[More below..]

Pentagon Cyber-Hackers Claim NASA Also Cracked
RTos 4/23/98 7:37 AM
By Andrew Quinn

SAN FRANCISCO (Reuters) - An international group of computer hackers who successfully broke into the telecommunications backbone of the U.S. military say they also stole key software programs from NASA.

The group, which calls itself the "Masters of Downloading" or MOD, said the cyber-attack had stripped the U.S. space agency of its chief defense against computer intrusion and would allow them "to pass undetected through their systems."

[Even if this wild claim was remotely true, knowing a security system and how to navigate through it does NOT mean you escape the security system logging. Thinking more rationally, we can see by repeated NASA hacks that there is NO standard security software/defense put in place by the Agency most likely.]

MOD announced earlier it had broken into another sensitive site, the Pentagon's Defense Information Systems Network (DISN), and stolen enough information to "take control" of military satellites and other systems.

MOD, which includes at least two Russian members, said it might consider selling the information to international terrorist groups or foreign governments.

In Washington, the Defense Department confirmed the intrusion had taken place but officials said the application downloaded was for management and records-keeping rather than anything that could perform a control function.

[And that it was available through anonymous FTP..]

Susan Hansen of the Pentagon's Public Affairs office said: "The equipment management software suite of the Defense Information System Network is an unclassified application. It does not contain classified information and does not perform control of classified systems."

The DISN, which one Pentagon official described as the "telecommunications backbone" for the Defense Department, is key to a number of military systems including the Global Positioning System (GPS) satellite network which U.S.
military planners use for everything from missile targeting to troop movement information.

Computer expert John Vranesevich, who runs the AntiOnline website devoted to information security issues (www.antionline.com), said Wednesday that MOD had contacted him with new claims about a break-in at NASA.

"They have access to a lot more than they've given to me, or let me know about," Vranesevich told Reuters.

[Blindly believe what proven liars say?]

"The materials that they've supplied to me are the bottom of the totem pole, they are boosting their credibility with proof that they can get into these various systems."

According to MOD, which sent Vranesevich samples of the alleged NASA software to back up its claim, members of the group broke into system through the Jet Propulsion Laboratory (JPL) in Pasadena, California, and took away enough information to effectively disable any "intruder alert" system the agency's computers might have.

["Might have"? Before they were saying they could "pass undetected through their systems". One second they can pass through the security systems, the next they don't know what security measures are in place?]

Specifically, the group said it now had key pieces of the NASA Automatic Systems Incident Response Capability (NASIRC) software package and was able to break into NASA computer servers with impunity.

[NASIRC is a series of security advisories released by NASA. #93-01 reports on a vulnerability in Novell Netware login.exe]

NASA had no immediate comment on the group's claims, although one official who had seen a list of the software allegedly stolen said "it doesn't look too alarming."

"It is pretty trivial stuff that is openly available. It doesn't look like something a super-slick hacker would take," the official, who spoke on condition of anonymity, said.

Vranesevich, who has conducted several online interviews with MOD members, said they appeared both more mature and more dangerous than the teen-age hackers who mounted a widely-publicized cyber-assault on the Pentagon in February.

"They are much more secretive, much more careful, and much more sophisticated," said Vranesevich, who was instrumental in tracking down the 18-year-old Israeli master-hacker known as the "Analyzer".

[
[9:21pm] [JP(jp@192.204.74.105)] on my site, I report that ; analyzer TOLD me that
[9:22pm] [JP(jp@192.204.74.105)] he was bouncing through ; 13 different boxes
[9:22pm] [JP(jp@192.204.74.105)] i certainly never tracked him down
[9:23pm] [JP(jp@192.204.74.105)] I would NEVER try to trace anyone that was speaking with me
[10:15pm] [JP(jp@192.204.74.105)] however, I feel the need to protect ALL of my sources
]

He said MOD members, some of whom claim to be computer security specialists themselves, contact him with an elaborate system of passwords and cover their tracks by routing communication through a variety of computer systems all over the world.

[Much like Analyzer and his 13 hops through systems..]

=-=

[Moderator: Now how hard would this have been for the journalist writing the story?]

Forwarded From: Mark (Mookie)[SMTP:mark@ZANG.COM]
Posted To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Forwarded From: "Prosser, Mike"
[From: anonymous@nasa.gov]

---------- Forwarded message ----------

> The group, which calls itself the "Masters of Downloading" or MOD,
> said the cyber-attack had stripped the U.S. space agency of its chief
> defense against computer intrusion and would allow them "to pass undetected
> through their systems."

Unless they're able to h4x0r their way into the logging routines and undo ink upon printer paper, they would sooner "pass undetected" out my ass than on the NASA networks I'm around. The people I know who maintain the network monitors are highly clued-in and I trust their skills.

> Computer expert John Vranesevich, who runs the AntiOnline website
> devoted to information security issues (www.antionline.com), said Wednesday
> that MOD had contacted him with new claims about a break-in at NASA.
> "They have access to a lot more than they've given to me, or let me
> know about," Vranesevich told Reuters.

This is doubletalk. "I know they have access to things they don't let me know about." What the hell?

> According to MOD, which sent Vranesevich samples of the alleged NASA
> software to back up its claim, members of the group broke into system
> through the Jet Propulsion Laboratory (JPL) in Pasadena, California, and
> took away enough information to effectively disable any "intruder alert"
> system the agency's computers might have.
> Specifically, the group said it now had key pieces of the NASA
> Automatic Systems Incident Response Capability (NASIRC) software package
> and was able to break into NASA computer servers with impunity.

They claim access to NASIRC in specific. BFD. NASIRC logs and tracks incidents. It's the NASA equivalent of CERT. To the best of my knowledge, NASIRC does not possess [nor has it ever possessed] software that allows it to cruise the NASA network without challenge.

> NASA had no immediate comment on the group's claims, although one
> official who had seen a list of the software allegedly stolen said "it
> doesn't look too alarming."

The reason why is that the software is available pretty readily on the NASA intranets. My present guess is that these guys got on a low-level NASA machine and connected via Lynx to NASIRC's internal pages. From there, they got a few NASIRC packages and whoop-de-doo.

From what I can see, the DISA DEM software was/is publicly available at http://tcoss.safb.af.mil/common/HTML/DSC_support.htm (the link is broken though). No wonder the feds didn't bother to come after them ;-)

By the looks of ftp://tcoss.safb.af.mil :

220 tcoss2 Microsoft FTP Service (Version 3.0).
Name (tcoss.safb.af.mil:root): ftp
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 Anonymous user logged in.
ftp> dir
200 PORT command successful.
150 Opening ASCII mode data connection for /bin/ls.
11-20-97 05:16PM ActiveX
01-27-98 02:47PM disd
04-15-98 09:00PM Disn-W
03-12-98 08:33PM DITCO
04-14-98 01:45PM 0 dspd8.tmp
04-17-98 12:20PM MCI_TCOSS
04-23-98 06:59AM PDCBOOK
03-24-98 08:10PM R&R
04-15-98 06:52PM TSRE
11-20-97 05:27PM WinFrame
ftp> cd Disn-W
550 Disn-W: Access is denied.

So it appears the "highly technical crack team" just ftp'd the software. Wow. They fixed the perms on the dir last week.

And what they got:

A software tool set called DEM (Visual Basic Programming based) melds the day to day network operations and maintenance efforts. DEM provides the entire RAVN team with a user friendly/graphical based set of tools that allow real-time network access for monitoring, control, re-configuration and testing of the critical pieces of hardware/software that make up the composite RAVN architecture. Both RIMS and DEM data bases are hosted on a stand alone RAVN server operated and maintained by NTAC personnel. The server is accessible via a Local Area Network connection and supports up to 25 simultaneous users.

Sounds rather useless unless you have the databases of network equipment and device authentication parameters.

Cheers,
Mark
mark@zang.com