|
Story about the Treasury Department's AIS BBS, whi
NOTICE: TO ALL CONCERNED Certain text files and messages contained on this site deal with activities and devices which would be in violation of various Federal, State, and local laws if actually carried out or constructed. The webmasters of this site do not advocate the breaking of any law. Our text files and message bases are for informational purposes only. We recommend that you contact your local law enforcement officials before undertaking any project based upon any information obtained from this or any other web site. We do not guarantee that any of the information contained on this system is correct, workable, or factual. We are not responsible for, nor do we assume any liability for, damages resulting from the use of any information on this site.
*Treasury* Told Computer Virus Secrets
Whistleblowers Halted Display Available to Anyone With a Modem.
The Washington Post, June 19, 1993, FINAL Edition
By: Joel Garreau, Washington Post Staff Writer
Section: A SECTION, p. a01
Story Type: News National
Line Count: 151 Word Count: 1661
For more than a year, computer virus programs that can wreak havoc with
computer systems throughout the world were made available by a U.S.
government agency to anyone with a home computer and a modem, officials
acknowledged this week.
At least 1,000 computer users called a Treasury Department telephone
number, spokesmen said, and had access to the virus codes by tapping into
the department's Automated Information System bulletin board before it was
muzzled last month.
The bulletin board, run by a security branch of the Bureau of Public
Debt in Parkersburg, W.Va., is aimed at professionals whose job it is to
combat such malicious destroyers of computer files as "The Internet Worm,"
"Satan's Little Helper" and "Dark Avenger's Mutation Engine." But nothing
blocked anyone else from gaining access to the information.
Before the practice was challenged by anonymous whistleblowers, the
bulletin board offered "recompilable disassembled virus source code"-that
is, programs manipulated to reveal their inner workings. The board also
made available hundreds of "hackers' tools"-the cybernetic equivalent of
safecracking aids. They included "password cracker" software-various
programs that generate huge volumes of letters and numbers until they find
the combination that a computer is programmed to recognize as authorizing
access to its contents-and "war dialers," which call a vast array of
telephone numbers and record those hooked to a computer.
The information was intended to educate computer security personnel,
according to Treasury spokesmen. "Until you understand how penetration is
done, you can't secure your system," said Kim Clancy, the bulletin board's
operator.
But with this information, relative amateurs could create new viruses,
according to software writers.
"I am dismayed that this type of activity is being condoned by an
American governmental agency. I am extremely disturbed by the thought that
my tax money is being used for what I consider unethical, immoral and
possibly illegal activities," wrote an anonymous whistleblower quoted in
Risks Forum, a Silicon Valley-based electronic "magazine" where debate has
raged on the issue since it surfaced last month.
"That's like leaving a loaded gun around and people saying, 'It's not my
fault if someone picks it up and shoots himself in the head with it,' "
said Paul Ferguson, a Centreville computer consultant upset by Treasury's
practices.
The Treasury Department has little idea who has dialed up the bulletin
board, and what has been copied out of it, said spokesman Peter Hollenbach.
Hence it is impossible to judge if any damage has been done.
Hollenbach and some computer professionals minimize the risk, saying the
software on the bulletin board was acquired through the computer
underground in the first place, and thus had always been available to
miscreants with sufficient contacts, tenacity and skill. "Hackers don't go
to the Department of Treasury to get their hacking tools," Clancy said.
A computer virus is a program that can command a computer to damage or
wipe out data it contains. It "infects" a target computer by burying itself
in a legitimate piece of software that enters the host via a floppy disk or
communication with a computer network. It is called a virus because it is
designed to replicate itself onto any computer it comes in contact with. As
many as 2,000 viruses already exist, according to Peter G. Neumann,
publisher of Risks Forum. They have names such as Leprosy, Anthrax and
Cancer.
The potential for virus damage has increased geometrically as big
isolated mainframe computers are abandoned in favor of networks of small
PCs-some worldwide in scope-through which the viruses can migrate. "Because
of the distributed nature of the network, a virus can now reach thousands
of machines, requiring hundreds of thousands of dollars of man-hours to
clean up" once infected, said Ferguson.
The explosion of computer bulletin boards-dial-up systems that allow
users to trade any product that can be expressed in machine-readable zeros
and ones-has also added to the ease of virus transmission, computer
analysts say. "I am Bulgarian and my country is known as the home of many
productive virus writers, but at least our government has never officially
distributed viruses," wrote Vesselin Vladimirov Bontchev of the Virus Test
Center of the University of Hamburg, Germany.
The whistleblowers particularly objected to the Treasury bulletin
board's making available what amounted to dissected viruses, with their
internal workings made clear. This was worse, they maintained, than making
live viruses available. A person without the skill to write a brand-new
virus could nonetheless produce a variation on an existing one, they
feared. If sufficiently mutated, the virus might slip past anti-virus
programs designed to look for known products.
The Treasury Department became enmeshed in this controversy because it
is one of the most intense users of computers in the federal government.
All the billions of dollars of Treasury securities are handled, through the
Bureau of Public Debt, on computer networks, according to spokesman
Hollenbach.
The division's systems are overseen by the Automated Information Systems
(AIS) security branch. The AIS computer bulletin board was set up "as a way
to get information expeditiously to our information systems' security
managers," Hollenbach said.
Over time, however, "the word got out" about the existence of the AIS
bulletin board, said Hollenbach. "It became fairly well known throughout
the computer security community. There is no such thing as an unlisted
number anymore."
Nor was much effort expended to limit the use of the bulletin board to
security managers. Its creators described it as "open to the public" and
revealed its phone number last year in Computer Underground Digest (CuD),
an electronic "magazine" accessible via the computer networks. The magazine
is followed by those interested in the murky world of "hackers, crackers
and phone phreaks." It is edited by Jim Thomas, of the sociology and
criminal justice department of Northern Illinois University.
At first, the AIS bulletin board contained only routine security alert
postings. But then operator Clancy "began to get underground hacker files
and post them on her board," said Bruce Sterling, author of "The Hacker
Crackdown: Law and Disorder on the Electronic Frontier." "She amassed a
truly impressive collection of underground stuff. If you don't read it, you
don't know what's going to hit you."
This step was consistent with Clancy's earlier initiation of a
"roundtable" that she hosted on another hacker bulletin board. The
roundtable is a place where hackers and law enforcement professionals can
"let their hair down," Clancy said. There she had "politely discussed
intrusion techniques and law enforcement matters," Sterling said.
Such cooperation between hackers and security officers is hardly
unprecedented. Hackers frequently insist that their computer invasions are
public-spirited attempts to alert authorities to lax security. Others share
what they know because they are caught up in what Sterling describes as
"the brag, boast and strut" syndrome. They are willing to show law
enforcement officials what they can do in order to impress them.
But since the complaints began, Treasury officials, while not
disciplining Clancy, have shut down the "underground" portion of her
bulletin board. "It is not consistent with what we originally set out to
accomplish," Hollenbach said. "We decided to refocus back to our roots."
Clancy, 30, who is a former Air Force bomb-squad member, is highly
regarded in the computer security world. Sterling, one of the nation's
foremost writers about the computer underground, called her "probably the
best there is in the federal government who's not military or NSA (National
Security Agency). Probably better than most CIA."
The controversial information she made available was "the equivalent of
how to commit arson, or hot-wire cars-all of direct relevance to computer
security issues," Sterling said. "Every maladjusted sociopath with
Coke-bottle-bottom glasses has no trouble finding this stuff. The police
are the only ones not allowing themselves to look at this stuff."
Neumann of Risks Forum, however, is troubled by Clancy's actions. "It is
the classical double-edged sword. It might help, and might hinder. "You're
looking at a potential for serious disaster," he added. "If you're talking
about life-critical systems"-air traffic control, for instance-"it means
killing people."
Clancy, meanwhile, is staying in touch with the underground. In fact,
this week, she said, she was "testing a product for some hackers." Before
it goes into production, she will review it to find potential bugs. It is a
new war dialer called "Tone-Loc." "It's an extremely good tool. Saves me a
lot of trouble. It enables me to run a hack against my own phone system
faster" to determine points of vulnerability.
Clancy said she does not have any qualms about helping hackers test
systems-invasion techniques. She plans to use Tone-Loc and pass it on to
other security professionals to test their own systems, she said. "If I
didn't, it would not stop. It would continue. If I didn't do it, somebody
else would."
CAPTIONS: COMPUTER VIRUSES
What Is a Computer Virus?
Computer viruses are programs that insert copies of themselves into
other programs. Each time an infected program is used, the viral code is
executed, usually resulting in the infection of other programs.
Computer viruses vary in the degree of harm that they cause. Some do no
more than reproduce themselves, others can display a humorous or innocuous
message, while still others are designed to cause catastrophic damage by
erasing or altering electronic files in the computer.
Even seemingly innocuous viruses can inadvertently cause problems or
unpredictable behavior. For example, if the virus is using memory or disk
resources that another program needs, that program might crash.
How Do Computer Viruses Spread?
Viruses move from machine to machine through shared disks and over
computer networks. In a world of on-line computer services, networks,
shared computer facilities and overnight mail services, computer viruses
can spread at an alarming rate.
SOURCE: Datawatch Corp.
ORGANIZATION NAME: TREASURY DEPARTMENT; AUTOMATED INFORMATION SYSTEMS
DESCRIPTORS: Federal government; Software; Computer crimes; Accident
prevention and safety; Classified documents
|
|
