OT Hackers hit Pac Bell

greenspun.com : LUSENET : TimeBomb 2000 (Y2000) : One Thread

Hackers Force Pac Bell to Seek New Passwords

David Lazarus, Chronicle Staff Writer Tuesday, January 11, 2000

Pacific Bell Internet subscribers have been instructed to change their passwords after a group of young hackers gained access to the account files of more than 60,000 members.

``Basically, you have a bunch of kids who are very smart and gained unlawful access to accounts,'' said Damian Frisby, a detective with the Sacramento Valley High-Tech Crimes Task Force. ``It was mainly for bragging rights.''

However, some of the hackers decided to use the purloined passwords to gain anonymous access to the Net and hack into other sites, and that's how law-enforcement officials got involved.

Frisby said his unit was mobilized after one of the hackers managed to shut down a Sacramento Internet service provider using one of the ripped-off accounts.

A 16-year-old Los Angeles boy has been arrested on felony charges of unlawful access and grand theft.

Frisby said that at least five other teens have been contacted by police in connection with the case and that the circle of hackers may grow even wider.

``There are quite a few juveniles being interviewed,'' he said.

The hackers managed to break into the servers of as many as 26 different ISPs, businesses and schools, making off with thousands of users' passwords.

Pacific Bell so far is the only one to issue a blanket request for users to come up with new passwords.

Pac Bell learned of the hack attack last week. It said as many as 63,000 of its more than 300,000 subscribers statewide had their passwords stolen.

In a message to subscribers on Friday, Valeri Marks, president and chief executive of Pacific Bell Internet Services, instructed members to change their passwords in light of the incident.

Pac Bell said that if Internet subscribers do not change their passwords by Friday, they will be shut out of their accounts and will be required to call in to obtain a new password.

In any case, the company said Internet users should routinely change their passwords every three months or so to prevent hackers from causing mischief.

``Our priority is to make sure customers have a secure Internet experience,'' said Michelle Strykowski, a Pac Bell spokeswoman. ``We sent this note out because security is a top priority for us.''

http://www.sfgate.com/cgi-bin/article.cgi?file=/chronicle/archive/2000/01/11/BU39211.DTL&type=tech_article

-- Martin Thompson (Martin@aol.com), January 11, 2000

Answers

Is your password the same as your user name? Is your password a word which can be looked up in a dictionary? Do you pop your email from one provider while connected to a different provider? Is your password to your email account at yahoo or aol or some other free mail provider the same as your login password at your access provider?

If you answered any of these questions yes. You should read:

http://osiris.urbanna.net

-- Michael Erskine (Osiris@urbanna.net), January 11, 2000.


---in my opinion, hacking into anyones computer should be treated as breaking and entering, with appropriate sentences. Publicize the heck out of anyone caught and convicted. Possession of hacking tools should be treated as possession of burglary tools at the scene of a crime, that includes war dialers, gui "administrative" tools, etc. And the corporate mega software and hardware providers need to spend some of that $$$$$ in the zillions they are making, take a year off from their profit taking, and CLEAN UP THE BUGS IN THEIR SOFTWARE THAT ALLOW HACKING TO TAKE PLACE. Maybe another mass class action suit against them, with individuals and corporations as plaintiffs who have been hurt by those providers security lapses, perhaps.

-- don'tneednohakerz (throwthem@jail.losekey), January 11, 2000.

"---in my opinion, hacking into anyones computer should be treated as breaking and entering, with appropriate sentences. Publicize the heck out of anyone caught and convicted."

You will get no disagreement from me on these points.

"Possession of hacking tools should be treated as possession of burglary tools at the scene of a crime, that includes war dialers, gui "administrative" tools, etc. And the corporate mega software and hardware providers need to spend some of that $$$$$ in the zillions they are making, take a year off from their profit taking, and CLEAN UP THE BUGS IN THEIR SOFTWARE THAT ALLOW HACKING TO TAKE PLACE. Maybe another mass class action suit against them, with individuals and corporations as plaintiffs who have been hurt by those providers security lapses, perhaps."

However, on this point, you know not of which you speak. Some of the exact same tools that are used to crack into networks are used to protect the networks. Moreover, alot of the tools in use are, for lack of a better term, crap, and only allow exploitation of computers to a wider audience. Most in depth cracking is done via command line and not by some software program. If you're referring to "skript kiddiez", they will eventually foil themselves. The good hackers are the ones that you'll never see, never know they were there and will never be caught. Of this brand, I know quite a few.

Unix is inherently insecure due to the nature of the timesharing and open source. Further, many exploits take advantage of the transmission protocol (standardized by the gov't generally, and the NSA specifically) which has nothing to do with the platform software. Windows? Don't make me laugh. A child with a modicum of intelligence can be taught to crack a Wintel machine.

And that's JUST what we need - more government. Note the sarcasm. The weakest link in any security platform is the user. In this case, if the users had too easy of a password to guess, that is their fault. People cannot be protected from their stupidity.

Competition will force software makers and OS platforms to become more secure. Let the open market take care of itself and get the gov't out of the regulation business.

-- Mudge Fan (mudge-fan@l0pht.com), January 11, 2000.


Now, the question is: Am I the real "macbeth1" or not?

'Course I ask myself that question every once in a while, just out of existential pique, I s'pose.

Interesting.. I've been on PBI (as it's known) many times since Friday and have received no such notification from the lovely and talented Ms. Marks, nor from any other minion of PacBell. Was she overstating the scope of the mailing? Dunno.

And no, my password is not a word in the dictionary, nor any alphanumeric pattern easily discerned. I used to admin Unix systems and spent plenty of time logging on as assorted users using their easily-cracked passwords. Used to scare the beejeebers out of 'em when they got mystery e-mail from themselves...

-- DeeEmBee (macbeth1@pacbell.net), January 11, 2000.


Mudge is cool. The l0pht is cool. They are doing a good thing. There are reasons for keeping and knowing how to use cracker tools.

The best way to secure you own network is to crack your own computers.

It is also true what is being said about the professional crackers. They just slip in and usually you won't even notice they are there. Ofcourse if you have been cracking your own systems, you might get lucky.

-- Michael Erskine (Osiris@urbanna.net), January 12, 2000.



Moderation questions? read the FAQ