I have checked out the authenticity of the following memo with John
Kulik's office (Corp. Security - Investigations). [I did not do
this. - LK]
I N T E R O F F I C E   M E M O R A N D U M
Date: 15-Sep-1987 03:00pm GMT
From: BROTHERS
180974@DECMAIL@GVAML4@GEO
Dept: EURO SECURITY MNGR
Tel No: (7)830-4696
TO: See Below
Subject: VMS HACKER ACTIVITIES, EUROPE & WORLDWIDE
VMS HACKER ACTIVITIES, EUROPE & WORLDWIDE:
------------------------------------------
MEDIA ATTENTION
---------------
The hacker activities currently under investigation and
subject to media attention in Germany and UK are due to
climax in the coming days. Digital's market reputation
is likely to suffer as a result. Area, Functional and
Subsidiary Senior Management attention and support is
necessary to minimise that effect, particularly in the
areas of implementation of the VMS 4.5 patching programme,
dealing with the anticipated media questions and
consultation/support for injured customers. The
situation is being managed as a potential business crisis.
The current position follows:
1. The prestigious UK newspaper "THE GUARDIAN" has this
morning published the attached article, front page
top.
2. The German T.V. programme 'Panorama' will present a
programme this evening which it is anticipated will
not be complimentary to Digital.
3. The German CHAOS COMPUTER CLUB (CCC) is believed to
be calling a Press conference in Hamburg either
tomorrow Wednesday, 16th September or Friday 18th
September.
4. Other German T.V. stations are attempting to involve
our customer Max Planck Institute (MPI) in interviews
and photo sessions.
The reason for this focus is that one of the
identified hackers works for MPI. The Institute is
not expected to co-operate.
5. The magazine Datenschutz-Berater, a German Security
journal, has published an article on the case
(translation already circulated).
6. The German Press Agency is likely to sell the story
internationally.
7. Subsidiaries are already receiving requests from
sensitive Defence and other National Authority
customers relative to the allegations.
8. The American Broadcasting Corporation in UK is asking
for a taped interview for broadcast in US today.
CRISIS MANAGEMENT PLAN
----------------------
1. Dick Mahoney, Corporate VMS Marketing PR, will co-
ordinate the Corporate media responses.
2. Beat Stiefel and George Brothers will co-ordinate the
Area activity and liaise with Corporate functions.
3. Hermann Saenger and Georg-Peter Kraenzlin will co-
ordinate the German Subsidiary actions.
4. Alan Mercer and Robin Cole will co-ordinate the F/S
implementation plan and provide customers with
details of Trojan Horse identifiers.
5. ESDC Galway will expedite manufacture of sufficient
copies of the mandatory patch or VMS version 4.6 (see
para. 9 - Decision required).
6. Ralph Gilmor will co-ordinate the Area media
responses in conjunction with Dick Mahoney, Corp. VMS
PR and Jeff Gibson, Corp. PR.
7. Ray Humphrey will co-ordinate the interface with US
investigative authorities and locate and liaise with
DEC European managers currently visiting US.
8. George Brothers, Gerhard Friedrichs and Kent Anderson
will co-ordinate the continuing investigation with
the German Police and other international agencies.
The first objective is to discover the extent of the
hacker penetration and develop a plan to re-instate
the integrity of customer systems.
9. DECISION REQUIRED
It should be clearly understood that in the opinion
of Kent Anderson (Digital Competence Centre, Munich)
based on his investigation of the detailed hacker
transactions, simple overlay of the version 4.5 patch
WILL NOT secure customer systems which have already
had Trojan Horses (or certain VIRUS programmes)
installed by hackers. Kent believed that in order
to ensure the proper levels of system security,
customers should be advised to re-install Version 4.6
from an official Digital Distribution Media Kit, not
from system back-up which must be considered
contaminated.
A decision needs to be taken immediately to inform
customers of that fact and to make the relative
software available to them. It is highly likely,
however, that because of the extensive down-time
involved, customers will decide not to re-install as
advised and from discussions with customers whose
systems have been attacked, I believe this problem
will require the most sensitive handling.
Regards.
COPY OF ARTICLE FROM THE GUARDIAN DATED TUESDAY, 15TH
SEPTEMBER 1987.
QUOTE - FRONT PAGE HEADLINE ARTICLE
YOUTHS HACKED INTO SECRET NASA NETWORK
EXCLUSIVE
by Gareth Parry
Young West German computer hackers have successfully
broken into a top secret world-wide computer network which
connects the North American Space Agency's scientific
research centres with its counterparts in Britain, France,
Germany, Switzerland and Japan.
The attack has been kept secret by the intelligence
services, although the scandal was discovered months ago,
because it is feared that the knowledge the youths may
have gained puts them, and the integrity of various
American and European space development programmes in
extreme danger from Eastern bloc agents.
The space programmes involved cover a wide range of
applications. Nasa, for example, is working on space
platform technology, while Britain is looking at remote-
sensing satellites - a form of spy satellite project.
France is building up towards a manned satellite, and
Japan's projects concentrate on the computing aspects of
space communication.
The youths have told West German interior ministry
interrogators that they planted a programme known to
hackers as a Trojan Horse in the world-wide computer
network, Span, "for fun". They have denied accusations
of espionage.
The Trojan Horse enabled them to reap at will any or all
the secrets of Western space technology at a key-stroke.
The Trojan Horse can wait for a top security user to log
on with a secret password, and then record his key strokes
in a file, revealing everything that is said.
The attacked computers are the 4.4 and 4.5 state of the
art models made by Digital Equipment Corporate (DEC), one
of the most important and respected computer companies in
the world. DEC's latest computers, the VAXes and their
super-sophisticated software are interlinked with secret
Western technology, and Western governments claim the
VAXes can be used for designing, making and operating
weapons.
DEC recently disclosed that it has been given top security
validation by the National Computer Security Centre, an
agency operated by the United States government.
The company's VMS machines - virtual manning or standard
deck operation computers - were given two security
classifications. C2, signifying "controlled access", and
B2 "Trusted Path Requirements".
Despite this, the German hackers managed to penetrate
systems, implant Trojan Horses, giving unauthorised users
access; use the penetrated computer for their own
purposes; and alter accounts and security checks in such
a way that their presence went undetected.
Security sources said yesterday that the hackers "visited"
no fewer than 135 computer centres worldwide, leaving
their Trojan Horses and a general key word for their own
purposes within the system.
With the Horse and the keyword installed it was easy to
enter any associate of the Span network. The hackers
later delightedly observed that in some cases their
"modifications" had already been automatically taken into
the back-up versions which allow a security start-up if
any organisation fears that its defences have been
breached.
The West German hackers, who call themselves Data
Travellers, worked together on their target for more than
six months. Some of the groups are understood to be
insiders in some of the agencies working with DEC computers,
and therefore had access to all the highly-classified
operating systems manuals.
This insider involvement enabled them to detect a hitherto
undiscovered flaw in the computer system which they used
as a "doorway" into computers of the same type.
That flaw was, however, known to some experts, and its
implications were discussed in the German computer
security magazine Datenschutz-Berater of Pulheim. The
magazine showed how people who penetrate high-technology
computers could be at risk from desperate political
agencies hungry for rival countries' computer know-how.
The hackers' activities would have continued unhampered
but for a security manager of a German research laboratory
alerted by the Datenschutz-Berater article. He noticed
abnormalities in a computer system, and carried out his
own intensive investigation for several days. He
discovered that Trojan Horses could be isolated.
Two of the hackers were identified - the insiders. Then
the security manager made a move which later appalled the
security services: he revealed details of his discovery,
including the names and employers, in a "mail-box" in the
general computer network. His message ended ".... in
hope that some-one, somewhere ... might perform physical
violence on them".
The named youths felt exposed and in danger. They went
to Datenschutz-Berater, which informed DEC and other DEC
computer users.
DEC said it was aware of the flaw in its system and had
counteracted it.
This May it informed all customers of a "mandatory patch".
This patch amends an operating system and effectively
erects a bar against Trojan Horses and other penetrations.
Intelligence sources say, however, that, as with most
computer hacking crimes, the blame lies not with the
computer but with lax security by users. A DEC spokesman
said last night that the company was still conducting an
intensive internal inquiry. The whereabouts of the
hackers is unknown.
Ms Teresa Tomsett, a DEC spokeswoman in Britain, said:
"There will always be organisations which challenge to
break through security levels, but our engineering and our
servicing people are all very well trained."
UNQUOTE