[More below..]

Pentagon Cyber-Hackers Claim NASA Also Cracked

RTos 4/23/98 7:37 AM  
 
    By Andrew Quinn
     SAN FRANCISCO (Reuters) - An international group of computer hackers
who successfully broke into the telecommunications backbone of the U.S.
military say they also stole key software programs from NASA.
     The group, which calls itself the "Masters of Downloading" or MOD,
said the cyber-attack had stripped the U.S. space agency of its chief
defense against computer intrusion and would allow them "to pass undetected
through their systems."

[Even if this wild claim was remotely true, knowing a security
 system and how to navigate through it does NOT mean you escape the
 security system logging. Thinking more rationally, we can see by
 repeated NASA hacks that there is NO standard security software/defense
 put in place by the Agency most likely.]

     MOD announced earlier it had broken into another sensitive site, the
Pentagon's Defense Information Systems Network (DISN), and stolen enough
information to "take control" of military satellites and other systems.
     MOD, which includes at least two Russian members, said it might
consider selling the information to international terrorist groups or
foreign governments.
     In Washington, the Defense Department confirmed the intrusion had
taken place but officials said the application downloaded was for
management and records-keeping rather than anything that could perform a
control function.

[And that it was available through anonymous FTP..]

     Susan Hansen of the Pentagon's Public Affairs office said: "The
equipment management software suite of the Defense Information System
Network is an unclassified application. It does not contain classified
information and does not perform control of classified systems."
     The DISN, which one Pentagon official described as the
"telecommunications backbone" for the Defense Department, is key to a
number of military systems including the Global Positioning System (GPS)
satellite network which U.S. military planners use for everything from
missile targeting to troop movement information.
     Computer expert John Vranesevich, who runs the AntiOnline website
devoted to information security issues (www.antionline.com), said Wednesday
that MOD had contacted him with new claims about a break-in at NASA.
     "They have access to a lot more than they've given to me, or let me
know about," Vranesevich told Reuters.

[Blindly believe what proven liars say?]

     "The materials that they've supplied to me are the bottom of the totem
pole, they are boosting their credibility with proof that they can get into
these various systems."
     According to MOD, which sent Vranesevich samples of the alleged NASA
software to back up its claim, members of the group broke into system
through the Jet Propulsion Laboratory (JPL) in Pasadena, California, and
took away enough information to effectively disable any "intruder alert"
system the agency's computers might have.

["Might have"? Before they were saying they could "pass undetected
 through their systems". One second they can pass through the security
 systems, the next they don't know what security measures are in place?]

     Specifically, the group said it now had key pieces of the NASA
Automatic Systems Incident Response Capability (NASIRC) software package
and was able to break into NASA computer servers with impunity.

[NASIRC is a series of security advisories released by NASA.
 #93-01 reports on a vulnerability in Novell Netware login.exe]

     NASA had no immediate comment on the group's claims, although one
official who had seen a list of the software allegedly stolen said "it
doesn't look too alarming."
     "It is pretty trivial stuff that is openly available. It doesn't look
like something a super-slick hacker would take," the official, who spoke on
condition of anonymity, said.
     Vranesevich, who has conducted several online interviews with MOD
members, said they appeared both more mature and more dangerous than the
teen-age hackers who mounted a widely-publicized cyber-assault on the
Pentagon in February.
     "They are much more secretive, much more careful, and much more
sophisticated," said Vranesevich, who was instrumental in tracking down the
18-year-old Israeli master-hacker known as the "Analyzer".

[
[9:21pm] [JP(jp@192.204.74.105)] on my site, I report that ; analyzer TOLD me that
[9:22pm] [JP(jp@192.204.74.105)] he was bouncing through ; 13 different boxes
[9:22pm] [JP(jp@192.204.74.105)] i certainly never tracked him down

[9:23pm] [JP(jp@192.204.74.105)] I would NEVER try to trace anyone that was speaking with me

[10:15pm] [JP(jp@192.204.74.105)] however, I feel the need to protect ALL of my sources
]

     He said MOD members, some of whom claim to be computer security
specialists themselves, contact him with an elaborate system of passwords
and cover their tracks by routing communication through a variety of
computer systems all over the world.

[Much like Analyzer and his 13 hops through systems..]
    
=-=



 [Moderator: Now how hard would this have been for the journalist
  writing the story? ]

 Forwarded From: Mark (Mookie)[SMTP:mark@ZANG.COM]
 Posted To: 	NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
 Forwarded From: "Prosser, Mike" 
 
 From what I can see, the DISA DEM software was/is publicly available
 at http://tcoss.safb.af.mil/common/HTML/DSC_support.htm (the link is
 broken though).
 No wonder the feds didn't bother to come after them ;-)
 
 By the looks of ftp://tcoss.safb.af.mil :
 220 tcoss2 Microsoft FTP Service (Version 3.0).
 Name (tcoss.safb.af.mil:root): ftp
 331 Anonymous access allowed, send identity (e-mail name) as password.
 Password:
 230 Anonymous user logged in.
 ftp> dir
 200 PORT command successful.
 150 Opening ASCII mode data connection for /bin/ls.
 11-20-97  05:16PM                 ActiveX
 01-27-98  02:47PM                 disd
 04-15-98  09:00PM                 Disn-W
 03-12-98  08:33PM                 DITCO
 04-14-98  01:45PM                    0 dspd8.tmp
 04-17-98  12:20PM                 MCI_TCOSS
 04-23-98  06:59AM                 PDCBOOK
 03-24-98  08:10PM                 R&R
 04-15-98  06:52PM                 TSRE
 11-20-97  05:27PM                 WinFrame
 ftp> cd Disn-W
 550 Disn-W: Access is denied.
 
 So it appears the "highly technical crack team" just ftp'd the
 software. Wow.
 They fixed the perms on the dir last week.
 
 And what they got:
 
 A software tool set called DEM (Visual Basic Programming based) melds
 the day to day network operations and maintenance efforts. DEM provides
 the entire RAVN team with a user friendly/graphical based set of tools
 that allow real-time network access for monitoring, control,
 re-configuration and testing of the critical pieces of hardware/software
 that make up the composite RAVN architecture. Both RIMS and DEM data
 bases are hosted on a stand alone RAVN server operated and maintained by
 NTAC personnel. The server is accessible via a Local Area Network
 connection and supports up to 25 simultaneous users.
 
 Sounds rather useless unless you have the databases of network
 equipment and device authentication parameters.
 
 Cheers,
 Mark
 mark@zang.com
 
 

[From: anonymous@nasa.gov]

---------- Forwarded message ----------

>      The group, which calls itself the "Masters of Downloading" or MOD,
> said the cyber-attack had stripped the U.S. space agency of its chief
> defense against computer intrusion and would allow them "to pass undetected
> through their systems."

	Unless they're able to h4x0r their way into the logging routines
and undo ink upon printer paper, they would sooner "pass undetected"  out
my ass than on the NASA networks I'm around.  The people I know who
maintain the network monitors are highly clued-in and I trust their
skills. 

>      Computer expert John Vranesevich, who runs the AntiOnline website
> devoted to information security issues (www.antionline.com), said Wednesday
> that MOD had contacted him with new claims about a break-in at NASA.
>      "They have access to a lot more than they've given to me, or let me
> know about," Vranesevich told Reuters.

	This is doubletalk.  "I know they have access to things they don't
let me know about."  What the hell?

>      According to MOD, which sent Vranesevich samples of the alleged NASA
> software to back up its claim, members of the group broke into system
> through the Jet Propulsion Laboratory (JPL) in Pasadena, California, and
> took away enough information to effectively disable any "intruder alert"
> system the agency's computers might have.
>      Specifically, the group said it now had key pieces of the NASA
> Automatic Systems Incident Response Capability (NASIRC) software package
> and was able to break into NASA computer servers with impunity.

	They claim access to NASIRC in specific.  BFD.  NASIRC logs and
tracks incidents.  It's the NASA equivalent of CERT.  To the best of my
knowledge, NASIRC does not possess [nor has it ever possessed] software
that allows it to cruise the NASA network without challenge. 

>      NASA had no immediate comment on the group's claims, although one
> official who had seen a list of the software allegedly stolen said "it
> doesn't look too alarming."

	The reason why is that the software is available pretty readily on
the NASA intranets.  My present guess is that these guys got on a
low-level NASA machine and connected via Lynx to NASIRC's internal pages.
From there, they got a few NASIRC packages and whoop-de-doo.