Ahao.194
net.followup
utcsrgv!utzoo!decvax!ucbvax!ARPAVAX:C70:sri-unix!hplabs!menlo70!hao!pag
Fri Mar 5 17:16:02 1982
Unix Security Breach -- LA Times Article
The previously mentioned LA Times article about security hole in UNIX
appeared in our local paper the Boulder "Daily Camera". For those
of you who might be curious, here it is:
---------------------------------------------------------------------
Students Crack Computers' Code
By Lee Dembart
Los Angeles Times
Computer experts are scurrying to counter what may be the most
serious threat to computer security ever.
A group of students at the University of California at Berkeley
figured out an extremely simple and undetectable way to crack a large
number of computer systems and remove, change or destroy the informa-
tion they contain.
News of the existence of the students' method has leaked out into
the computer community before manufacturers [huh? -- pag] have been
able to devise a way to neutralize the threat.
"We've been sitting around for years thinking about what if some
day something like this happened," said Donn Parker of SRI Interna-
tional in Menlo Park, Calif., one of the world's leading experts on
computer crime. "All of sudden it has, and we're now trying to deal
with it."
There is no evidence that anyone has actually used the method to
commit a crime.
Although SRI is distributing detailed instructions on the method
to computer operators [sic] with a need to know, it is reluctant to
discuss the specifics with the public at large.
However, Parker said that the method works by allowing a person
at a computer terminal to impersonate another user at another terminal
and have access to all of the data that the other user has.
The system in question in the UC Berkeley case is the UNIX, [I
love that! "The" UNIX] manufactured by the Digital Equipment Corp .,
although it is assumed that other systems would be affected as well.
Parker said that all UNIX-based systems -- of which there are
thousands operating in the world, including some used by the Depart-
ment of Defense -- are vulnerable to the security breach.
Under the new method, Parker said, "a person at one terminal can
effectively operate in the computer as though he were that other per-
son.
"If that other person has privileged access to the computer sys-
tem -- which allows him to get into the operating system itself --
then the impersonator has access to the entire computer system," he
said.
No one is sure exactly which UC students discovered the new
method. M. Stuart Lynn, director of computing affairs at Berkely
[sic], said that it was brought to his attention last September when
an anonymous message appeared on the computer's electronic mail sys-
tem, drawing people's attention to the problem.
"They did the responsible thing," Lynn said of the unknown dis-
coverers of the method. "They didn't exploit it. They intended to
bring it to people's attention."
Parker said there are several ways to defeat the new method, but
each has practical problems.
The ideal solution is to change the terminals so that they no
longer have the particular commands available to make the thing work
[huh??]. However, there are already as many as 3 million terminals
operating in the world that would have to be fixed at a cost estimated
at $50 to $60 each. [Let's see, $50*3,000,000 = $150,000,00 -- that
should be no problem for Digital Equipment Corp, manufacturers of the
UNIX].
--peter gross
-----------------------------------------------------------------
gopher://quux.org/ conversion by John Goerzen <
[email protected]>
of
http://communication.ucsd.edu/A-News/
This Usenet Oldnews Archive
article may be copied and distributed freely, provided:
1. There is no money collected for the text(s) of the articles.
2. The following notice remains appended to each copy:
The Usenet Oldnews Archive: Compilation Copyright (C) 1981, 1996
Bruce Jones, Henry Spencer, David Wiseman.