Date   : Tue, 01 Nov 2011 21:13:09 +0000
From   : dan@... (Dan Gardner)
Subject: Request for Help - Security Research Project

Hi Martyn,

Playing with the security on Econet networks at school 20 years ago was
what got me interested in information security and lead to a very
rewarding and enjoyable career. I've been lurking on this list for a
while and thought this would be an ideal opportunity to break cover.

Please bear in mind that I haven't played with an Econet in 20 years, so
my memory is probably incorrect in places. Also, apologies for the long
post but I wanted to dredge up as much as I could remember.

The most serious vulnerability with Econet (Level 3/4) was the fact that
all credentials were sent over the wire in plain text. One of my friends
and his brother spent one summer holiday disassembling the NETMON
utility and rewriting it to display fully decoded packets in ASCII
instead of unintelligible hex, revealing the username and password of
every logon packet flowing past. I see that Philip Blundell has released
a similar tool into the public domain.

Other attacks I remember included writing (Break-key resistant) programs
which spoofed the "Acorn MOS" startup banners and BASIC prompt and
logged the results of any *I AM commands while displaying a suitable
error message. A more advanced version could have been loaded into SWRAM
as a language rom or similar and would have been very difficult for a
normal user to detect.

I once wrote an interesting copy-protection denial of service routine
that would detect when it was run under an incorrect user account and
write a !BOOT for that user that would immediately log them out whenever
they logged in >;-)

I seem to remember that you could do something interesting with poking
station numbers into location &D22 (NMI?), which would usually cause the
remote victim station to stop responding to network packets.

Our NFS-based BBC B machines would require a local floppy drive to run
*PROT from, so I generally went for the Masters with *PROT in the ANFS
ROM. This would ensure I was at least protected from somebody messing
with my station from a remote station via the calls described in the
Level 3 Advanced User Guide.

We had a handy trick for avoiding particularly dull lessons which was to
insert a staple into an out-of-the-way Econet socket, shorting either
the clock or the data lines. This would usually mean us spending a
couple of hours hanging out in the computer rooms "fixing the network"
until we removed the staple and declared it fixed (proto-BOFH
schooldays!).

Another attack which required physical access to a FileStore was to
insert a properly-formatted floppy containing a password file with the
SYST user and a known password. Since the FileStore was not kept in a
locked room, this was easily accomplished - I doubt many schools run
their fileservers in an unlocked cupboard nowadays.

The FileStore Service Manual seems to indicate that any station can run
the rather interesting utilities provided on the FileStore dealer test
disc without authentication, including a CMOS editor, disk sector editor
and disk formatting tools. Unfortunately, I never came across these but
that was probably for the best.

Acorn's Level 4 File Server password files introduced an "encryption"
scheme that Acorn were boasting about at the Acorn User show when they
announced it. Within 15 minutes of getting hold of a copy of L4, we
worked out that all they had done was to XOR the password with the
second(?) byte of the username. This was made more obvious by the fact
that they also XORd any NUL bytes following the password, leaving a run
of the XOR value at the end of every password of less than 8(?)
characters.

Please let me know if I can be of any assistance with the project.

Regards,

Dan Gardner

On Tue, Nov 01, 2011 at 05:35:24PM +0000, Martyn Ruks wrote:
> Hi everyone,
> 
> I've only just been pointed at this list so hopefully this is the right 
audience! I am a security consultant and researcher based in the UK and 
am currently looking at revisiting my past experiences by running a retro 
research project to look at BBC security using today's knowledge of vulnerabilities 
and exploitation techniques. At school in the early 90s I came into contact 
with what I now realise must have been an econet environment with a room 
full of BBC computers. I am now working on a research project to remind myself
of the things I used to do on that network and will be trying to apply the
techniques used in modern security attacks and vulnerability exploitation
to the old technology.
> 
> To set the context I have no hardware so will be confined to emulators 
for all my work and literally started on this on Sunday. I would be interested 
in any knowledge or info anyone has on security in these types of networked 
environments, whether its facts, stories or sneaky attacks you have seen
or experienced. I will supplement this with my testing and experimentation
using some modern tools to produce what will hopefully be an interesting
and most importantly fun project.
> 
> I have already picked up some interesting nuggets from the various Beeb 
sites that are out there but would love to expand and build on it. I am 
happy to share any results and will publish my research as I go, I will publish
the URL for where the project will live when its up and rolling. All help
and information is welcomed and please reply to me directly if needed!
> 
> Thanks in advance.
> 
> Martyn
> _______________________________________________
> bbc-micro mailing list
> bbc-micro@...
> http://lists.cloud9.co.uk/mailman/listinfo/bbc-micro