The Hacker Video

by Emmanuel Goldstein

Over the summer, military computer systems in the United States were accessed by Dutch hackers.  One of the episodes was captured on videotape by 2600, portions of which were shown on a recent nationwide television show.  Most of it, however, has never been seen.  We are releasing this videotape to the public so that more people will witness just how shamefully easy it is to get access to military computers.

The intrusion took place in late July 1991.  The purpose of this demonstration was to show just how easy it really was.  Great care was taken to ensure that no damage or alteration of data occurred on this particular system.  No military secrets were taken and no files were saved to a disk by the hackers.  What is frightening is that nobody knows who else has access to this information or what their motivations might be.  This is a warning that cannot be taken lightly.

Explanation of the Videotape

The tape opens with some background shots of the hacker site in Amsterdam.  Basically, it's a group of about five people in their twenties gathered together to match wits and play with computers.

Through a local phone number, a connection is made to the Internet.  This network ties together schools, corporations, and government installations around the world.  By connecting from one machine on the Internet to another, you can use two or more computers at once, without a noticeable loss of speed.

$ telnet 192.67.67.20 # nic.ddn.mil
Trying 192.67.67.20...
Connected to 192.67.67.20.
Escape character is '^]'.
  -- DDN Network Information Center --
*
*  For TAC news, type:                    TACNEWS <return>
*  For user and host information, type:   WHOIS <return>
*  For NIC information, type:             NIC <return>
*
*  For user assistance call (800) 235-3155 or (415) 859-3695
*  Report system problems to ACTION@NIC.DDN.MIL or call (415) 859-5921

* SRI-NIC, TOPS-20 Monitor 7(21245)-4
@ whois
WHOIS
SRI-NIC WHOIS 3.5(1090)-1 on Tue, 22 Aug 91 15:49:35 PDT, load 9.64
  Enter a handle, name, mailbox, or other field, optionally preceded
  by a keyword, like "host sri-nic".  Type "?" for short, 2-page
  details, "HELP" for full documentation, or hit RETURN to exit.
---> Do ^E to show search progress, ^G to abort a search or output <---
Whois: army.mil

Using a program called telnet, the hackers connect to the Defense Data Network Information Center.  (Telnet enables a user to actually login to systems all over the world.)  In this case, the particular address is 192.67.67.20, a computer which requires no password and is open to everyone.  (The address has since been changed to 192.112.36.5.)  It is a clearinghouse of information about various systems and their users.

The hackers are met with a Whois: prompt.  The computer is asking them who they want to have checked out.  The hackers type army.mil, indicating any computer on the military network that has the word "army" in its address.  The computer spits out over one thousand computer names and addresses.

A computer named tracer.army.mil at address 192.33.5.135 is chosen at random.  (This computer is believed to be located at Los Alamos, but this has not been confirmed.)  The hackers then begin to try default passwords, like guest, public, uucp, etc.  None of these work.

$ ftp -n tracer.army.mil
Connected to tracer.army.mil
220 Ftp server at tracer.army.mil (Version R3-4) ready.
ftp> quote user ftp
331 Guest login ok, send identity as password
ftp> quote cwd ~root
530 Please login with USER and PASS.
ftp> quote pass ftp
230 Guest login ok, access restrictions apply.
ftp> ls -al
200 PORT command okay.
150 Opening data connection for /bin/ls -al
...

The next line of attack is the FTP command.  By using File Transfer Protocol (FTP), anyone can copy files from one system to another.  FTP is similar to Telnet in that it connects to systems all over the world.  But while Telnet is used to login to systems, FTP is only used to transfer files.  In addition, it is not necessary to have accounts on more than one machine in order to use FTP.

The way it works is as follows: a user logs into a machine on the Internet.  Using FTP, he connects to another machine, which then asks him for a username.  By typing anonymous, the user is granted limited access to the machine.  The purpose of this is so that public files can be made available without having to give out accounts to everyone needing access.

ftp> quote user ftp
ftp> quote cwd ~root
ftp> quote pass ftp

But this version of FTP has at least one major bug in its software.  By issuing the above commands, the user is not only able to gain access to the machine, but change his directory (location) on the system to the root directory.  (Root is the most powerful account on the system.)  So instead of being able to look at a limited number of files on the system, the anonymous user is now able to look at anything.  In addition, the hackers can also change anything, albeit with great difficulty.  This is because the hackers are not actually logged into the system.  They are still confined to working within the framework of the FTP program.

At this stage, while the hackers can read and alter any bit of information on this military system, they cannot run any programs.  Also, they cannot actually login to the system.  But this doesn't remain a problem for very long.
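The sequence the article calls the "FTP bug" is visible on the wire as a CWD issued after USER but before PASS, which a correctly behaving server should refuse.  The following is an added example, not code from the article or the video: a small check run over a constructed transcript of client commands (the session and the PORT address are made up) that flags any command a client sends in that unauthenticated window.

```python
"""Flag FTP client commands issued between USER and PASS.

Added example, not part of the 2600 article.  The transcript below is
constructed to mirror the command order the article describes; only the
client side of the session is shown.
"""
from dataclasses import dataclass

# Constructed sample session (client commands only).
SAMPLE_SESSION = """\
USER ftp
CWD ~root
PASS ftp
PORT 192,0,2,10,4,1
LIST
RETR /etc/passwd
"""


@dataclass(frozen=True)
class Finding:
    line_no: int
    command: str
    reason: str


def audit_ftp_commands(transcript: str) -> list:
    """Return a Finding for each command sent after USER and before PASS.

    Per the FTP protocol the only acceptable follow-up to USER is PASS (or
    QUIT); any other verb in that window asks the server to act on a session
    that has not finished logging in, which is exactly the window the
    article's 'FTP bug' abuses.
    """
    findings = []
    awaiting_pass = False
    for n, raw in enumerate(transcript.splitlines(), start=1):
        parts = raw.strip().split(None, 1)
        if not parts:
            continue
        verb = parts[0].upper()
        if verb == "USER":
            awaiting_pass = True
        elif verb in ("PASS", "QUIT"):
            awaiting_pass = False
        elif awaiting_pass:
            findings.append(Finding(n, raw.strip(),
                                    "command sent between USER and PASS"))
    return findings
```

A server that answers such a command with 530 and does nothing else is behaving correctly; the check is useful on ftpd command logs to spot clients probing for servers that do not.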

ftp> get /etc/passwd
# Exit FTP and modify passwd file on local system

Since FTP allows users to copy files, the hackers choose to copy the password file (known as /etc/passwd).  This file contains a list of every user on the system along with their encrypted password.  It is virtually impossible to actually decrypt these passwords, which is why the file is readable by any user on the system.  (It is not supposed to be readable through FTP, however.)  Ordinarily, copying this file would not be very significant.  However, once the hackers have the file copied to their local system, they carefully insert another user into it.  Since the system believes they have certain privileges, it allows them to replace the old version of the password file with their new version.

The username they create is dquayle.  In the field where the encrypted password would be is nothing.  This means there is no password for Dan Quayle's newly created account.  Hence they do not have to worry about decrypting it.  The hackers apparently had intended to give dquayle root privileges by inputting the appropriate values for his account.  But a careful look at the videotape will show that dquayle was not given any special privileges.

$ ftp -n tracer.army.mil

ftp> quote user ftp
ftp> quote cwd ~root
ftp> quote pass ftp
ftp> put /etc/passwd
ftp> exit

The hackers repeat the first series of steps (henceforth known as the "FTP bug") to once again get root privileges.  The original /etc/passwd file is now replaced with the modified version containing the fictitious user dquayle.

$ telnet tracer.army.mil

The hackers reconnect to the military system, which asks for a username.  The hackers type in dquayle.  Access is granted without a password.

But root access is not granted.  Instead, a warning is printed on the screen indicating that the terminal is "not a secure device."  In many cases, the system will not allow root access to anyone coming in from the outside.  This was what originally appeared to have happened.  However, as mentioned earlier, dquayle had no special privileges, so the system never even tried to access root.  Either way, it would seem that the hackers' ultimate goal has been thwarted.

# Exit Telnet and modify passwd file on local system
$ ftp -n tracer.army.mil
ftp> quote user ftp
ftp> quote cwd ~root
ftp> quote pass ftp
ftp> put /etc/passwd
ftp> exit

Instead of giving up, the hackers go back to their copy of the password file.  They make another account, this time with root privileges and no password.  This account they call toor, the word root backwards.  They once again make use of the FTP bug to "put" the new password file on the system.
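Both inserted accounts leave a trace in /etc/passwd itself: dquayle has an empty password field, and toor is a second UID 0 entry.  Neither shows up in a login log, since the file was replaced over FTP, so the practical check is to audit the file directly and compare it against a known-good copy.  The following is an added example, not code from the article: the passwd records and the baseline are constructed, and the hash strings are placeholders.

```python
"""Audit /etc/passwd-style records for the two tampering patterns in the article.

Added example, not part of the 2600 article.  SAMPLE_PASSWD and
SAMPLE_BASELINE are constructed; the password fields marked PLACEHOLDER are
not real hashes.
"""
from dataclasses import dataclass

SAMPLE_BASELINE = """\
root:xxPLACEHOLDERxx:0:0:Operator:/:/bin/sh
daemon:*:1:1::/:
ftp:*:14:50:Anonymous FTP:/home/ftp:/bin/false
jsmith:yyPLACEHOLDERyy:201:20:J. Smith:/home/jsmith:/bin/csh
"""

# The same file after the two insertions the article describes.
SAMPLE_PASSWD = SAMPLE_BASELINE + """\
dquayle::202:20:Dan Quayle:/home/dquayle:/bin/sh
toor::0:0:Backdoor:/:/bin/sh
"""


@dataclass(frozen=True)
class Finding:
    user: str
    reason: str


def parse_passwd(text: str) -> dict:
    """Map username -> 7-field record, skipping blank and comment lines."""
    records = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            fields = line.split(":")
            if len(fields) == 7:
                records[fields[0]] = fields
    return records


def audit_passwd(text: str, expected_uid0=("root",)) -> list:
    """Flag empty password fields and UID 0 accounts other than root."""
    findings = []
    for user, fields in parse_passwd(text).items():
        pw, uid = fields[1], fields[2]
        if pw == "":
            findings.append(Finding(user, "empty password field"))
        if uid.isdigit() and int(uid) == 0 and user not in expected_uid0:
            findings.append(Finding(user, "UID 0 account other than root"))
    return findings


def new_accounts(current: str, baseline: str) -> list:
    """Usernames present now that were absent from the known-good copy."""
    return sorted(set(parse_passwd(current)) - set(parse_passwd(baseline)))
```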

$ telnet tracer.army.mil
$ su toor
#

Using Telnet, the hackers once again login as dquayle.  This time, after the warning is issued, they issue a two-letter command (su) followed by their new username (toor).  The su command allows a user to switch to the identity of another user while logged in.  It saves the trouble of hanging up and calling back into the system and is useful if someone has two accounts or if two users are sharing a terminal.  In this particular case, the hope is that the su command will not check to see if the call was coming from outside.

No password is requested since none was entered into the toor account.  A single # on the screen tells the hackers that their mission has succeeded.  That symbol indicates true root access.  The su command granted them root access even though they were coming in from the outside.  Since they were already logged onto the system, su assumed they were legitimate.  This military computer system (tracer.army.mil) is now completely under the hackers' control.

The rest of the night is spent looking for interesting bits of data to prove beyond a doubt that this is not a system for just anyone to be in.  The next day, some of the data is scrolled through.  Among the more interesting pieces is a memo from the Counterterrorism Officer dated January 15, 1991 (the deadline day for Iraqi troops to be withdrawn from Kuwait) discussing security issues.  Clearly, this is sensitive information.

How Passwords Are Guessed

The final part of the tape illustrates a password hacker program.  Using the aforementioned password file, the program comes up with the most commonly used passwords.  Instead of decrypting the passwords in the password file, it encrypts the possible passwords (the encryption algorithm is standard) and then compares them to the actual passwords.  If they match, then a password has been found.  In the example shown (from a different system), many passwords are found in this manner.

Why We Are Exposing This

The hackers responsible for this are not interested in military secrets.  But they do recognize the importance and value of the information that is stored on such computers.  The fact of the matter is that if these gaping security holes are not openly exposed, they will never get fixed.  Ironically, the bug that was used in this particular case is a fairly old one that has been fixed on most systems.  Why it still existed on a military system is beyond us.  But we do know that this is only one system and only one bug.

Corporate computer systems also continue to operate with security holes.  As hackers, we are concerned with the lack of safeguards that are being placed upon sensitive data.  In addition to military data, much information about individual people continues to be sloppily managed.  Our credit ratings, telephone records, banking information, and computerized files of all sorts are open to scrutiny for anyone who can gain access.

We should stress that the vast majority of unauthorized access does not involve computer hackers.  Since we have no ulterior motives, other than the quest for knowledge, we openly reveal whatever we find out.  Unfortunately, this often results in our being blamed for the problem itself - confusing the messenger with the message.  In reality, there are countless instances of employees invading the privacy of individuals by accessing credit files or billing information that they have no business seeing.  Since this information is so easy for them to get hold of, there is virtually no way of their being detected.  And, even if they were detected, they aren't really breaking any laws.

Add to this the increasing fragility of our modern technology as computers become dependent upon other computers and it becomes evident that serious problems, even catastrophes, lie ahead.  The actions of computer hackers are, at worst, an annoyance to some rather powerful people.  Were we not to expose the flaws in the system, they would still be there and they would most definitely be abused.

We will send you a VHS copy for $10 or 3 blank 120 tapes.