted.) All kinds of internal memos from the Department of the Interior were displayed.

In other words, the same old story. Nothing had really changed. Nearly half a year after seizing computers from coast to coast, the Telemail system was just as vulnerable to outsiders as it was before. Were the folks at GTE really interested in securing their system in the first place? Or did they just want to put the fear of the lord into hackers?

At first, when this story was breaking, GTE tried to deny that such a break-in was even possible. It had to be an inside job, they claimed, because nothing is wrong with our system. Then, when it finally started to become clear that this break-in did occur and that it was because of the default passwords once again, GTE took the expected step of blaming the customers. "We're not responsible for maintaining the security of the accounts," they said. "That's up to the subscriber," in this case, the Department of the Interior.

So, our two reporters came up with a plan. What if it hadn't been an outside agency's mailbox, but one belonging to GTE themselves? Who could they blame then? They went to the letter "D" this time and searched for accounts that were affiliated with GTE. The first one was D.CORCORAN and, once again, they got right in. And Denise Corcoran of GTE had access to literally hundreds and hundreds of bulletin boards with names like PAYROLL, GOVT.AFFAIRS, and JAPAN. On top of all this, it took GTE nearly a week to close access to these accounts, even after they were exposed on nationwide radio.

What our reporters proved here is that Telemail is either unable or unwilling to protect its customers. Unable? That hardly seems likely.
After all, most computer bulletin boards run by high school kids are able to protect their users' accounts from outsiders. Why can't one of the largest and most expensive electronic mail systems do the same? Apparently, what we have here is a company that has grown too big too soon, and is now unable to overcome the inertia that its size has created.

How to Really Have Fun
----------------------

Once a hacker manages to get into a Telemail account, he's really set. By typing DIR " at command mode, he can get a listing of everyone that the account is allowed to see - their username, full name, company and division, and user number. He can see any user if he figures out their full username or user number. Typing DIR USERNAME or DIR USER NUMBER will give all of the above information about that person, if he exists.

From the huge list that DIR " generates (which takes a couple of hours to print at 300 baud), a hacker can scan for passwords that are defaults, first names, last names, usernames, or company names. Some GTE test accounts, for instance, used to have a password of GEENOGTE.

Telemail allows three logon attempts per access. Telenet allows four accesses per call. So each call to Telenet will yield 12 logon attempts to Telemail. Judging from the huge number of users on the system, finding an easy password doesn't take all that long.

There are all kinds of neat features within Telemail accounts that seem to be exclusively beneficial to hackers. If the account has access to the SET command, the user can tell the system not to print a welcome banner on logon. The information that's printed on the welcome banner tells the user when his last access was. If a hacker arranges for that information not to be printed, the real user won't find out that his account was being used at 3:00 in the morning. And odds are that he won't really notice the absence of the message - if he does, he'll probably blame it on Telemail.

Then there's the UNREAD command.
This actually allows a person to read through someone else's undelivered mail, and put it back when they're finished without anyone knowing that it's been read (unless a message was sent with a return receipt, which is rare). Telemail, it seems, practically bends over backwards to accommodate hackers.

What's so great about having a Telemail account? Why should a hacker spend all this time getting one? It's another means of free (or cheap) communications. All one has to do is call Telenet, enter Telemail, and read or send messages that can be unlimited in length. He can share one account with someone else (which is the least risky way to work things) or communicate with another usurped account that's allowed to send to and receive from his account. This is naturally a bit more risky since if one account is reclaimed, both may end up being taken down. Transmission of messages on Telemail is instant and there's never a busy signal. More importantly though, Telemail seems to be beckoning the hackers to come back home.

(Shortly after this article was dispatched, we received word that Telemail no longer uses "A" as a default. Whether this is true at all, whether they're now using a default of "B," or whether they're using defaults period, is something that hackers will no doubt find out soon. Drop us a line if you find out anything.)
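
The attempt limits described above (three per access, four accesses per call) are counted per session, so they never register guessing that is spread one try at a time across many usernames. As an added example, not part of the original article, this Python code counts failed logons per source across sessions and lists the accounts that source then entered; the log format, field names and usernames are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the article); field names are assumptions.
# src = originating port, session = one mail access (three attempts allowed).
SAMPLE_LOG = """\
1984-01-01T03:00:00 src=port-A session=1 user=X.ONE result=FAIL
1984-01-01T03:00:20 src=port-A session=1 user=X.TWO result=FAIL
1984-01-01T03:00:40 src=port-A session=1 user=X.THREE result=FAIL
1984-01-01T03:01:10 src=port-A session=2 user=X.FOUR result=FAIL
1984-01-01T03:01:30 src=port-A session=2 user=X.FIVE result=FAIL
1984-01-01T03:01:50 src=port-A session=2 user=X.SIX result=OK
1984-01-01T09:00:00 src=port-B session=3 user=Y.SMITH result=FAIL
1984-01-01T09:00:30 src=port-B session=3 user=Y.SMITH result=OK
"""

def parse_log(text):
    recs = []
    for line in filter(None, map(str.strip, text.splitlines())):
        ts, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        rec["ts"] = datetime.fromisoformat(ts)
        recs.append(rec)
    return recs

def detect_spray(recs, window=timedelta(hours=1), min_users=5):
    """Sources failing against >= min_users distinct usernames within window."""
    fails = defaultdict(list)
    for r in recs:
        if r["result"] == "FAIL":
            fails[r["src"]].append((r["ts"], r["user"]))
    flagged = {}
    for src, events in fails.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            users = {u for _, u in events[start:end + 1]}
            if len(users) >= min_users:
                flagged.setdefault(src, set()).update(users)
    return {s: sorted(u) for s, u in flagged.items()}

def accounts_to_review(recs, flagged):
    """Accounts that a flagged source logged in to successfully."""
    return sorted({r["user"] for r in recs
                   if r["result"] == "OK" and r["src"] in flagged})

if __name__ == "__main__":
    flagged = detect_spray(parse_log(SAMPLE_LOG))
    print(flagged, accounts_to_review(parse_log(SAMPLE_LOG), flagged))
```

No session in the sample exceeds three attempts, yet port-A is flagged; port-B, a user mistyping their own password, is not.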