Date: Thu, 24 Nov 1994 13:40:09 +0000
From: Brian.Randell@newcastle.ac.uk (Brian Randell)
Subject: Secret British Telecom Files Hacked [scanned, not checked for errors]

The following articles about a major breach of British Telecom security are
quoted, in their entirety, without permission, from The Independent (for 24
Nov.), one of the main national newspapers here in the UK. Between them,
they fill much of the news column space on the front page, and on all of of
pages two and three. As far as I know (from the way the story has been
reported on radio by the BBC) the Independent is the only paper that has
this story. The articles are ilustrated by photgraphs of the reporter Steve
Fleming, the MI5 and MI6 buildings in London, the Government Bunker near
Hawthorn, Wiltshire, and one (censored) example of an item that had been
obtained from the BT files.

Cheers

Brian Randell

==========

REVEALED: HOW HACKER PENETRATED THE HEART OF BRITISH INTELLIGENCE

BY TIM KELSEY

Some of the country's most sensitive intelligence networks have been
breached by a computer hacker from British Telecom's main database in one
of the most serious breaches of national security in recent years.

Telephone numbers and addresses for MI6, MI5, many secret Ministry of
Defence installations and other very sensitive information were copied from
the computer by the hacker without any special technical expertise. The
material was then sent out on to the Internet, a global network of
computers, to which any one of 35 million users would potentially have
access.

The thousands of pages of highly confidential BT records were sent across
the Internet to a young Scottish journalist, Steve Fleming, in July. Mr
Fleming does not know the identity of his informant.

The hacker was also able to retrieve, undetected by BT records of the
top-secret government communications centre, GCHQ in Cheltenham. Other
information included home addresses of senior military personnel, details
of phone installations for the secret US communications station at Menwith
Hill in North Yorkshire, information about the bunker in Wiltshire where
the Government would go in the event of a nuclear war; and telephone
installations in Downing Street and Buckingham Palace.

The data gives the location of a number of intelligence service buildings
in London. Some of these are clumsily disguised on BT records. One MI5
location is described as "shoe shops" and another as "textile
warehouseman". Various MI6 locations are also identified. Its training
establishment - the school for spies - sits next to a pub in a nondescript
building on a busy street in south London.

The Independent has been able to verify the authenticity of the information
which runs to hundreds of thousands of words and numbers and appears as
internal BT records taken straight off the
computer.

The hacker would not have been able to alter the records, simply read them.
It is thought he was able to access the material with astonishing ease.
Secure passwords giving access to the system were left lying around BT
computer offices. Mr Fleming verified that this was possible by working on
a short-term contract for BT, through an employment agency, and gaining
access to the computer.

One of Britain's leading computer security experts, Ian James, who was for
10 years a senior officer in the Fraud Squad and now gives advice to some
of Britain's biggest companies, said last night: "If you are telling me
that that computer has been hacked into, it is the most serious breach of
security I have ever heard of. There is no way that sort of information
should get out."

No computer that contains such sensitive information has ever been hacked
in the UK on such a scale before, according to Mr James.

Tommy Helsby, managing director of Kroll Associates, an international
investigations agency with expertise in computer security, said: "It really
is very difficult to believe. I am surprised most of all that the security
services would not have been more prudent with their information."

It is not known if the BT hacker sent the information he collected to
anybody other than Mr Fleming. He stopped communicating with Mr Fleming in
August and it is not known if he remains active.

It is also apparent that some of the numbers billed to the intelligence
services are, in fact, operated by apparently private businesses. Two
numbers chosen at random were answered with company names. It also emerged
that MI5 phone bills are being paid not by the Home Office but by the
Ministry of Defence.

Other information taken from the computer includes the location of missile
bases and military command and control centres in the UK, the private line
numbers of John and Norma Major at Downing Street and private lines for
Buckingham Palace and Kensington Palace.

It would be extremely difficult to tap any of the unlisted lines identified
in the documents. However, telecommunications specialists have confirmed
that it is possible, if the identity of a telephone exchange is known, to
eavesdrop undetected on a telephone line by hacking into BT's fault
detection system.

Most of the telephone numbers are classified and unlisted even as
ex-directory, in BT records.

The hacker systematically exploited lax security precautions on the BT
system over several weeks to gather a wide range of information.

It is understood that he obtained access to the computer while working as a
temporary employee with BT. He was given passwords by permanent members of
staff, and discovered that these passwords gave them access to the full
range of information on the computer. The computer database, the Customer
Services System, was designed by the American company Cincinnati Bell. It
is supposed to contain internal safeguards against unlawful hacking.

BT has previously maintained that the computer is carefully protected from
this kind of abuse, and that only authorised personnel are given access to
sensitive information.

----------------

HACKER BLOWS SPY SERVICES' COVER

REPORTS: TIM KELSEY

Telephone directories for MI5, MI6 and the Government's top-secret
eavesdropping centre, GCHQ at Cheltenham, are among the most sensitive
numbers disclosed in the huge amount of material taken by the hacker from
the British Telecom computer. The hacker also found information on secret
United States military listening posts in the United Kingdom.

MI5's telephone network has its centre on the 17th floor of Euston Tower in
central London. In the BT documents, this is identified as the base of
MI5's "communications manager". The billing lists dozens of lines run from
the tower, and the network extends across the country.

All the telephone bills charged to MI5, which is attached to the Home
Office and for which the Home Secretary is answerable to Parliament are
paid by the Ministry of Defence.

Despite the fact that MI5 has moved to new headquarters at Thames House,
some bills are still charged through its old headquarters at 140 Gower
Street in Bloomsbury - within walking distance of the tower.

Many of the numbers listed appear to belong to external companies. The
lndependent called one number at random, which was answered as a private
business. Many others are believed to belong to similar "front" companies.
Earlier this year, MI5 ran a free 0800 number from Euston Tower for the
convenience of operatives engaged in "watching" targets around the UK and
forced to make calls from payphones. All the numbers have a special
designation and are not listed in any telephone directories.

Apart from giving information about active telephone numbers, the bills
also detail the kinds of telecommunications equipment and the exchanges
from which the telephones are run. This would enable experienced hackers to
access the line and listen to conversations. The telephone bills reveal the
location of a number of security service buildings in London which had not
previously been identified.

Some of the numbers are clumsily disguised: one central London number is
described as belonging to a shoe shop, but the bill is paid by the Ministry
of Defence for MI5. Another is described as belonging to "textile
warehouseman".

It is not just the telecommunications network of MI5 that has been
compromised. Confidential details concerning both the Secret Intelligence
Service, or MI6, and GCHQ have also been taken from the BT computer. MI6
communications centres-and there are dozens in central London - are listed
as Government Communications Bureaux in the records. Unlike MI5, it appears
that MI6 has its own telephone budget, and it pays its own bills.

There are many numbers identified, and addresses supplied. Some go into the
new MI6 headquarters building at 85 Albert Embankment, but many do not. The
records appear to identify MI6 locations outside this building. MI6 is also
paying for a number of telephones located in a busy street in south London
which has been identified as the spy training centre. What is thought to
have been MI6's former City of London office is located in an office block
in the Square Mile.

Some of the telephone numbers - like those listed under MI5 - appear to be
used by private companies.

The information taken off the BT computer also compromises GCHQ, Britain's
communications headquarters. It gives computer access numbers as well as
classified telephone numbers within the organisation It ;also provides the
location of key facilities and identifies exchanges used.

BT supplies equipment to the US Department of Defense listening station at
Menwith Hill on the North Yorkshire moors, which is the largest American
communications base in Europe. There are numbers for the site's computer
rooms, and even for voicemail messages, which would enable hackers to
listen to messages left for staff.

The British Telecom computer into which the hacker, and then Mr Fleming
obtained access, is called CSS, the Customer Services System. This computer
contains all information on every BT customer - government, business and
residential. This covers installation details, faults, credit arrangements
and itemised bills. It also gives addresses.

The computer, which is situated in central London, was designed by
Cincinnati Bell, the American telecommunications company. The system
handbook states that there are security systems designed to prevent
unauthorised access to forbidden areas.

BT literature claims that access to CSS is strictly limited with
information released to specific vetted users at specific terminals. This
system can only work, of course, if passwords are not shared with temporary
members of staff.

Finding information on the CSS, once on-line, is easy. Simple commands give
access to the national system. If one commanded a search on the word
"government", among the items retrieved by the system would be "government
communications bureau", the BT billing name for MI6.

------------------
MISSILE AND RADAR SITES EXPOSES

The locations of secret missile and radar stations and military
communications centres are detailed on the British Telecom computer - and
are no more difficult to find than someone's home telephone number.
BT sought to disguise the identity of some of Britain's most secret
military installations but even so the hacker, who penetrated the central
computer database, was able to acquire the home addresses of senior
officers, all of whom could be terrorist targets.

The BT information describes the location of a variety of sensitive sites:
Nato fuel depots, remote communications posts in the Highlands of Scotland,
missile bases and tactical air control centres. It also details the
location of classified signals operations throughout Britain.

Some of the information in the records is historical. Several numbers no
longer function. There are some operational numbers for Operation Granby,
the code name for the British campaign in the Gulf.

The data also show how the Ministry of Defence pays telephone bills for a
number of private contractors, including the Royal Ordnance. In one case
the ministry appears to pay for telephones at a Royal Ordnance factory.
Some of the most sensitive numbers are given misleading identities: one
unit's telephone number is described as belonging to "glaziers" and an RAI;
communications base is categorised as a "club and association". However,
the hacker was able, without any difficulty, to identify the actual owner
of the telephone numbers.

These numbers are not just voice lines - many provide access to military
computers. The documents also identify which exchanges the military uses to
route its calls. This information would enable hackers to eavesdrop on
calls undetected.

The listings also give details of secure telephone exchanges in the field,
which are located only by their Ordnance Survey grid reference
co-ordinates.

Some of the numbers give access to nuclear submarines in port in Scotland,
and others give access to frigates at sea. There are also numbers for
nuclear weapons storage sites.

The documents not only compromise military installations, they also reveal
the home addresses and ex-directory telephone numbers of senior military
personnel. All are potential terrorist targets. The Ministry of Defence may
have to relocate many of its senior officers.

It is possible that much more information has been obtained from the BT
computer than the Independent knows.

----------------
HOW I HACKED INTO SECURITY FILES

STEVE FLEMING describes how he found top secret communications information
in the BT computer.

As an amateur computer enthusiast, I have spent several years involved on
the Internet - the gigantic worldwide network of computers which all talk
to each other. Each computer on the Net has its own mail box to which
messages can be sent.

Six months ago, I started to investigate how difficult it would be to gain
access to one of Britain's largest and most sensitive computers. There were
rumours circulating on the Internet that someone had gained entry to the
British Telecom main computer or that they were trying to do so.
I sent a general message over the Net to see if anybody had been
successful. There were dozens of replies: most asking for more information;
most time-wasting.

Sometime in July, I received an anonymous message on the computer. It was a
document. There was nothing to identify who had sent it or why. At first
glance it looked like an invoice: a list of numbers, product details, and
prices. It was not.

It was a British Telecom record giving unlisted private telephone numbers
inside 10 Downing Street. Was this a real document? I did not know where it
had come from; nor did I know whether I was breaking the law by having seen
it.

But I was curious, while sceptical of its authenticity and decided to check
it. So, at around ll pm one night, I called one of the numbers. A woman
answered. "Hello," she said. I hesitated and then replied: "Hello. May I
speak to John, please?" She then asked me who I was and I hung up.
About four days later I received another anonymous message on my screen
which contained another document. It had the same format as the first -
more BT internal data - but this time it gave details of MI6 installations.
After that I tried to find out who my source was. I approached two people I
had been told were computer hackers who took a particular interest in the
telephone network. They gave me 10 numbers that they said were top secret.
They did not tell me why.

I decided to send another general message on to the Internet, with the
numbers, in the hope this might provoke the source to reveal himself.
Shortly after that I received another message - there was no attached
document. This time, the source explained how it was possible to break into
the BT computer. He told an extraordinary story about the way in which
temporary staff employed by BT were given easy access to the computer.
He said that passwords assigned to vetted full-time members of the staff
were pinned to noticeboards and left in notebooks beside the terminals so
that they could be used by temps. He said that BT did not bother to create
shortterm passwords and simply allowed its temps to share fulltime access
privileges.

He went on, Temps not only obtained access to the computer on which the
records of every client BT has - government, business and residential - are
kept, but there were no restrictions once they were inside. A temp was able
to access any kind of data: even the telephone numbers of the secret
services.

I found this hard to believe. But for the time being did nothing. I was
becoming increasingly worried that I was being set up. Was I involved in
some real threat to the national security? Was I being used? Two or three
days later, I received more documents on my computer. These contained a
huge amount of information that ranged across the secret services to GCHQ
and the Ministry of Defence.

That was the last I heard from this source. I still had no idea why he had
chosen to send the material to me. I also doubted that the material was
authentic. How could it be? How could somebody obtain such access to the
British Telecom computer? How could they do it without being detected?
With some qualms, I decided to try and verify the documents. I thought the
best way of doing this would be, as the source had suggested, to go into BT
as a temp and see if it was possible to obtain access to the computer. I
applied to an employment agency in the late summer for a job involving
computers at British Telecom; 48 hours later I was offered a temporary
position.

To my amazement I found when I first walked into the BT offices that, as
the source had described, passwords openly distributed and a remarkable
lack of supervision. I was able to gain access to the computer without
provoking suspicion, and to view some of the same information I had
received over the Internet.

I left BT after three days without accepting any payment. I decided to
approach the authorities and entered into a dialogue with a Special Branch
officer and other security service personnel who were made aware of the
role I had played.

-------------------
TERRORISTS COULD LISTEN IN TO MAJOR

THE THREAT

What use are these telephone numbers? If a foreign power or a terrorist had
access to this information, what could they do with it?

Telecommunications experts have ruled out the possibility that physical
phone taps could be attached to most of the lines and conversations
overheard or disrupted. Many of the lines - and most of them are secure -
will be cased in tubing which could not be broken without setting off
alarms.

Experts have also said that there is no equipment yet invented which can
listen to telephone calls without having physical access to the line. It is
possible to monitor mobile telephone calls by "scanning" electronically for
them. It is not possible to do this with hard-wired telephone lines.
However, there is a way in which conversations can be overheard, and this
method which is already popular in the United States, has no defence in the
British Telecom system

Telecommunication security specialists consulted by the Independent, who do
not wish to be identified, have successfully tested this method on British
telephone lines. This is illegal but it is also undetectable.
This system allows an individual to sit by his telephone at home and
overhear conversations on any line in the country providing he knows to
which exchange the telephone line is connected. He can then, by locating
what is called the remote observation unit, and scanning for a simple code
hack into the system British Telecom engineers use to test faults on lines.
This allows the hacker to interrupt calls, to listen to them undetected,
and to disrupt them.

Theoretically, if somebody with this know-how and a private line number for
the Prime Minister, would be able to listen into conversations. One of the
experts said: 'It could take as long as 24 hours to scan for the code and
then a matter of minutes to hook onto the call."

The implications of this leak could be wide-ranging. It is not known how
much the hacker retrieved from the computer. He may have copied much more
information than he sent to Mr Fleming. If BT takes seriously the prospect
of hackers listening into telephone calls then all the unlisted
confidential numbers for M15, M16, the Ministry of Defence, GCHQ and
several Government departments will have to be changed. The cost would he
substantial.

More serious, however is the fact that the material gives the location of
secret service buildings and other sensitive addresses. It is not known if
the hacker who communicated with Mr Fleming sent his information to anybody
else.

It is suspected that the hacker "parked" the information at a number of
sites on computers around the world. It is impossible to estimate the
potential costs of relocating personnel to take account of the possible
security risk posed by this leak.

---------------
EMERGENCY TELEPHONE NETWORK IN PLACE FOR WAR

COMPUTER'S DATABANKS SHOW HOW THE NATION WOULD BE GOVERNED IN A CRISIS

Data contained on the BT computer paints a detailed picture of the way in
which Britain would be governed and defended in time of war. The existence
of the Defence Communications Network, which is the wartime alternative to
the BT telephone network, is a closely guarded secret and has never before
been exposed in so much detail.

In February the Government redesigned the telecommunications system for the
emergency network. The computer shows where government departments would be
relocated during a war and where the key communications centre for both
military and civil defence would be located.

At its heart is a huge underground bunker, maintained by the Department of
the Environment, beneath a field near Hawthorn in Wiltshire. The BT data
shows the location of special exchanges to deal with emergency telephone
communications. Knowing their location, an enemy might be able to disable
them.

The bunker, which is codenamed Burlington, is about 100 acres in size and
extends around 12Oft below ground. It is designed to be the seat of central
government and can house 55,000 people.

The Defence Communications Network is controlled from the bunker. The BT
records show that there are three access points for telephone calls from
the national network - if one site is bombed, opportunities remain to keep
open the network. However, the BT records provide enough information to
identify all three sites.

The records also reveal the complicated structure of the secret national
network. Many otherwise innocent buildings have been earmarked as
communications posts: the basement in a west country town hall would be
taken over by the Home Office as a regional civil defence headquarters. The
Navy would set up communications operations in a commercial radio station
in Cornwall. A secondary school in Scotland would become a police station.
There is a special telephone line linking the Isles of Scilly to the
mainland which would be used to maintain government communications.
All the locations chosen as civil defence centres are already - and they
may not be aware of it - on the system. But it only becomes active in an
emergency. If that should happen, BT has the ability to cut all other
telephone communications in the UK to relieve pressure on the system and to
preserve battery power. Civilians and businesses would find they were not
able to make calls.

The system has been upgraded. It was until this year a system reliant on
old manual switchboards with calls routed by operators. It has now been set
up as a more efficient and faster digital network.
The BT records also identify the engineer responsible for maintenance of
the network.

-------------
NO 10 AND PALACE MAY HAVE TO ALTER NUMBERS

THE EFFECTS

Downing Street and Buckingham Palace may have to alter all their telephone
numbers because the hacker retrieved from the computer full details of
numbers, addresses and details of all equipment supplied. This, in Downing
Street's case appears to include external security apparatus.

The hacker also accessed numbers belonging to government departments
including the Department of the Environment and the Home Office. Prison
telephone numbers and information relating to a Prison Service computer
system went out on the Internet.

What BT describes in its records as the "Prime Minister's Installation" at
10 Downing Street gives the name of the exchange through which the numbers
are routed and information on telecommunications equipment used within the
building. There are numbers which would give access to the Cabinet Office
and other government offices. Among the several numbers listed are two in
the "above-the-shop" flat in which John and Norma Major live at Downing
Street.

Some of the telephones have lights which are activated to show the caller
is using a privacy set - which scrambles conversations to make them more
secure. There is also a facility on Downing Street numbers for monitoring
whether the line is tapped. The rest of the equipment is openly available
in the high street.

The records also give extensive detail on ex-directory direct line numbers
for Buckingham Palace, which are thought to include numbers for the
apartments of members of the Royal Family. They also give numbers for
Kensington Palace, the residence of the Princess of Wales. The palace
switchboard is also directly linked by special lines to Clarence House -
the Queen Mother's home - and a nearby Ministry of Defence building. The
total quarterly cost of the equipment the Palace rents from BT is (pound
sterling) 14,000.

There are a variety of ex-directory numbers for the Department of
Environment, including various computer access lines. The Home Office
Prison Service communications network may have been extensively
compromised. Dozens of unlisted telephone numbers, some of them inside
prisons and giving access to prison service computers have been leaked.
Because they also contain details of local exchanges, it would be possible
to overhear, or even disable, particular lines.

It also gives details of ex-directory payphone numbers which can located to
specific wings inside prisons and are supposed to be used by inmates only
for outgoing calls.

-----------
CONFIDENTIAL CUSTOMER DATA REVEALED

THE FILES

The hacker not only probed information which might compromise the secret
services or the defence establishment, he also wanted to show how easy it
was to acquire commercially sensitive information from BT.
As a token of this, the information released on to the Internet located a
series of numbers for the Bank of England, giving access to one of its main
computers. It also contained the computer access number for an emergency
computer operated by a high street bank. Experienced hackers may be able to
find their way into the system if they know the telephone number that gives
access to it.

There is also a great deal of confidential commercial and personal
information available, including whether the telephone number is
ex-directory or unlisted. The database gives a variety of personal details:
name, address, private ex-directory telephone number, and occupation.
The leaked documents contain a large amount of personal information
including credit details on customers. It is not known whether BT sells
this information to other organisations, or whether it discloses its own
credit assessments. The bills record details of every conversation a client
has with British Telecom customer services.

The staff member may then record their own comments, which will remain on
the client's record for as long as they are a customer with BT and may
affect their future credit rating. Customers are not made aware of this.
One customer acquired an ex-directory number which was to be paid for by a
charity. The charity had difficulty paying but promised to do so. The BT
customer services official noted for the benefit of future operators:
"Please - no more concessions . . ." The line was then apparently cut off.
The customer had no right of appeal.


Dept. of Computing Science, University of Newcastle, Newcastle upon Tyne,
NE1 7RU, UK
EMAIL = Brian.Randell@newcastle.ac.uk   PHONE = +44 91 222 7923
FAX = +44 91 222 8232