Ahao.194 net.followup utcsrgv!utzoo!decvax!ucbvax!ARPAVAX:C70:sri-unix!hplabs!menlo70!hao!pag Fri Mar 5 17:16:02 1982 Unix Security Breach -- LA Times Article The previously mentioned LA Times article about security hole in UNIX appeared in our local paper the Boulder "Daily Camera". For those of you who might be curious, here it is: --------------------------------------------------------------------- Students Crack Computers' Code By Lee Dembart Los Angeles Times Computer experts are scurrying to counter what may be the most serious threat to computer security ever. A group of students at the University of California at Berkeley figured out an extremely simple and undetectable way to crack a large number of computer systems and remove, change or destroy the informa- tion they contain. News of the existence of the students' method has leaked out into the computer community before manufacturers [huh? -- pag] have been able to devise a way to neutralize the threat. "We've been sitting around for years thinking about what if some day something like this happened," said Donn Parker of SRI Interna- tional in Menlo Park, Calif., one of the world's leading experts on computer crime. "All of sudden it has, and we're now trying to deal with it." There is no evidence that anyone has actually used the method to commit a crime. Although SRI is distributing detailed instructions on the method to computer operators [sic] with a need to know, it is reluctant to discuss the specifics with the public at large. However, Parker said that the method works by allowing a person at a computer terminal to impersonate another user at another terminal and have access to all of the data that the other user has. The system in question in the UC Berkeley case is the UNIX, [I love that! "The" UNIX] manufactured by the Digital Equipment Corp ., although it is assumed that other systems would be affected as well. Parker said that all UNIX-based systems -- of which there are thousands operating in the world, including some used by the Depart- ment of Defense -- are vulnerable to the security breach. Under the new method, Parker said, "a person at one terminal can effectively operate in the computer as though he were that other per- son. "If that other person has privileged access to the computer sys- tem -- which allows him to get into the operating system itself -- then the impersonator has access to the entire computer system," he said. No one is sure exactly which UC students discovered the new method. M. Stuart Lynn, director of computing affairs at Berkely [sic], said that it was brought to his attention last September when an anonymous message appeared on the computer's electronic mail sys- tem, drawing people's attention to the problem. "They did the responsible thing," Lynn said of the unknown dis- coverers of the method. "They didn't exploit it. They intended to bring it to people's attention." Parker said there are several ways to defeat the new method, but each has practical problems. The ideal solution is to change the terminals so that they no longer have the particular commands available to make the thing work [huh??]. However, there are already as many as 3 million terminals operating in the world that would have to be fixed at a cost estimated at $50 to $60 each. [Let's see, $50*3,000,000 = $150,000,00 -- that should be no problem for Digital Equipment Corp, manufacturers of the UNIX]. --peter gross ----------------------------------------------------------------- gopher://quux.org/ conversion by John Goerzen of http://communication.ucsd.edu/A-News/ This Usenet Oldnews Archive article may be copied and distributed freely, provided: 1. There is no money collected for the text(s) of the articles. 2. The following notice remains appended to each copy: The Usenet Oldnews Archive: Compilation Copyright (C) 1981, 1996 Bruce Jones, Henry Spencer, David Wiseman.