Copyright 1990-2016 by Kevin G. Barkes
All rights reserved.
This article may be duplicated or redistributed provided no alterations of any kind are made to this file.

This edition of DCL Dialogue is sponsored by Networking Dynamics, developers and marketers of productivity software for OpenVMS systems. Contact our website www.networkingdynamics.com to download free demos of our software and see how you will save time, money and raise productivity! Be sure to mention DCL Dialogue!

DCL DIALOGUE
Originally published August, 1990
By Kevin G. Barkes

Hacking by the Numbers

Operators and persons who work weekends at companies with "trunked" telephone lines are familiar with the problem. The night service bell rings, you dial the number to access the line, and you get a recording selling aluminum siding or velvet Elvis portraits. You hang up. Ten seconds later the night bell rings again. It's the same recording; an automated computer system is sequentially dialing every number in the telephone exchange. Depending on how many phone lines your company has installed, you can spend up to an hour wasting your time.

I have seven lines in my office, most connected to my computer systems. My weekends are frequently spent watching with bemused detachment as these electronic salesmen from hell attempt to hawk their wares to my screaming modems.

Last Saturday was different.

THE INVASION BEGINS

One of my extra voice lines rang, and when I answered I heard a modem tone. The line is unlisted, but has a number similar to the BBS; I figured someone had just mis-dialed. I hung up.

Ten minutes later, one of the modems attached to my VAXstation went off-hook. Then it connected. I popped over to the window where I keep Kermit attached to the line and was somewhat alarmed to see:

    HELLO? ANYONE THERE?

I immediately disconnected the modem. Less than a minute later it rang again and connected.
The anonymous caller was persistent:

    FIELD SERVICE SYSTEM MANAGER LOGIN SHO SERVICES

And obviously someone familiar with VMS.

I reset the modem. It went off-hook again almost immediately. After another abortive attempt to log in, a stream of garbage began flying across the screen. I guess the caller was attempting to cause the program attached to the port to abort, hoping it would drop him down to the DCL prompt.

I hit the disconnect a third time. The calls stopped, but I was still apprehensive.

A few hours later, the fax machine answered its line, then dropped carrier. Twenty minutes after that the second line on the VAXstation rang and the modem connected. The data lights were flashing; I did a show user and saw:

    Username     Process Name      PID     Terminal
                 _TTA3:          00000047  TTA3:

Soon after, the security alarm went off. Someone was trying to log into the field service account.

Enough was enough. I turned off both modems.

METHODICAL ATTACK

I took note of the order in which the hacker called my various lines. Obviously, the person was using an automatic system that started at the lowest number in an exchange (0000) and sequentially dialed up to the highest (9999).

Since my telephone exchange is in a residential area, I had to assume the would-be intruder had specifically targeted me. Even more convincing was his use of VMS-specific login sequences; not many private residences have VAXstations off the master bedroom.

My office, fax and BBS phone numbers are widely publicized, as is the fact I have several systems and communications lines. Through brute force and persistence, he managed to identify the remainder of my unlisted voice and data numbers in under five hours.

MAKING THINGS SECURE

Unlike Cliff Stoll, I don't have the time and money to "track the elusive hacker". Because of the sophistication of his break-in attempts, I assumed he was bright enough not to call from a line that could be easily traced. So I decided to shore up my defenses.
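
The inference under METHODICAL ATTACK above (lines reached in number order imply a sequential dialer), as an added example that is not part of the original column: it reduces a call log to the first ring on each line, checks the ordering, and fits a dial rate to estimate when another number in the exchange would ring. The log entries, line numbers and function names are constructed for illustration.

```python
# Added example: does the order in which owned lines rang fit a sequential dialer?
# CALL_LOG is constructed sample data (times and last-four digits are invented).
CALL_LOG = [
    ("10:00", 1200),  # spare voice line
    ("10:10", 1400),  # first modem
    ("10:11", 1400),  # redials after each disconnect
    ("10:13", 1400),
    ("13:00", 4800),  # fax
    ("13:20", 5200),  # second modem
]

def minutes(hhmm):
    h, m = hhmm.split(":")
    return int(h) * 60 + int(m)

def first_contacts(log):
    """Earliest ring per line as (minute, line), ordered by time; redials are ignored."""
    first = {}
    for stamp, line in log:
        t = minutes(stamp)
        if line not in first or t < first[line]:
            first[line] = t
    return sorted((t, line) for line, t in first.items())

def is_ascending_sweep(contacts):
    """True when at least three lines were first reached in increasing number order."""
    lines = [line for _, line in contacts]
    return len(lines) >= 3 and all(a < b for a, b in zip(lines, lines[1:]))

def fit_sweep(contacts):
    """Least-squares fit t = start + rate * line; returns (start, rate, worst error), in minutes."""
    if len(contacts) < 2:
        raise ValueError("need first contacts on at least two lines")
    n = len(contacts)
    mx = sum(l for _, l in contacts) / n
    my = sum(t for t, _ in contacts) / n
    sxx = sum((l - mx) ** 2 for _, l in contacts)
    sxy = sum((l - mx) * (t - my) for t, l in contacts)
    rate = sxy / sxx
    start = my - rate * mx
    worst = max(abs(t - (start + rate * l)) for t, l in contacts)
    return start, rate, worst

def predicted_ring(contacts, line):
    """Clock time at which the fitted sweep would reach another line number."""
    start, rate, _ = fit_sweep(contacts)
    total = round(start + rate * line)
    return f"{total // 60:02d}:{total % 60:02d}"

if __name__ == "__main__":
    c = first_contacts(CALL_LOG)
    print(is_ascending_sweep(c), fit_sweep(c), predicted_ring(c, 7300))
```

A small worst-case error from `fit_sweep` means the rings are consistent with one dialer moving at a steady rate; a large one suggests unrelated callers.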

Making a computer system secure against dial-up break-ins is easy. You unplug the modems, or set them so they don't answer the phone. Unfortunately, this makes it a trifle difficult to conduct business, especially when you need to access your system remotely.

I double-checked all the entries in my VAXstation's SYSUAF file, making certain the default accounts were set to DISUSER. I'm thankful my machine isn't a big VAX with scores of users; it would have been quite an arduous chore.

I changed passwords again, making certain my selections were unique and included numeric characters.

An attorney friend noted that the standard "Welcome to VMS" announcement could be used as a defense; after all, "Welcome" implies access. So I changed SYS$ANNOUNCE from "Energizing transporter..." to "Unauthorized access prohibited. Violators will be prosecuted". To be doubly sure, SYS$WELCOME now displays "Kevin G. Barkes Consulting Services. Unauthorized access prohibited. Violators will be prosecuted, whipped, beaten, called nasty names, beaten, whipped, and then prosecuted some more. I'm not kidding. So there. VMS 5.3-1." Maybe DEC should rename it SYS$INTIMIDATE.

Then I called the phone company. For a slight charge (equal to the gross national product of some third world nations) it was possible to arrange "foreign exchanges" for my dial-in lines. Instead of the 854- prefix, I could get an exchange that "looked" like it was somewhere else. My hacker friend would have to make about 600,000 calls to locate me now.

POUND FOOLISH

The most frustrating thing about trying to make the serial ports of a VAXstation 3100 secure is that DEC intentionally designed them to be wide open. In an engineering change that must have saved them ones of dollars, the serial lines on my VAXstation do not support true modem signals. My 3100 is blissfully oblivious to such luxuries as the carrier detect signal.
This means if I somehow get knocked off the line when logged in, the VAX doesn't automatically kill my process. If someone else calls in before I redial... well, you get the picture.

I'm going to get a terminal server to circumvent the problem in the long term. I need more than two ports anyway, with all the dial-out lines, printers and other do-hickeys I have jury-rigged together with ABCD switches.

I wish DEC would fix this problem - er, feature. My guess is there are a lot of exposed VAXstations out there. In the meantime, I put together a little Rube Goldberg device that ensures I get logged out if the line drops.

This diverting adventure has taken about 25 hours of my time in the past week. As an independent consultant who bills by the hour, that's a sizable chunk of change out of my pocket, plus the expense of hardware. The next person who tells me hackers don't really do any harm is going to learn a wondrous new use for null modem adapters.

Still, I'm uneasy. Somewhere out there is a modem with my name on it.

=========================================================

DECUS Enlightenment: The May DECUS Symposium in New Orleans was quite enjoyable. Thanks to all of you who made a point of looking me up at the Professional Press booth at DEXPO or attending my alleged session on DCL and DECwindows.

I say "alleged" because the airline managed to lose my bag containing the overheads and handouts for the session. Even worse, they lost my underwear. While the latter could be replaced, the overheads and notes could not, so I ended up doing a "stream of DCL consciousness" session for 35 minutes and hosting a DCL roundtable of sorts for the balance of the hour.

The suggestions and tips offered by the attendees were quite useful. Aaron Leonard of the University of Arizona revealed his method of suppressing the Digital logo which is displayed on the VAXstation 3100 at bootup. DEC provides, in SYS$MANAGER:SYSTARTUP_V5.COM, a "hook" for substituting a user-supplied display.
For example, adding the line

    $ DEFINE/SYSTEM/EXEC -
      DECW$LOGIN_BACKGROUND -
      SYS$MANAGER:BACKGROUND.COM

to the startup file will cause DECwindows to create a new process named LOGO to execute the commands in the BACKGROUND.COM file.

To eliminate the DEC logo, I had assigned DECW$LOGIN_BACKGROUND to the null device (NL:). While it worked, it had the unfortunate side-effect of causing the LOGO process to consume about 80% of the cpu as it unsuccessfully but incessantly attempted to read from the nonexistent file. Aaron's tip was to put a single command in BACKGROUND.COM: $LOGOUT. The result is a commercial-free VAXstation startup with no cpu load.

The real crowd pleaser was from John McMahon of NASA-Goddard. John noted that by editing the DECW$SM_GENERAL.DAT file on your VAXstation and changing the value on the line sm.pointer_shape: to -142, the mundane digit-shaped pointer is magically transformed to the far more aesthetically pleasing outline of the Starship Enterprise. (Too bad John's original posting on Internet came after June's "DCL on the Edge of Forever".) I've been happily clicking the accursed Romulan-derived FileView box into the Icon Dimension for the past two months.

If you couldn't make DECUS and would like to hear some of the goings-on, you can still order cassettes of selected sessions from National Audio Video Transcripts at 800-373-2952. If you'd like the first set of "reverse-engineered" notes from my somewhat disjointed session, send a self-addressed #10 business envelope with 45 cents postage attached to the address at the end of this column.

Onward to Las Vegas in December...

----------

Kevin G. Barkes is an independent consultant. He publishes the KGB Report newsletter, operates the www.kgbreport.com website, lurks on comp.os.vms, and can be reached at kgbarkes@gmail.com.