Backdoor VMS software installed on NASA computers to capture user passwords
Incident Date: 1987
Incident Location: USA
On a well-maintained system, the window between the discovery of a software vulnerability and the application of a patch can be short, which is why experienced hackers often install additional back doors to keep their hold on a system after gaining access through a vulnerability. Members of the German Chaos Computer Club hacking group followed this practice when they broke into NASA systems in 1987.
NASA maintained the Space Physics Analysis Network (SPAN) for U.S. and international scientists to carry out research and collaboration on approximately 800 linked VMS computer systems. In 1987 hackers from the Chaos Computer Club were able to access the network and exploit an unpatched flaw in VMS software that allowed a normal user to gain administrative privileges.
With administrator access the hackers replaced two VMS system files, SHOW.EXE and LOGINOUT.EXE. The new versions allowed the hackers to log in as an administrator using a hidden master password, and the fake login program also recorded the plaintext password of anyone who logged into the system, writing it into an unused field of that user's VMS User Authorization File record. The hackers could then return to the system, retrieve the username and password pairs, and identify the accounts that had special privileges.
VMS accounting processes normally kept logs of the users authenticating to the system, but the intruders modified this process as well to hide their activities: while on the system, they did not show up in listings produced by the “show users” command or in job counts.
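The incident turns on two replaced system binaries, so the check a defender wants is a file-integrity baseline: hash trusted copies of critical executables, keep the hashes somewhere the intruder cannot rewrite, and compare periodically. The script below is an added illustration, not code from the article or from NASA; it is generic rather than VMS-specific, uses the two file names from the story only as labels for constructed sample files in a temporary directory, and simulates one binary being replaced and one going missing.

```python
import hashlib
import os
import tempfile


def sha256_of_file(path, chunk_size=65536):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Record the known-good hash of each trusted binary (taken while the host is clean)."""
    return {p: sha256_of_file(p) for p in paths}


def check_against_baseline(baseline):
    """Compare the current files with the baseline.

    Returns a list of (path, status) findings, where status is
    'modified' (hash differs) or 'missing' (file gone). An empty list
    means every baselined file is unchanged.
    """
    findings = []
    for path, expected in baseline.items():
        if not os.path.exists(path):
            findings.append((path, "missing"))
            continue
        if sha256_of_file(path) != expected:
            findings.append((path, "modified"))
    return findings


def demo():
    """Constructed scenario (hypothetical files, not real VMS images).

    Baseline two 'system binaries', then replace one and delete the other,
    and return the findings before and after, keyed by base name.
    """
    with tempfile.TemporaryDirectory() as d:
        login = os.path.join(d, "LOGINOUT.EXE")
        show = os.path.join(d, "SHOW.EXE")
        for p in (login, show):
            with open(p, "wb") as f:
                f.write(b"original contents of " + os.path.basename(p).encode())

        baseline = build_baseline([login, show])
        before = check_against_baseline(baseline)  # clean host: no findings

        # Simulate the intrusion: a trojanized login program and a removed tool.
        with open(login, "wb") as f:
            f.write(b"replacement binary with a hidden master password")
        os.remove(show)
        after = check_against_baseline(baseline)

        strip = lambda findings: [(os.path.basename(p), s) for p, s in findings]
        return {"before": strip(before), "after": strip(after)}


if __name__ == "__main__":
    for phase, findings in demo().items():
        print(phase, findings or "no changes")
```

Two caveats follow directly from the story. The intruders replaced SHOW.EXE, the very tool an operator would use to look at the system, so the hashing program and the baseline must be trusted independently of the host being checked: keep them on read-only or offline media and run the comparison from a known-clean environment where possible. And because the login replacement wrote captured passwords into an unused field of each User Authorization File record, an integrity check on binaries alone is not enough; unexpected changes to authentication records and gaps between accounting logs and observed activity deserve the same kind of baseline comparison.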
Members of the Chaos Computer Club held a press conference in the fall of 1987 to announce their accomplishment, saying that they had penetrated 20 different systems on SPAN. They also bragged of finding sensitive government files related to the Strategic Defense Initiative (SDI) program. NASA downplayed the value of the data, saying that no classified information was stored on the network.
In addition to stealing NASA data, the hackers also used NASA’s X.25 network connections to attack other sites.
Title: NASA Hackers: There's More to the Story
Author: Vin McLellan
Publication: Digital Review
Do you have additional information to contribute regarding this story? If so, please email email@example.com with the details and source.