TITLE: Youth is a Suspect in Theft of Software
FROM: The Chicago Tribune
DATE: September 17, 1987
A 17-year-old North Side youth is under investigation by the U.S. Secret
Service and the U.S. attorney's office for allegedly breaking into AT&T
computers across the nation and stealing sophisticated software valued
in the thousands of dollars. The youth is also suspected of advertising AT&T's
security devices over a network in Texas that is used as a "bulletin
board" by computer enthusiasts. The sole purpose of the computer network in
Texas, known as "Phreak Class-2600" is "to educate computer enthusiasts ... to
penetrate industrial and government sector computer systems," according to
a sworn affidavit filed in U.S. District Court by Assistant U.S. Atty.
William J. Cook.
On Sept. 4, Secret Service agents carrying a search warrant raided the
home of the youth, identified as Herbert D. Zinn Jr., of 6211 N. Artesian Ave.
The agents confiscated computers and the software that was stolen during the
break-ins, according to U.S. Atty. Anton R. Valukas. A sworn affidavit
filed in U.S. District Court by Secret Service Agent Patrick Convery said the
youth, using the code-name "Shadow Hawk," is suspected of breaking into an
AT&T computer at NATO Maintenance and Supply Headquarters in Burlington, N.C.
and an AT&T computer at Robins Air Force Base, Georgia, during the last
five months.
In addition, he also broke into AT&T computers at Bell Labs in
Naperville and New Jersey, according to the affidavit. Among the software
stolen during the break-ins was an artificial intelligence program that is
not yet on the market, the affidavit said. A single copy of the software is
valued at $5,000, but AT&T told the Secret Service that the program has an
estimated market value of $1 million.
An analysis of long distance calls made from Zinn's telephone disclosed
that attempts also were made to gain access to computers at the accounts
payable department of the Washington Post newspaper, a hospital in South
Bend, Ind.; and computers in Columbus, Ohio; Rye, N.Y., and Pipe Creek, Tex.,
according to the government. Zinn's father, Herbert D. Zinn Sr., declined
to comment.
However, the affidavit said, the elder Zinn had recently retired from
auto radio installation work, and federal investigators were told
that Zinn's son was "a bright boy" whose father had bragged at work that
his son's interest in computers "had just taken off."
"We consider this to be very serious," Valukas said. "We have said
from the beginning that we would take an aggressive stance in this area. We
are currently reviewing the matter and no charges have been filed." A
17-year-old is considered a juvenile under federal law. Valukas
characterized the software taken from NATO and the Air Force base as "low
level in terms of sensitivity."
Kathyryn Clark, a spokesman for AT&T, said "I'm aware of it. Our
security systems alert us when there is this type of break. It's in the hands
of the U.S. attorney."
Last June 6, Henry Kluepfel, an AT&T corporate security official, tuned
into the Phreak Class-2600 and spotted messages from Shadow Hawk, the
affidavit said. Shadow Hawk bragged in the messages that he had successfully
gained access to AT&T computer files and said he was interested in creating
some "Trojan horses" in the AT&T network. A Trojan horse, in computer
lingo, is an unauthorized computer program placed into a computer. Later
that month, another AT&T corporate security official spotted a statement
made by Shadow Hawk on another computer bulletin board in Chicago.
In that message, Shadow Hawk provided the names, telephone numbers,
passwords and other critical information needed to gain access to
seven different AT&T computers, according to the affidavit. On July 7,
a computer break-in at the Bell Labs computer in Naperville was discovered
and a record of the intruder's telephone number was spotted on the
compromised computer, the affidavit said. Illinois Bell then began using a
device known as a dial number recorder to log all calls made from the
telephone number, the affidavit said. From July 17 through July 19, the Zinn
computer gained access to the NATO computer by using an unauthorized
password, according to the government.
The Zinn computer transferred software packages valued at $21,000
from the NATO computer, the affidavit said. On July 23, the AT&T software
program with an estimated $1 million market value vanished from the Bell
Labs computer in New Jersey. And, on July 27, $3,000 worth of software was
taken from Bell Labs. On July 31, the Zinn computer, according to the
affidavit, entered an AT&T computer that was holding a software program
used by the regional Bell System companies to record telephone service
requirements for customers.
That program, "if manipulated can give free telephone service and it can
be used to disrupt or halt telephone communications," the affidavit said.
On Aug. 1 and Aug. 3, 16 entries into the Naperville computer were made and
$40,000 worth of software used to support AT&T's electronic switching
system was stolen, according to the government.
On Aug. 28, the Zinn computer broke into the AT&T computer at Robins
Air Force Base and stole software that was used to back up a switching system
used by the Department of Defense, the affidavit said.
It seems that Shadow Hawk was severely busted for hacking. If he does not go
back into the hacking world, he should be remembered as one of the better
hackers (much better than most hackers). Shadow Hawk made several scans
of local exchanges and was known to have broken into many computers. He was
very good with the Unix operating system and definitely knew what he was
doing. As I said before, he should be remembered as one of the better hackers
of the hack/phreak world. Now I will go into the article in detail with some
explanations on different things mentioned.
======================================
"The sole purpose of the computer network in Texas, known as 'Phreak
Class-2600' is 'to educate computer enthusiasts ... to penetrate industrial
and government sector computer systems.'"-
The bbs described as "Phreak Class-2600" is actually "Phreak Klass
Room 2600." The current number to this bulletin board is (806) 799-0016. The
board isn't the greatest but it does have some very knowledgeable people on it.
As described in the article, Phreak Klass is meant to educate people to
phreaking and hacking. If you would like to learn more about phreaking and
hacking, then please call. The current login is: EDUCATE. The board is public
and does not print codes or passwords to systems. The board is up for
educational purposes and codes or passwords are not tolerated.
======================================
"Henry Kluepfel, an AT&T corporate security official, tuned into the
Phreak Class-2600 and spotted messages from Shadow Hawk"-
This would indicate that there is currently an AT&T security official
on Phreak Klass. It is also likely that this security official, named Henry
Kluepfel, is on other bulletin boards related to the topics of phreaking and
hacking. Although this security official was/is monitoring messages on
Phreak Klass, it is unknown whether or not he had anything to do with the bust
of Shadow Hawk. He might still be there and it is not known by which handle he
goes by.
Although many names are definitely not the informant, it should be assumed
that one of the users on this list is Henry Kluepfel (PK Userlist):
This security agent "spotted messages from Shadow Hawk". Here are some of
Shadow Hawk's posts from Phreak Klass:
Numb: 31
Subj: SHIT.
From: SHADOW HAWK
Date: MON MAY 11 2:08:53 AM
Looks like I've got a lot to learn as far as the TELE part of telecom goes...
I've got a question about trunks: Would someone mind explaining just how they
work, how you can 'drop into' a trunk w/2600, what a physical trunk (assuming
it's just wires) looks like, etc.
Also, around here there are these weird green manholes that look more like
portholes to tanks than manhole covers. They usually are accompanied by a box
of the same shade, which usually has a red light (enclosed) as an appendage.
My question is, what the hell are they? There are none close enough to my
locale for me to actually attempt to enter one, but if their 'insides' are as
hi-tech as the outside looks... you get the picture
Later,
(_>Shadow Hawk<_)
I don't think it would be THAT hard. Probably just a small sequencer & about 16
bits of DRAM, as well as a timer & of course the tone generator and keyboard
encoder. Now that may sound complicated but with today's electronics it could
all be done with probably around 6 ICs.
I had something like this in mind a while ago, the ultimate Telecom/computer
tool. It goes something like this: a 1 MHz A/D and a 1 MHz D/A converter (16
bit resolution each) are connected basically to whatever you want, and to the
computer via an RS-232 interface. 'Whatever you want' is your phone line, your
ham radio, or even your LAN. It's basically a computer controlled
oscilloscope/waveform generator, except that there's no way it could run at
full 1 MHz without about 16 megs of 16 bit ram & a REALLY fast coprocessor to
convert the raw waveform data into more easily convertable data. I've been
looking for a tech to help me out with this one for a long time, but to no
avail.
(the purpose, in case it wasn't readily apparent from the above, is to
1) tone dial, 2) MF dial, 3) generate ANY modem standard, 4) FAX, 5) 'scope,
6) voice recognition? The list goes on and on...)
Executioner: I'm fairly certain that the '*' (I'm assuming that you mean the D
key on a modified touch tone keypad) connects you only to a testing device of
some sort. If my assumption was wrong, would you please explain how to do it?
It sounds interesting...
(_>SH
Numb: 35
Subj: mail? what mail?
From: SHADOW HAWK
Date: MON JUN 1 9:25:28 PM
I know of the multitude orating TH's, but that method was(is)
for a particular system where I can't even chown; I've got access to everything
else though.
Mail: As the title says, what mail? I thought I'd responded to your last mail,
but I guess not... Call me!
(_>Shadow Hawk<_)
Numb: 7
Subj: Reply to Question/Mercenary
From: SHADOW HAWK
Date: FRI MAY 22 1:09:44 PM
I've never had any problems with just dialing straight through 1 (one) sprint
950. Call me crazy, stupid, or an excessive taker of risks, but I've never even
had a run in with Sprint Security. Probably because I don't hack the codes out
myself, but that's another story.
(_>Sh
Numb: 33
Subj: BUGS
From: SHADOW HAWK
Date: MON MAY 11 2:17:12 AM
This should really go on the phreak board, BUT...
If you're referring to the bugs that are sold by deco industries, and you can
tell by their ads: they always compare their bugs to a dime or a quarter,
they're actually not that bad a deal. The phone line bug that they sell will
transmit about a quarter to a half a block, and is powered completely from the
phone line. Their other bug, the one that's powered by (I think) a 9 volt
battery & is itself the size of a quarter, will go about 1-2 blocks. This is
without any real antenna, (except of course the phone line, or the battery
wires, respectively) which would be pretty good, except that they transmit on
the FM band. If you can find a spot on FM where there's no station, and can tune
both your receiver and the bug-transmitter to the same frequency, then you've
got it made.
As to construction, they're actually pretty easy to build if you've ever used a
soldering iron in your life. If not, make friends with a tech. and ask her/him
to do it, it is little more than a 5 minute assembly job for anyone with ANY
experience.
Later, (_>Shadow Hawk<_)
======================================
"Shadow Hawk bragged in the messages that he had successfully gained access
to AT&T computer files and said he was interested in creating some 'Trojan
horses' in the AT&T network."-
This statement in the article refers to the following messages that
this security official read on Phreak Klass. Here are the messages posted by
Shadow Hawk as well as the appropriate responses (all from PK, of course):
Numb: 39
Subj: another 'stuff' already.
From: SHADOW HAWK
Date: MON MAY 11 2:21:47 AM
I better make this quick, 2 minutes left.
I've got all this source code (Notesfiles, UnAxcess, *ALL system 5 source) as
well as this list (399K) of AT&T Unixes on their net, and nothing to do with
them. Anyone out there wanna help me make some serious 'trojans?' I REALLY like
abusing the net...
Later,
(_>Shadow Hawk<_)
Numb: 38
Subj: uucp
From: SHADOW HAWK
Date: SUN MAY 31 2:16:59 AM
I've got this idea for a trojan horse type of deal...
A shellscript, run under nohup, with the 'victim' tty being the one I'm on, and
linked to the nohup.out file. I log out, and the nohup starts doin' its thing.
I think you can figure out the rest for yourself. The question is, will itit right
now but I'm doing an 8 meg uucp transfer through it
at the moment.
Later,
(_>SH
Numb: 30
Subj: my first born...
From: DRUIDIC DEATH
Date: WED MAY 13 2:36:54 PM
I'll trade you my first born for a
chance to hack those systems. I'm
pretty good at TH and decoy
programming, so sure I'll help you.
I'd love to download the 399K
list for you too. Let's work out
a deal, how about it?
DRU'
Numb: 31
Subj: unix from the top down
From: THE PROPHET
Date: THU MAY 14 6:17:23 AM
I'd like to point out one thing about my file first... A rather embarrassing
error. In the original version, I said "chown"
was used to change file modes, when the correct command is "chmod". This was
purely a typo, as I know the difference between the two commands. The format
for the command, though, was correct.
SState- there is one slight flaw in your trojan shell script. If the LOGNAME
variable is not set by root, it will not unprotect the password file when it is
run by the superuser. It's better to check the logname by using the logname
command, which is accomplished by using logname in place of $LOGNAME in the
script.
Shadow Hawk was asking about less easily detectable trojan horses. An easy way
to subvert a utility that normally has the uid bit set, like su, is to make a
copy of the utility and hide it in an out of the way directory, with the uid
bit NOT set. Then make a c program which does the following:
if a certain argument is given to the program (which replaces the real
utility), it executes the shell using the execvp C command.
otherwise, execute the copy of the utility.
Then change the ownership of the file to root, and set the uid bit, and name it
"su" (or whatever), and replace the real utility with it. Since su always has
the uid bit set and is always owned by root, it will be less easily detected,
unless the administrators notice the file size. This is easy to do, requires
only a minimal knowledge of C, and does not require the source code for the
subverted utility.
-TP
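An added example, not code from the article or from any of the posts above: The Prophet's own caveat is that a substituted "su" is noticed only if the administrators spot the file size, and the script below turns that into a routine check by recording size and a SHA-256 digest for every setuid file and reporting what later differs. Directory and file names used are assumptions.

```sh
# Added example (not from the article or the BBS posts). Baseline and re-check
# the setuid files on a system: a swapped-in "su" keeps root ownership and the
# uid bit, but its size and digest change. Paths are assumptions for illustration.

# Print the SHA-256 hex digest of a file (sha256sum on GNU, shasum on BSD/macOS).
file_digest() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi |
        cut -d' ' -f1
}

# Write one "digest<TAB>size<TAB>path" line for every setuid file under $1 into
# the baseline file $2. Paths containing tabs or newlines are not handled.
setuid_baseline() {
    find "$1" -type f -perm -4000 | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s\t%s\t%s\n' "$(file_digest "$f")" "$(wc -c < "$f" | tr -d ' ')" "$f"
    done > "$2"
}

# Compare the setuid files under $1 against baseline $2. Reports CHANGED (digest
# or size differs), NEW (setuid file absent from the baseline) and MISSING
# (baseline entry gone or no longer setuid). Returns 1 when anything is reported.
setuid_audit() {
    cur=$(mktemp) || return 2
    setuid_baseline "$1" "$cur"
    awk -F'\t' -v base="$2" '
        FILENAME == base { b[$3] = $1 "\t" $2; next }      # load baseline entries
        { seen[$3] = 1
          if (!($3 in b))               { print "NEW " $3; n++ }
          else if (b[$3] != $1 "\t" $2) { print "CHANGED " $3; n++ } }
        END { for (p in b) if (!(p in seen)) { print "MISSING " p; n++ }
              exit (n > 0) }' "$2" "$cur"
    rc=$?
    rm -f "$cur"
    return $rc
}
```

Run `setuid_baseline / /var/lib/setuid.baseline` once on a known-good system, keep the baseline somewhere the audited host cannot rewrite it, and schedule `setuid_audit` against it.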
======================================
"Kathyryn Clark, a spokesman for AT&T, said 'I'm aware of it. Our
security systems alert us when there is this type of break'".-
I'm so sure. Shadow Hawk broke into many more systems than the ones
they busted him for.
======================================
"Later that month, another AT&T corporate security official spotted a
statement made by Shadow Hawk on another computer bulletin board in
Chicago."-
This bulletin board is most likely Ripco (Ripco International). Shadow
Hawk was a user at this bulletin board and took part in phreak/hack discussions
(and possibly posted hacked computers). Do not quote me on this. This is only
an assumption and has not been verified. The current telephone number to
Ripco is (312) 528-5020. It should also be noted that this was a different
AT&T corporate security official. A DIFFERENT one.... as if AT&T has been
monitoring all phreak/hack bulletin boards??? Both of these security
officials are being paid to monitor boards. Is it poss
security officials monitor phreak/hack bulletin boards?? Henry Kluepfel and
this security official are certainly monitoring bulletin boards!
======================================
"In that message, Shadow Hawk provided the names, telephone numbers, passwords
and other critical information needed to gain access to seven different AT&T
computers"-
It is not certain if any of these computers were the ones that Shadow
Hawk was busted for breaking into. And of course an AT&T security official
(one of those paid to monitor boards) read Shadow Hawk's message.
======================================
The story of Shadow Hawk's bust is continued in TNS Issue #11.