NEW SECURITY LEARNING

By Andrew Rosthorn

An Enigma rotor stack, Photo by Bob Lord

In primeval Cold War days, when half the Internet was still called MILNET and the other half was known as the ARPANET, the celebrated cyber sleuth Clifford Stoll discovered to his horror that the entry password to a computer leading into the Strategic Air Command headquarters in Omaha, Nebraska, was nothing more than ‘SAC’.

In his charming 1989 memoir, The Cuckoo’s Egg, Stoll tells how his part-time task to trace a pesky 75-cent accounting error on a computer system at Berkeley led him to the ever so faint trail of a West German hacker, a man living in Hanover and spying for the KGB.

One weekend the Californian astronomer shut down some networks to set a trap for the ‘Hanover Hacker’.

‘While the network was down, the hacker had appeared. My only record was a printout from the monitor, but that was enough. He had shown up at 5:15 a.m. and tried to connect into a Milnet site in Omaha, Nebraska. Disappeared two minutes later. From the network directory, I found he tried to get into a defense contractor there, SRI Inc.

‘I called Ken Crepea of SRI, and he hadn't noticed anyone trying to get in. "But I'll call you back if I see anything strange."

‘Ken called back two hours later. "Cliff, you won't believe this, but I checked our accounting logs, and someone's broken into my computer."

‘I believed him. "How do you know?"

"There's weekend connections from several places, on accounts that ought to be dead."

"From where?"

"From Anniston, Alabama, and from Livermore, California. Someone used our old account, SAC. It used to be used for the Strategic Air Command, here in Omaha."

"Any idea how it was invaded?"

"Well, it never had much password protection," Ken said.

"The password was SAC. Guess we screwed up, huh?"

The News of the World phone hacking crisis that knocked 8.3 billion dollars off the value of Rupert Murdoch’s News Corporation and now threatens the survival of the British coalition government was triggered by nothing more complicated than passwords that were too simple.

A crucial chink in the security of the voicemail accounts of the 4,000 people targeted by the reptiles of the tabloid press opened wide because the people who were targeted, including policemen and members of the royal family, had been too lazy to change the original default PIN numbers on their telephones.

Until five years ago, most British mobile phones came with a PIN code that was set to default to an obvious number like 1234 or 0000. Until 2003, the Vodafone default number was still 3333.

Using the remote voicemail facility, men like Glenn Mulcaire, jailed in 2006 for hacking Prince William’s messages, simply dialled the target’s phone number. If no one answered or if the line was busy, they entered a default PIN and listened to voicemail messages.

The American investigative attorney and security expert Marc Weber Tobias claims the USA is still wide open. He opened his own Verizon and T-Mobile accounts in 2011, without using his own PIN.

‘Voice mail systems are inherently insecure. They can be hacked into by a variety of means, including caller-ID spoofing, brute-force hacking, and social engineering to derive numeric passwords. Some cellular carriers, such as T-Mobile allow changes to PINs on line, which may provide another vulnerability.

‘Detailed technical manuals for virtually all systems are available online, which may disclose back-door passwords and programming access codes. The spoofing of caller-ID is now illegal in the United States, but many services such as Itellas are available that allow the placing of calls through a remote switch with any originating phone number that the caller desires to appear on the called-party caller-ID display.’

The American website WorldStart.com recently offered advice on how to construct an impressive 17 digit password that is remains easy to remember.

The password ‘ks86jw03ts92ctb02’ was designed for an imaginary family called ‘Smith with a daughter named Kelly and a son named Tyler.

‘They have a 2003 Jeep Wrangler and an 02 Chevy Trail Blazer.

‘Now, let’s take those facts and look at the password again:

ks86 – Kelly Smith, born in 1986,

jw03 – Jeep Wranger, 2003 model

ts92 – Tyler Smith, born in 1992

ctb02 – You guessed it, Chevy Trail Blazer, 2002 model year.’

In Britain, four of the five biggest network operators; Vodafone, T-Mobile, O2 and Hutchison Whampoa’s 3 network, now block access to voicemail from anything other than the subscriber's own phone, unless a customer sets a PIN by dialing in from his own telephone. Vodafone, Orange and T-Mobile tackled the problem of lazy PIN numbers by banning numbers like 1111 and 5678.

In order to prevent ‘brute force’ attacks; Vodafone locks out people who enter an incorrect code three times. Subscribers must then contact customer service to get a new randomly generated four-digit PIN, sent by SMS message.

To tackle bribery in the call centres, Vodafone, O2 and 3 no longer allow their staff to look up voicemail PIN numbers.

But the world still suffers from lazy passwords. An appalling fact emerged in December 2010 after the Gnosis hacker group published source codes to unravel the passwords of 1.3 million users of the big American online media firm Gawker.

The passwords that people had chosen for the trivial business of looking at new products on Gawker sites like Gizmodo for gadgets, Kotaku for video games and Gawker for New York gossip, turned out to be the same passwords they had chosen for their their email accounts, and even their bank accounts. Thousands ended up locked out of their own accounts on Twitter.

IT specialists analysed 200,000 of the stolen passwords and were not surprised that thousands of bloggers had used ‘123456’ and ‘password’ as access codes. They were however intrigued to see how many thousands had chosen ‘starwars’ and ‘iloveyou’.

Passwords like ‘Dell’ and ‘Samsung’ had obviously been chosen by lazy or busy people who simply looked down from the screen to use the maker’s name on their monitor as their password.

Daniel Amitay, who worked on the iPhone app Big Brother Camera Security, has discovered that 15% of all iPhone users have used one of only ten lazy access codes: 1234, 0000, 2580, 1111, 5555, 5683, 0852, 2222, 1212 and 1998.

Graham Cluley, senior technology consultant at the global data protection firm Sophos commented, ‘People choosing 1234, 0000 and 1111 as their passcode are doing the equivalent of locking up their cars with a piece of thin string’.

After the Gawker disaster, Sam Grobart warned readers of the New York Times about lazy use of one single password for various web sites: ‘You really need to use more than one password. It’s annoying, yes, but necessary.

‘Have one password that you use for really sensitive accounts (like things that deal with money) and another for basic things. ‘That way, a hacker who breaks into, say, flowerlovers.com (which is likely to have more lax security than bignationalbank.com) will only know your password to other low-security sites.

Sloth is the least heinous of the seven deadly sins. But it was the early morning laziness of a few German radio operators that first allowed British wartime code breakers at Bletchley Park to tackle the ‘Red’ cipher, used for liaison between the German army and the Luftwaffe and protected every morning by a change in a ring settling on the rotors of their Enigma code machines.

Alone in his Bletchley digs during the cold winter of 1940, a 21-year-old mathematician, John Herivel, had an idea.

‘Every evening, I would sit down in front of the fire and put my feet up and think of some method of breaking into the Red. I was very young and very confident, and I said I'm going to find some way to break into it. Then one evening, I remember vividly, suddenly finding myself thinking about the other end of the story, the German operators. ‘I may have dozed off and perhaps I woke with a start and the faint trace of a vanishing dream in my head. Whatever it was, I was left with a distinct picture in my mind’s eye of a German Enigma operator. This was the trigger that set off my discoveries.

‘I thought of this imaginary German fellow with his wheels and his book of keys. He would open the book and find what wheels and settings he was supposed to use that day. He would set the rings on the wheels, put them into the machine, and the next thing he would have to do would be to choose a three-letter indicator for his first message of the day.’

Herivel guessed that if an operator was a little bit lazy, or transmitting under battlefield pressure, he might take a shortcut, choosing a ring setting close to the one he had used the day before. It would reduce the number of decode variables to find the ring setting of the day from 17,576 to around 20.

They called it ‘Herivelismus’. But for two months it wouldn’t work.

Then, on May 20, 1940, when young German radio operators were sending battlefield messages during the invasion of France, they started to take early morning shortcuts. Two days later the Hut 6 team at Bletchley Park used the ‘Herivel Tip’ to decode one of the messages and henceforth Hut 6 broke the cipher almost daily for the rest of the war, with terrible consequences for the Luftwaffe.